Amidst growing complexity, leaders that take an intelligence-led approach to decision-making will have resilience and security that will set them apart in a changing and competitive world.
The security landscape
Major events often act as catalysts for underlying risk trends. The current pandemic is no different, with our research showing that risks are increasing ten times faster as a result of the COVID-19 pandemic. Indicators also show that, at present, 163 countries are facing a sharply deteriorating political, security, criminal or governance situation owing to COVID-19, representing a 63% swing towards negative trends compared to the start of the year.
It is another truism that most organisations can deal with one crisis, but it is a second one on top which proves too much. In this case, the pandemic is being exacerbated by environmental events such as the Atlantic hurricane season, locust plagues in East Africa and typhoons in the Bay of Bengal. Adding to this, the impact is further magnified by socio-economic problems caused by the very measures being taken to combat it. Redundancies and bankruptcies will occur despite the unprecedented attempts by states to offer support, which at best, cushion rather than completely mitigate the damage. Current forecasts – and these are early days – suggest that 87% of the world is due to see GDP per capita markedly decline, impacting stability and security in a feedback cycle.
Security threats are largely driven by increases in regional tensions and a steady rise in domestic unrest, with 114 countries expected to see an increased level of agitation; this is already manifesting in protests in the US and in the actions of Beijing towards Hong Kong. Venezuela draws ever closer to collapse, while Russia is suffering under the weight of both the virus and falling oil revenues. Latin America, the new centre of the pandemic, will see a rise in the influence of gangs, a pattern also noted in South Africa. Even in G20 countries, the effects are therefore significant and levels of state debt pose significant challenges to future prosperity, even if the recovery follows the most optimistic predictions.
The themes to watch continue to be those shown in the last decade, including nationalism, separatism, the rejection of international norms, increased rivalry between China and the US, the aspirations of regional powers (such as Turkey, Russia and Saudi Arabia), growing environmental pressure, effects of currency and commodity fluctuations, increasing barriers to international trade and polarisation of the political environment in democracies. Another feature has been a quiet industrial revolution based on automation and AI, which – as with all revolutions – will cause both winners and losers. The acceleration of this trend is therefore an opportunity and a threat, especially to the blue-collar workforce that is already taking the brunt of COVID impacts.
The inevitable conclusion is that the virus is turning the world into a far more volatile, complex and ambiguous place in which to live and do business. The repercussions will be felt throughout this new decade, posing rapid, persistent and often unexpected future challenges to businesses already struggling to deal with the obvious crisis.
What does this mean for corporate security?
There is a saying that ‘a good crisis should never be allowed to go to waste’. After all, the value of resilience is hard to quantify when everything is going well. Since governments were largely caught hopping by a threat that really was a case of “when” rather than “if”, it is no surprise that corporates, with much starker profit imperatives and oversight, generally followed suit. Similar trends were evident ahead of 9/11 and, as then, the crisis is causing the boardroom to rapidly re-evaluate their risk approaches.
Early on in the crisis, explaining that there would never be a return to “business as usual” took significant effort, with much resistance to that message from corporate decision-makers. Now, however, the concept of the ‘new normal’ is much more entrenched. Much like a wartime situation, we are seeing the effort we have put in over the last 20 years now bearing fruit. But unlike 9/11, the recovery will be longer – making this a testing, as well as a transformative moment.
Security services are going to be more required than ever, but scrutiny will also increase. In the easier times of the last decade, business leaders have generally trusted their security function to be getting on with things. Some suppliers and in-house teams are already paying the price for negligence, falling victim to early rationalisation – although many others have sadly just been victims of plain economics.
Where once companies had several service providers, now they are seeking to keep only the best and expect more from them. In some cases, expensive technical solutions have failed the test of usability.
The other factor to contend with is the quick repackaging of standard management consultancy services by the big players that enjoy existing boardroom clout. This risks the boardroom thinking they are making decisions based on intelligence, when in fact the information may be superficial, or worst, misleading.
We have already seen this trend in cybersecurity but in the wake of COVID, it is becoming prevalent for physical security too. Add to this the plethora of security, risk and resilience products are now being peddled by management consultancies and there is a real risk that security leaders will be shut out by the clamour, not able to support their organisations effectively.
If you are not led by intelligence, what are you led by?
Those doing well have one thing in common; they presented a clear operational picture and offered insight that was actionable to senior decision makers. Their actions helped ensure that the public sector, particularly in the US, acted well ahead of government advice. Organisations such as the International Security Management Association helped CSOs to realise the threat early, take it seriously at a time when there was much scepticism, recognise the economic and health consequences and put this firmly on the board agenda. The result was that employers were generally the most trusted advisors for individuals, at least initially.
The underlying thread here is intelligence. Even in the security environment, this function is subject to all sorts of mysticism and jargon. But at its heart, being able to refine complex data into something that gets ‘the monkey off a decision-maker’s back’ is a vital. For the teams that did it well, it has paid dividends.
Proliferation of information has tempted some to rely on compiling data themselves, but given the sheer amount of data now available, both internally and externally, a more sophisticated approach is required to cut through the noise. A viable function must blend experienced people, efficient processes and effective technology to deliver impacts, but these are just ingredients. What really matters is a very strong and personal sense of what is important to the decision maker – and this requires experience, judgement and a close relationship.
This requires being more than an ‘information provider’ and bonds of trust cannot just be created overnight. It is a maxim that sweat in peacetime saves blood in wartime and it is the same in this field; the value that is added in the easy times pays dividends once the pressure is really on. However, there is good news for those late to building a security intelligence function. Embedded capability, i.e. using analysts from a partner with readymade approaches, support and information provision, offers the chance rapidly to get ahead of the curve – it is never too late.
The changing role of the CSO
Unsurprisingly, the COVID pandemic is reshaping the role of the CSO. Convergence has long been a security industry theme, seeing the cyber and physical combine. The presumption has been that cyber threats are more relevant given the rise in awareness and occurrence of issues, whilst the traditional CSO role has been losing ground due to perceptions of being outdated.
However, the impact of COVID on physical security re-validated the importance of CSOs almost overnight and firms are now reconsidering their approach. The crisis is serving as a timely reminder that physical security, travel and people still need to be considered, not just technology. Rather than opting for a CSO, CIO, or even a CISO in the boardroom, a CRO (Chief Resilience Officer) should increasingly become the role of choice (whatever the actual title); responsible for all the threat domains and able to support decision-making with a truly holistic view of risks.
It is clear that we will see the current volatility continue for a significant period yet. The increase in global risk demands a new understanding within organisations to guard supply chains, investments and stakeholder relations. However companies decide to define the role, the priority must be actionable intelligence that helps cut through the noise and achieve the agility required not only to survive, but also thrive, through this crisis.
By Justin Crump, CEO of global risk consultancy, Sibylline