The problem with risk in security management

Risk is probably the most pervasive concept in a modern business. Almost all business activity is directed at controlling or preventing some form of risk, be it sales to mitigate the risk of low cash flow all the way to cyber security measures to mitigate the risk of ICT failures. Risk is a constant, and should be considered and managed as such.

As with all technical subjects that have a cost impact on a business, there are several different definitions of ‘risk’; which one you use tends to depend on which consultant you are employing at the moment. The only point these differing factions agree on is that risk is to be avoided, and should be controlled to minimise its impact on the company’s bottom line. But this is like saying that you want to keep your car in good condition by not having any accidents with it. It is a good policy, but it is not the solution to the problem itself, the actual practical steps taken to achieve this goal. The solution, of course, is to adhere to the laws of the road, be alert… all of the common sense things we do to minimise the possibility and, should it happen, the scope of a vehicle accident. If we now relate this back to the science of risk management, things start to make more sense: the risk of a vehicle accident is not the accident itself, it is the possibility that one may happen, weighted by how bad it would be. The accident, in fact, occurred because the risk has realised into an unwanted event. This happened because our plans to prevent an accident failed, or, to use risk terminology, because the mitigating controls associated with this risk failed.

One of the ways to mitigate physical security risk in your company is to implement a good security system, or PSIM (physical security information management) as the market now calls it. There is a challenge with this idea, though, in the manner in which security systems address risk. The example of the vehicle accident applies again, but now in reverse: most of these systems treat the event itself as the risk, and do not define or manage the underlying risk at all. An alarm occurs and is managed, but that is usually the end of it. The intention is to resolve the event as quickly as possible, with minimum business impact, but this does not solve the real issue of why the event occurred. More importantly, it does not address the cause and thus cannot help prevent this kind of event from happening again. To do so, the risk that was realised in the alarm needs to be identified, addressed, and effectively mitigated through the application of controls. Perhaps the reason the lower end of the PSIM market does not address this is that risk management is much harder than alarm management. The system now requires features such as a powerful and effective investigative capability aimed at cause analysis, including identification of the manner in which the controls failed and so allowed the event to happen in the first place. A proper compliance module is needed to verify that controls are in place and are working as expected. The thinking is different: we no longer just respond, we need to analyse, understand and anticipate. We need to understand our client’s business better, and we need to understand where we fit into their greater risk environment so that we can contribute to mitigation as opposed to simply reacting to unwanted events.
Our purpose is no longer to be a very fast alarm stack management system, but to be the framework that prevents the alarm from ever happening in the first place: to prevent instead of react.
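The shift described above, from closing alarms to finding the risk each alarm realised and the controls that failed to stop it, can be made concrete with a small model. This is an added illustration and not code from the article or from Naxian Systems; the risk register, the control names and their evidence freshness windows, the alarm-to-risk mapping and the sample events and attestation records are all constructed for the example. It shows the two things an alarm-centric system lacks: a per-event cause analysis (which controls had no fresh proof of working at the time of the alarm) and a compliance view that aggregates control failures across events so recurring weaknesses surface.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A mitigating control. It counts as working only if it has recent 'ok' evidence."""
    name: str
    max_evidence_age: int  # hours; evidence older than this leaves the control unverified


# Constructed risk register (illustrative): each risk is linked to the controls
# expected to stop it from realising into an unwanted event.
RISK_REGISTER = {
    "unauthorised_entry": (
        Control("perimeter_fence_intact", 24),
        Control("card_reader_online", 1),
        Control("guard_patrol_completed", 4),
    ),
    "asset_theft": (
        Control("cctv_recording", 1),
        Control("storeroom_locked", 12),
    ),
}

# An alarm-centric system stops at the alarm type. Here each alarm type is
# mapped to the risk it realises, so the failed controls can be identified.
ALARM_TO_RISK = {
    "door_forced": "unauthorised_entry",
    "motion_after_hours": "unauthorised_entry",
    "inventory_mismatch": "asset_theft",
}

# Constructed attestation records: {control_name: [(time_hours, status), ...]}
EVIDENCE = {
    "perimeter_fence_intact": [(0, "ok")],
    "card_reader_online": [(9, "ok"), (10, "fail")],
    "guard_patrol_completed": [(2, "ok")],
    "cctv_recording": [(11, "ok")],
    "storeroom_locked": [(1, "ok"), (13, "ok")],
}

# Constructed alarm stream: (time_hours, alarm_type)
EVENTS = [
    (10, "door_forced"),
    (12, "motion_after_hours"),
    (12, "inventory_mismatch"),
    (14, "fire_panel_fault"),  # not linked to any registered risk
]


def failed_controls(risk_name, evidence, event_time):
    """Controls for risk_name that were not evidenced as working at event_time.

    A control fails the check if there is no record inside its freshness window
    or if any record in that window reports 'fail'. Only evidence at or before
    the event counts; later attestations cannot excuse an earlier failure.
    """
    failed = []
    for control in RISK_REGISTER[risk_name]:
        window = [
            status
            for t, status in evidence.get(control.name, [])
            if event_time - control.max_evidence_age <= t <= event_time
        ]
        if not window or "fail" in window:
            failed.append(control.name)
    return failed


def analyse(events, evidence):
    """Return (findings, failure_counts).

    findings: one record per alarm with the risk it realised and the controls
              that had failed when it fired (the cause analysis).
    failure_counts: how often each control failed across all alarms (the
                    compliance view that drives remediation rather than
                    yet another alarm response).
    """
    findings = []
    failure_counts = Counter()
    for event_time, alarm_type in events:
        risk_name = ALARM_TO_RISK.get(alarm_type)
        if risk_name is None:
            # An unmapped alarm is itself a finding: the register is incomplete.
            findings.append({"time": event_time, "alarm": alarm_type, "risk": None,
                             "failed_controls": [], "note": "alarm not linked to a registered risk"})
            continue
        failed = failed_controls(risk_name, evidence, event_time)
        failure_counts.update(failed)
        findings.append({"time": event_time, "alarm": alarm_type, "risk": risk_name,
                         "failed_controls": failed, "note": ""})
    return findings, failure_counts


if __name__ == "__main__":
    results, counts = analyse(EVENTS, EVIDENCE)
    for finding in results:
        print(finding)
    print("control failures across all alarms:", counts.most_common())
```

Run stand-alone, the output shows both forced-entry alarms tracing back to the same two controls (an offline card reader and a missed guard patrol), while the inventory alarm fired with all of its controls verified, which is the signal to review the risk register rather than the alarms. The freshness window per control is the compliance rule: a control with stale evidence is treated as failed even if nobody has reported it broken.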

The advent of IoT, and the speed with which AI is being adopted as an industry standard technology, makes this an exciting time to be in the risk game. We now know more about our client’s environment than before, and machine learning allows us to build and evaluate much more complex risk models than ever before. Cause analysis benefits from the fact that AI can process immense data sets to generate cause trees beyond the span of a human, while real-time predictive analytics allow modern, well-designed systems to detect control failures as they occur and address them before they can result in an unwanted event. The application of sciences such as game theory makes the management of unwanted events a much faster and more efficient process. It would appear that the fourth industrial revolution is also a risk revolution, and it is to be expected that this will alter the physical risk market irrevocably.

If you would like to know more about this approach to risk management, or even see it in action, browse to, or call 087-820-0620.

By Gerhard Furter, Head of Innovation, Naxian Systems