As the world continues to adapt and overcome the global pandemic, Rose Partners’ CEO Adam Honor explains why there’s often opportunity in crisis.

The future for some people right now will appear terrifying. Particularly during these testing times, there are three words you probably wouldn’t want to hear from a leader: “I don’t know”. Those three simple words can, and do, instill fear and uncertainty in some people.

However, these words can also be a potent leadership tool. Leaders willing to say they do not have all the answers create an aura of humanity and approachability which, for some people, might not have been evident previously.

Exceptional leaders recognise the opportunity presented to them to step into the vacuum of uncertainty and present a clear and concise strategy. By doing this, they can build on the crisis event to the benefit of all employees, and the business as a whole.

Grappling with uncertainty means the lessons learned, knowledge gained or experience garnered will be that much more lasting when identifying strategy and fulfilling opportunities. When it comes easy to you, the learning is easily forgotten

For those in risk management positions, COVID-19 is an opportunity to revisit your strategy, embrace what is working, and reshape and re-present the opportunity of what needs to change in light of the events faced by businesses right now. We shouldn’t forget that the current pandemic has been an opportunity for the criminally minded among us too, with expediential rises in phishing attacks, ransomware, and more.

One of the major opportunities for CSOs / CISOs is the continued digitalisation of the workplace and your role in securing it. This strategy will require Board-level engagement, governance, and support in alignment with your executive team to enable success. This may lead to the discovery of new strategies that could benefit your organisation. Whatever the opportunity, you will need backing from the top down in order to succeed.

What better time than to leverage the Board and seek the support and buy-in you require? What better time for company Boards to proactively shape their company’s security strategy and investment plans and recognise the opportunity this crisis presents?

Do you have a Board engagement plan? Do you have a strategy to manage up through your leadership team to the Board? Do you envision an opportunity through this crisis?

I believe there are four key elements to shaping your Board relationship and engagement to ensure, (in identifying the security opportunities), you maximise the chance of success. These are detailed below with recommendations;

Strategic risk role of the Board – The Board’s role with regard to security, in line with its oversight of risk, is to provide strategic guidance to inform/direct the leadership’s strategic risk judgment. To mature your relationship with the Board/leadership team, build confidence in your security operations by framing strategic discussions around key risk issues, opportunities, and questions in light of recent events and future threats and risks.

Building Board and leadership team security expertise – The Board and leadership team need to develop more of an understanding of security/cybersecurity to ultimately play a more active role and ask questions you may not have thought of. I can’t stress the importance of investing time and effort in developing that expertise with your Board and leadership team. Find an advocate who can assist you in landing an annual curriculum of security learnings, providing ongoing training, and using credible third-party support.

Developing meaningful security risk metrics and reporting – Boards and leadership teams require data and frameworks by which to understand the risk and thus the success (or otherwise) of the security programs the company is investing in. Allied with investing in educating your Board and leadership teams, developing meaningful, business-orientated security metrics is key to your success. Invest in technology, programs, people, and processes that enable you to regularly demonstrate (report) the success (or otherwise) in managing the threats and risks. This data should be presented in a clear, unambiguous, factual manner. Board security metric reporting is part of their collective education journey. Reporting is a skill. As is brevity!

Alignment of the Board Risk Register – I believe Boards need a holistic view of security risks within the organisation. In doing so, they need direct access to the CISO / CSO to understand how security risks are being managed (from top right to bottom left of the likelihood/impact model). As a security leader, now is the opportunity to develop your collaboration with the CIO, CRO, and other partners and present a unified view of converged security strategies to secure the digital transformation of the company. That converged operating model will take both the physical and virtual approach in securing people, assets, and the business resilience of the company. In doing so, the Board gets the complete picture and not just parts throughout the reporting period. If you have not already done so, ally yourself with others who have skin in the game in securing the company.

Undoubtedly, the business operating environment for many companies will be very different going forward. 2020 plans would have been ripped up and 2021 strategies turned on their heads.

However, among all this chaos there is opportunity. For the CISO / CSO, these opportunities are aplenty; business and operational resilience will be a major focus and, in turn, securing the digital transformation of the workplace will be a key part of that operational resilience narrative.

John F Kennedy popularised the inaccurate translation; ‘The Chinese use two brush strokes to write the word ‘crisis’. One brush stroke stands for danger; the other for opportunity. In a crisis, be aware of the danger but recognise the opportunity’.

This was picked up by marketing gurus who saw an opportunity to sell optimism that is now the thriving industry of crisis and reputation management. There is nothing wrong with that but a ‘flawed translation’ sometimes has us all scratching our heads looking for positives.

I believe as a security leader you have to find the positives in all this.

Your Board and leadership teams are vital in believing in the positives you’ve identified, in understanding the opportunity you see in this crisis, and thus enabling your success. Have an engagement plan, understand the key elements for success in engaging Boards and your executive team, and then… execute.

en_GBEnglish (UK)