We Are All Risk Managers Now

Posted on by Tom Pendergast

Risk management professionals around the world may soon find a surprising positive outcome of the global pandemic: Employees have been getting a crash course in risk management. And that means they may be better equipped to support your cybersecurity risk reduction goals in the future.

From the moment the coronavirus reared its spiky head, people around the world have been trying to minimize their exposure to the virus. And now, after managing their risk amid inadequate information, vastly differing assessments of risk severity, emotional and possibly financial duress, and more, they’ll return to work with a new set of skills.

Thanks to the pandemic, we’re all risk managers now.

A Crash Course in Risk Management

Let’s briefly consider the pandemic as a crash course in risk management for individuals.

From the beginning, at least in the United States, the job of evaluating the level of risk was fraught with difficulty. Inconsistent and vague guidance came from health officials at multiple levels. Individuals choosing to travel in February had tough choices to make.

Early on, at least here in the Seattle area, there was widespread acceptance of the advice to “stay safe and stay home,” despite the social and economic costs. But that early acceptance of efforts to “flatten the curve” didn’t last long. As towns, cities, counties and states all set off on some level of “re-opening,” people were left to make their own risk assessments.

Did they feel safe going out grocery shopping or would they pay more for delivery? (Lucky be the person who could make the choice freely!) Would they go back to work before it was demanded? What about going out for a walk? And what about wearing a mask/face covering (before that was required)?

Every decision (beyond the decision to stay home) was fraught with risk.

Evaluating people’s success at navigating this daily risk assessment, Tess Wilkinson, professor of law and psychology at the University of Pennsylvania, wrote in The Atlantic: “People are not irrevocably chaotic decision makers; the level of clarity in human thinking depends on how hard a problem is. I know with certainty whether I’m staying home, but the confidence interval around ‘I am being careful’ is really wide.”

Massive amounts of misinformation and the politicization of simple acts like wearing a mask made pandemic risks particularly hard for people to assess.

Lessons for Translating Pandemic Risk into Cybersecurity Risk

It’s too early to judge how well humanity has managed pandemic risk. There are twists and turns still to come. But as people navigate the new workplace, it’s worth considering how we can use the pandemic lessons to improve cybersecurity risk management.

One clear lesson that can be drawn is that there is real value in allowing experts to provide clear direction on how to handle cybersecurity risk in the workplace, because people make better decisions when given clear guidance.

There is no value in making risk assessment decisions more complicated than they need to be. So if you’re providing direction about how to handle risks of any kind, do whatever you can to provide clear, definitive guidance.

There will be times, however, when definitive advice isn’t possible and where you will have to rely on the judgment of your employees.

During the pandemic, people have found it difficult to stick to social distancing guidelines even when given clear guidance. Their reasons were “human”: they longed for connection, they felt vulnerable, they thought social distancing was a hoax perpetrated by their political enemies, etc. These emotions made it difficult for them to assess risk.

The most prominent cybersecurity attacks—phishing and other forms of social engineering—remain so vexing because attackers prey on human emotions. That’s why it’s so important that you, as a risk manager, help people navigate the emotional complexity of social engineering attempts. When you acknowledge why people might want to do the “risky” thing—whether it’s go to a party or open an email attachment—you help them see it in perspective and make the right decision.

Perhaps the bright side of this pandemic will be a generation of Americans who are uniquely qualified to manage risk.

Tom Pendergast

Chief Learning Officer, MediaPro

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
