A New Approach to Building Enterprise Security

June 20, 2023
CSO strategies for meeting today’s global threat environment need to be multi-faceted

The current state of the world is increasingly characterized by reduced peace and heightened susceptibility to various forms of disruption. Emerging trends and threats in the physical and digital security domains have created new concerns for enterprises and organizations, and leadership teams across the world are now grappling with what that means for their operations, assets, and employees.

As the global threat environment becomes more complex, providing each and every employee with duty of care and protecting them from threats can no longer fall solely upon a Chief Security Officer (CSO) or any one department within the organization. Instead, key leaders in an enterprise or organization should be thinking in terms of the worst-case scenario and collaborating on how to respond to the next threat.

An Evolving Threat Environment

From geopolitical crises to natural disasters to cyberattacks, enterprises and organizations are facing a rapidly evolving portfolio of existing and emerging threats. In turn, corporate leaders across departments and teams must learn how to navigate this unpredictable environment in order to protect their interests and brands. The mindset in the corporate world needs to be that anything can happen at any time.

In my conversations with business leaders across the world, it’s clear that geopolitics is top of mind as companies find themselves caught in the middle of global flashpoints. The intensifying rivalry between major powers, such as the United States and China, has resulted in economic sanctions, trade barriers, and other forms of political pressure. All of these have far-reaching consequences for businesses in almost every industry, from agriculture to advanced manufacturing. Moreover, regional conflicts and insurgencies, from the ongoing Russia-Ukraine war to proxy skirmishes between Israel and Iran, pose a significant threat to businesses and employees as the risk of global violence proliferates.

Natural disasters are also a growing concern. The increased size and severity of extreme weather events, such as hurricanes, wildfires, and floods, have already demonstrated the potential to disrupt supply chains and damage infrastructure. Additionally, the pandemic highlighted the need for proactive preparation for public health emergencies and the sustained impact a disease outbreak can have on businesses and workforces.

At the same time, cyberattacks are becoming more sophisticated and widespread. Ransomware attacks and data breaches cause companies a significant amount of financial loss and reputational damage each year. These threats have grown over the last three years due to “digital transformation” in the business domain and the rapid adoption of remote work environments.

A Collaborative Approach to Security

An enterprise-level threat can impact a business from any direction. More often than not, a threat will hit multiple touchpoints across the organization. In turn, the most effective response requires consideration and action from multiple departments or teams. For example, a successful cyberattack that compromises sensitive corporate or customer information is not just a crisis for an Information Technology team. The executive leadership team must offer guidance and reassurance to their employees, the marketing team must implement customer experience improvement strategies, and the public relations team must develop a crisis communications plan.

Yet in the past, the protection of an organization's brand and its financial exposure has been conducted at the direction of the CSO or specific teams responsible for security and insurance. This should no longer be the case. As both the number and types of enterprise-level threats continue to expand, having multi-dimensional responses and operating procedures across the organization is more crucial than ever.

In a worst-case scenario, the Chief Executive Officer (CEO) and the Chief Operating Officer (COO) must be informed on all aspects of the company’s planning and response capabilities and provide the kind of leadership their employees will look to during a time of crisis. Moreover, the CEO and COO should understand and convey what actions will require their approval, and what actions their team members can trigger on their own. Alignment among C-Suite roles is a precursor to alignment across the enterprise.

In addition to C-Suite roles within the organization, human resources (HR) and legal departments are also pivotal in coordinating an effective response. The HR Director and HR team should implement training and education programs that allow every employee to understand the organization’s security policies and procedures. This not only involves the technical aspects of enterprise security but also risk management and incident response planning, ensuring that everyone is prepared to respond quickly and effectively. Similarly, the General Counsel and legal team should regularly review and update their legal and regulatory compliance strategies. Moreover, the legal team should have a crisis management plan in place, including procedures for liability and reputational damage.

Getting Buy-In Across the Enterprise

To ensure that a collaborative approach to enterprise security can be implemented effectively, it is critical for organizations to obtain buy-in from all employees, from the executive leadership to individual team members. The most critical step is stress-testing your capabilities and creating a basic framework and infrastructure so that people know their roles and responsibilities during every stage of a threat event. That is the bare minimum, however. A solid foundation for obtaining buy-in and building a workplace culture around security must also include the following two essential components:

  • An end-to-end communication strategy -- Effective communication is key in times of crisis, and companies need to ensure that they have a robust communication system in place, with redundancies built-in to prevent communication breakdowns.

