CYBER SECURITY
Why organisational risk starts and ends with your people
By Lisa Sisson
There is not one organisation that can afford to ignore risk. We must plan for the possibility of things going wrong, whether risk comes from environmental threats such as floods and fires, human-based threats such as workplace violence or cyber-attacks, or health threats, as the world has recently learned through the global pandemic.

The thing about planning for risk is that it can make us fixate on potential threats. To protect what we value most, we can become so worried about the things that might happen that we introduce systems of protection that are themselves sources of risk. The introduction of processes to reduce risk or human error can create overhead that slows down our businesses, not to mention frustrating our employees and even creating a culture of suspicion and mistrust. At times this can be seen to cause more harm than the original threats we hoped to protect ourselves against.
What are you really achieving through risk management?

Even with the best of intentions, and our decisions to provide structure and control to reduce the effects of certain types of risk, we find ourselves exposed to other types of risk through this process. One of those risks is ‘disengagement’. Many executives associate disengagement with productivity and don’t consider the risk exposure. When employees are disengaged, they are at best satisfied with the bare minimum level of productivity and focus. This is why the statistic shared in Gallup’s recent State of the Global Workplace: 2021 Report, that 80% of workers are not engaged or are actively disengaged, is incredibly concerning.

36 | Cyber Risk Leaders Magazine

When it comes to disengaged employees in the context of risk, there are three concerns:
1. Lack of attention leads to errors and ‘unintentional’ insider threats, which are the most common type, making up two-thirds of incidents.
2. A lack of situational awareness: they don’t even see that there is a risk.
3. A low ‘care factor’: if they do identify a threat or vulnerability, they see it as “someone else’s problem.”

This is why disengagement is so important, and why you need to take a person-centric approach to reduce your organisational risk profile.

We need more than a traditional approach

There are many global risk management standards that provide organisations with a structure to help them understand the types of vulnerabilities and threats they need to protect against. These standards provide frameworks and processes to manage risk, but they are not designed with people at the centre. Risk management is more than processes and systems; it is an art form that centres around your people.

Because here’s the thing. When it comes to executing the organisation’s risk management plan, who is really executing? It is your people. It is no longer with the original handful of decision makers who created the plan. Plan execution is now delegated to others within the business. Managers may play a part, but the real responsibility for the execution and day-to-day management of risk lies with your employees. Which