How to Put Security Research to Work for Better Risk Management
CSOs are juggling dozens of critical priorities today, with rising threats and geopolitical tensions alongside the increasing scope and complexity of security leadership roles. Research abounds about emerging threats, competing priorities, and the current business environment, but how can CSOs leverage that information to drive smarter risk management and business decisions?
In a survey of more than 2,300 senior security executives (including CSOs) across 31 countries, Allied Universal’s new 2025 World Security Report summarized the challenging environment security now faces. Security Management spoke with two security executives at Allied Universal—Rachelle Loyear, VP of Integrated Security Solutions, and Glen Kucera, president of Enhanced Protection Services—to dig into the findings and explore how security practitioners can put the numbers to work.
Key Findings
The World Security Report is chock-full of insightful statistics about CSOs’ current priorities and challenges, but here are the top findings.
CSOs worldwide said that their top three security-impacting hazards that will affect companies in the next year are economic instability (44 percent), climate change (33 percent), and disruption of energy supplies (30 percent), all underscoring the need for additional resilience and business continuity planning. War and political instability, as well as civil unrest, followed up as the fourth and fifth hazards for the year, respectively.
Two-thirds of survey respondents expect their physical security budgets to increase in the next year, even though 80 percent of respondents said company leaders are more concerned with cybersecurity than physical security threats right now. External incidents that had the biggest impact on security budgets included cyber disruptions (74 percent), cyber deception (69 percent), and strategic cyberattacks (67 percent), followed by fraud, sabotage, theft of company physical property, and supply chain attacks.
Misinformation and disinformation incidents are also on the rise. Nearly 75 percent of CSOs said their companies have been targeted by a misinformation or disinformation campaign. Plus, that false information can exacerbate other risks; 41 percent of CSOs said that mis- or disinformation motivates at least half of the threat actors targeting their businesses, resulting in vandalism, break-ins, harassment, or even violence.
Unsurprisingly, executive protection (EP) is also top-of-mind. More than 40 percent of CSOs said the threat of violence toward company executives has increased during the past two years. This led to increased security measures for executives, including enhanced security procedures, risk assessments, online threat monitoring, and security training and preparedness for leaders.
The survey polled 200 global institutional investors, who noted that contributions of key executives represent at least 30 percent of an organization’s value, making their protection essential. Almost all (97 percent) of the investors polled said that it’s important for companies they invest in to provide physical security protection for executives.
In some high-profile companies where the key executive is intrinsically linked to the intellectual property of the organization—like Meta or Tesla—that value connection makes complete sense, says Kucera. But organizations face significant reputational harm “when something bad happens to your executive and you create the illusion you didn’t care, you didn’t have the right type of security—you get that bad reputation and then you see the stock prices start to drop,” he adds.
The report found that many security incidents had noteworthy financial impacts—a significant internal or external security incident could reduce the value of a publicly listed company by an average of 32 percent, the investors said. Large companies lost at least $9 million in revenue due to a security incident, according to the report.
Putting the Data to Work
All of those statistics feel neat, but how can CSOs use them strategically to make a difference in their organizations?
The numbers add weight to security’s story, Loyear says. “I was really excited for myself and the rest of the industry to have these data points that really prove out what it is to bring value to the organization and to help these investors protect the organization, because it changes the story of security,” she adds.
It’s the difference of saying “Would you just believe me? This is what needs to happen” versus “This is what a whole lot of security professionals are saying, and this is what your investors want you to pay attention to,” Loyear explains.
For example, if a CSO were arguing for an increase in security technology spending to address external theft, she could make a more compelling case by referencing World Security Report data that explains that 47 percent of CSOs were prioritizing investments in new security technology and infrastructure, or that 60 percent of organizations that experienced fraud, property theft, or supply chain attacks were more likely to see an increased security budget.
Security directors can also use the data as a vehicle to launch proactive business conversations with internal partners and to help understand where their program stands in relation to others.
“There’s a great whole section in there about technology, about investments, about how people are going to be using [artificial intelligence (AI)] or not using AI,” Loyear says. “Who’s early adopting? Who’s not early adopting? Where do I want to fit in this arc of what I’m investing in? But then also understanding how other people are feeling about where humans sit in this.”
The statistics can help CSOs grapple with their next steps and recommendations so that they do not fall behind the curve in security protection. The findings from the World Security Report and other research can assure CSOs about their program’s standing, Kucera says.
A CSO could go to his or her executive team with a big ask—adding a type of technology or enhancing security because of a recent incident. That CSO “can go to them and say ‘Hey, we got 2,200 people that responded that they’re all thinking the same thing I am. So, we’re not alone. I’m not out here just asking you to spend more money in the budget. This is what the world is thinking, and they’re very consistent in what they see in the threats, vulnerabilities, and the security postures to try and divert any of those events,’” Kucera adds.
Research and benchmarking can also help organizations recalibrate their risk management baseline, especially as the threat environment evolves, he says.
Similarly, the data helps with relationship building, Loyear adds. Many stakeholders want more concrete data about security and risk issues, but the security leader needs to bring the data to their attention and start those conversations.
“That’s one of the ways you can use this kind of data to just really have a touchpoint with your HR, your facilities, your operations, and let them know what’s going on,” she says.
Introducing emerging threats through data is also more palatable to many stakeholders than thinking about threats through a nebulous, hypothetical lens. Loyear uses the World Economic Forum’s annual Global Risks Report for the same thing—getting in front of stakeholders to kick off a conversation about evolving or potential challenges, start planning exercises, writing protocols, or setting up intelligence or monitoring functions.
“Use this as a jumping-off point to be more proactive and to get in front of this and be more holistic to say: ‘This is the world we’re operating in. Everybody understands it. Everybody knows it. Look, I have a graph here that says everybody knows it. Now, what do we do about it?’” Loyear says.
Without that preparedness, incident response time is wasted on freezing and panicking, she adds. Instead, if using data can get those partners to the table early to conceptualize emerging risks, resilience is more readily within reach.
