
Business Leaders Manage Risk



By Ian Harragan, Director at i-confidential

 

Managing risks shouldn’t mean we don’t take any.


We are faced with looking at risks daily. Thankfully, the worst events don’t happen often. But when they do, they can have a massive impact.


A manager’s role usually includes some element of minimising exposure to risks. Senior leaders, however, are asked to assume a bigger role – to manage the risks their organisation faces.


In cyber security, the risks we have to face are constantly evolving. Organisations are required to try to keep ahead of this by updating their tactics and strategy accordingly. In high-performing teams there are several approaches that can help:


  • Consulting peers for a range of opinions.

  • Seeking help with an outside view.

  • Taking action and 'failing fast'.


And yet, all of these steps may also introduce new risks!


Consulting peers for a range of opinions

The magnitude of some risks cannot be left to a single individual to address. Therefore, you should seek out a variety of viewpoints from your colleagues.


Usually, an organisation’s governance structure determines what the board needs to consider. This approach should ensure subject-matter experts and other interested parties are able to share their insights.


Ultimately, this still comes back to the security leader using the information available to make an informed risk call. Leaders do not avoid risk. They accept it as part of their job.


Seeking help with an outside view

Some leaders are reluctant to look for help outside their organisation. They want to believe their team is self-sufficient. But the best leaders are comfortable with external input.


You could take the view that when it comes to security, keeping it ‘in house’ is best and avoids risk. People are hesitant to share what goes on inside their organisation, and they are right to be careful. It can be extremely valuable, however, to gain a completely independent view of your organisation’s security position. Applying ‘fresh eyes’ can give even high-performing security leaders the edge in managing significant risks.


Taking action and failing fast

New threats often require new solutions. Innovative approaches keep you one step ahead of your attackers. But for every successful action, a number will likely fail.


Risk-taking always involves mistake-making. When we learn something new, we don’t get it right every time. This can lead to managers avoiding decisions so that they don’t make mistakes. The consequence is minimal innovation, learning, or problem-solving, and a tendency to stick to the status quo. Often, this is fine. But while we keep doing what we know how to do, someone else is trying something different.


When the bad guys change some aspect of the game, it puts us in jeopardy. It’s at this point that high-performing leaders step in and take some risks themselves, rather than just managing.


And ideally they will do this quickly, or ‘fail fast’. Ensure the right lessons are learned, don’t waste time on stalled initiatives, and share any results – good or bad.

 

Risk-taking comes in all shapes and sizes. It’s part of leadership on a daily basis. Thus, making mistakes is too, so don’t be too hard on yourself.


Of course, you should never take foolish, uninformed risks. Take what you believe are the necessary risks. In doing so you’re ensuring you don’t just leave results to chance. And where there is the potential for mistakes to occur, you will have a plan for how to avoid them or recover quickly.