Returning to Work the ESRM Way
Before the COVID-19 pandemic struck, offices were already shifting toward remote work. According to a Vox article from 2019, remote work was expected to grow significantly in the early 2020s, with an estimated 70 percent of the U.S. workforce working remotely at least five days a month by 2025.
However, the pandemic and its associated lockdowns accelerated the adoption of remote work, with more than half of American workers working remotely in April 2020, Gallup reported.
Twitter and several other major tech companies have adopted indefinite work-from-home policies, despite reopening their corporate campuses, and the new blend of hybrid workforces—with some teams remote and others in-person—has opened up new risks. According to Cisco’s Future of Secure Remote Work Report, 85 percent of respondents said cybersecurity is extremely important or more important than it was pre-COVID-19.
But full-time remote work is still slow to catch on in most workplaces. As of October 2020, Gallup found that all or nearly all employees (46 percent) or some employees (20 percent) were back in the workplace. And while the decision to return to physical workspaces or offices is a complex one, often dependent on the personal beliefs and workstyles of organizational leaders as much as on productivity or risk management, security professionals can play a significant role in influencing the conversation around return-to-work plans.
Security Management caught up with David Feeney, CPP, a Deloitte Risk and Financial Advisory manager in the cyber and strategic risk practice, to learn more about how to apply an enterprise security risk management (ESRM) lens to return-to-work strategies and other future plans. Feeney is also a member of the ASIS ESRM Community Steering Committee.
The discussion has been lightly edited for clarity.
Security Management: How did COVID-19 change security professionals’ role within the business?
Feeney. A significant crisis tends to increase the visibility and priority of the security function in an organization. The pandemic certainly did that, and it increased stakeholder engagement in crisis scenario planning.
Security professionals find themselves more involved in more conversations about supporting the organization’s mission. As a fundamental example, organizations now realize they can’t allow their employees to return to the workplace without significant input from security.
How can an ESRM approach enable security professionals to leverage the disruption to become more aligned with the business and break down silos? A big part of ESRM is understanding your stakeholders and the business’s core values—how may those values have changed during the pandemic, and how can security professionals reevaluate their prior understanding of the enterprise after a crisis to ensure they still understand the organization?
Feeney. The COVID-19 pandemic may have permanently altered the core values of many organizations by raising awareness around the importance of security.
When future crises occur, I expect those leaders who may have earlier been skeptical about the likelihood of its occurrence will now engage much more closely on security risk management. That additional engagement is an opportunity for security professionals to improve (and perhaps update) their understanding of and alignment with stakeholders’ priorities, concerns, and core values.
When returning to offices or facilities after a long period of remote work, how can security professionals engage and communicate with stakeholders better than before?
Feeney. For many organizations, security professionals are fully engaged in the workplace reopening process. In fact, senior managers may ask security teams to manage communications around return-to-workplace efforts, helping to elevate organizational awareness and prioritization of security programs.
Has COVID-19 challenged perceptions around risk planning? While maybe you don’t throw out all previous planning, was the pandemic so disruptive that it calls for a complete review and overhaul of a company’s risk planning process, involving more stakeholders than before?
Feeney. While it is important for organizations to revisit their risk management and crisis preparedness programs after a significant crisis, it is also important not to scrap existing plans entirely—even if there were incidents during the crisis that resulted from planning deficiencies.
Any significant crisis may challenge perceptions around risk management and crisis preparedness, including the processes or methodologies involved. Stakeholder engagement in risk management typically increases after a crisis, and security professionals should be available to respond and invite those stakeholders into the planning process. Increased participation from stakeholders should help hone and evolve programs, resulting in better alignment between security and the business.
Were there issues that were either unknown or de-emphasized prior to the pandemic (team wellness or mental health, cybersecurity risks, supply chain vulnerabilities) that now require emphasis in risk planning moving forward?
Feeney. I think we will see an elevated prioritization of supply chain risk management going forward. We’ve seen considerable supply chain disruption this past year and were reminded of how potentially consequential a long-term disruption could be. This potential is more front-of-mind for security professionals and stakeholders alike.
How can security leaders apply an ESRM lens when discussing the risks of reopening (or not reopening) facilities?
Feeney. ESRM moves security professionals out of the role of authoritarian, enforcer, or even decision maker and instead positions them as trusted advisors to assist asset owners in making risk management decisions about their assets. When the business asks security if they should reopen, security should respond in a consultative way.
For an ESRM security professional, it is OK to answer a question with a question. For instance, if asked whether the business should reopen now, an ESRM security professional might ask what conditions need to exist before reopening, what goals you hope to achieve by reopening, or which risks of reopening are unacceptable. The business stakeholders may respond and then ask what can be done to meet these requirements, achieve these goals, and avoid these risks. In response, the security professional can offer potential risk mitigation strategies.
How can security leaders help other departments understand the security implications of new operating environments—including hybrid or remote work, as well as reopening facilities?
Feeney. Security professionals should take the role of trusted advisor to business stakeholders. If the business says it wants complete or hybrid remote work, security professionals should seek to understand the goals for doing so—as well as related risks. Based on that understanding, security professionals may have ideas about how the business can satisfy those goals and concerns with a remote model, a hybrid model, or even with a full return to the office.
For organizations that have not yet adopted an ESRM approach, does getting back to more normal operations offer an opportunity? If so, what are ways a security leader could nudge their organizations in that direction?
Feeney. There is no time like the present. If a security professional enters a conversation with a business stakeholder about security risk management, he or she can immediately take the role of trusted advisor and begin to understand the stakeholder’s priorities, goals, concerns, and requirements. Each conversation is an opportunity to practice the ESRM approach to security risk management. The more it is practiced, the more likely the business is to perceive security as a trusted, invaluable advisor.