The importance of getting your facts first

What have we learned?

The first part of 2021 is behind us and we’re starting to see some positive changes — tempered with our race to vaccinate citizens versus the spread of new variants of COVID-19.

The virus is teaching us more lessons about vigilance, resilience and adaptability. These are lessons we need to consider as security professionals.

During the pandemic, we locked down our businesses and cities, stayed home, and restricted activities thinking we had some measure of control. These actions worked — for a while. Then, as we saw declines to the numbers constantly being published on news and social media, behaviours changed. Some began traveling, disregarding recommendations from global health professionals. Citizens began protesting the “lockdowns,” citing freedoms being compromised for “fake science.” And some of the most influential leaders in the world provided conflicting advice (at best) and downright dangerous comments (at worst) that further spurred the wrong behaviours.

And here we are, facing a third (or even fourth) wave of the COVID-19 virus being pitted against a number of fast-tracked vaccines that have faced shortages, delays in delivery, and nationalist approaches to restrict the distribution of vaccines outside of home countries or trading blocks. After all what we’ve witnessed these past 14 months, what lessons can we extract and learn from as security professionals?

Let’s start with data and science.

A foundational component of a risk-based, business- focused approach to developing a security practice (like Enterprise Security Risk Management) is to make recommendations to reduce risks facing an organization based on data and facts — not personal opinion, or hearsay or rumours. We don’t support our recommendations using social media memes, or the testimony of friends and acquaintances. We must rely on data.

Seeing how the citizens of cities and towns across the globe responded to restrictions to reduce the spread of the virus provides more insight into how people react to change, especially change invoked by organizations and governments.

We saw the collective response from people who don’t believe in science or vaccines, who felt their own personal freedoms outweighed the collective good of a town or city, and the refusal to apply simple controls to reduce risk: wear a mask, stay six feet apart, wash your hands. We reaffirmed the human element of any security practice is going to be the most difficult aspect to address in an ESRM approach.

Let’s apply this to our own ESRM-based security practice. We can’t assume employees will simply follow security standards, guidelines and procedures because they’ve been created and published. Nor can we assume that leaders in our organizations will fully understand the security risks facing our enterprises if we don’t objectively present these risks against our assets, goals and objectives.

Now we must spend more time collaborating with other teams to assess risks to assets. We need to spend far more time educating our employees about the role they play in our security program, and how security professionals are here to enable the business to achieve its objectives. We need to ensure we are transparent in our approach to assess risks facing our enterprise assets and provide practical, objective recommendations to reduce them. We have to spend time collaborating on our assessments and constructively challenge the data we collect to reduce our security risks.

We must take what we’ve seen and learned from this experience and focus on the human elements of our ESRM-based security practice. It will take work, it will be frustrating, and it will profoundly challenge us as security professionals. But it’s worth the effort.

Tim McCreight is managing director, enterprise security, CP Rail (www.cpr.ca).