Employees should know how communication will be conducted across the enterprise in response to a threat event, including who to contact during an incident and what channels to use to communicate critical information. Regular training and testing exercises can help ensure that all employees are familiar with the communication protocols and can execute their respective responsibilities.

A well-thought-out communication strategy is instrumental to responding to natural disasters, for example. Time is not your friend when facing a hurricane or similar crisis. Effective communication is critical in such a scenario as companies need to keep employees, customers, and other stakeholders informed in real time about processes and actions. A robust communication plan should also help affected companies maintain business continuity, demonstrate their commitment to employees and customers, and improve the prospects of recovery.

  • Tabletop exercises -- To further build a strong security culture, companies should conduct tabletop exercises involving all major departments and leadership teams. In my experience working with organizations of all sizes and from all industries, these exercises can better ensure alignment across the board, helping each department understand its role and responsibilities in the event of a security incident.

Tabletop exercises provide a playbook for specific situations, enabling companies to respond quickly and effectively to cyberattacks or other security threats. They can also identify potential vulnerabilities in their security systems and processes, allowing for necessary improvements before an incident occurs.

These exercises can and should be regularly reviewed and updated to ensure they remain relevant and effective. The threat landscape is constantly evolving. Cyberattacks are becoming more sophisticated, geopolitical tensions produce day-to-day risks, and emergencies such as pandemics and natural disasters can upend business environments in a matter of hours. The bottom line: don’t count on what worked in a previous threat event to work when the next one shows up. Tabletop exercises are a vital part of ensuring companies are up to date on their response plans and can adapt to changing circumstances.

Ultimately, the goal of tabletop exercises is not just to obtain buy-in but to understand which operational responses best support at-risk employees and assets. An organization’s leadership can use these practices to answer key questions, such as how to respond to a cyberattack, how to respond to a kidnapping or act of violence against employees, or how to conduct evacuations in the middle of a conflict zone or mass casualty event.

Reviewing Security Practices

To effectively address threats and ensure the safety of their employees, assets, and operations, enterprises and organizations should be proactive and consistently ask questions. How often are decision-makers reviewing security practices? What are the current gaps in preparedness and how can they be closed?

One way for organizations to stay on top of their security posture is to review their practices at least twice a year, with a goal of doing so once a quarter if possible. In the immediate aftermath of a threat event, leadership teams should also come together to evaluate their response and adjust their security posture accordingly. Frequent reviews can enable greater focus on specific types of situations and emergencies that may arise throughout the year, such as hurricanes during the summer months or acts of violence following a geopolitical incident.

During these reviews, companies should take a holistic approach to security, examining everything from physical security measures to employee training programs. By identifying potential vulnerabilities and areas for improvement, leadership teams can work to strengthen their security posture and ensure employees are fully prepared for any situation.

Regular reviews also help to ensure that everyone in the company is on the same page when it comes to security, from senior executives down to individual employees. By providing ongoing training and communication about security threats and response protocols, enterprises and organizations can ensure that everyone is synchronized and ready to act during a threat event.

An effective approach to reviewing security practices must also consider post-Covid changes to the workforce. For example, remote work is here to stay, and business travel is approaching pre-pandemic levels. That means employees will not be in one location, one time zone, or one network. Exposure to cyber threats is a particular concern with remote work and business travel, as employees may use untested routers, public or home Wi-Fi, and no Virtual Private Network (VPN). With a dispersed workforce, companies must track their employees and have a good system to communicate with them.

In a global landscape defined by inter-state competition and conflict, natural disasters, and new threat vectors in cyberspace, no one knows when the next major disruption will hit their business. But corporate leaders can’t be caught off guard when a threat event happens. Whether one is a CEO or an individual employee, the responsibility to protect the enterprise should fall upon every member of the team.

To create this collaborative approach, companies must work now to obtain buy-in from all employees through regular training and tabletop exercises, and regularly review practices and protocols to identify and neutralize potential vulnerabilities. Between financial, reputational, and physical damage, not being prepared can cost you more than you can afford. But by adopting a new perspective on enterprise security, organizations can better safeguard their interests and protect their brands.

About the author: Dale Buckner is the CEO of Global Guardian, a McLean, Virginia-based global security firm that provides its clients with access to a comprehensive suite of duty of care services.