For risk management professionals, looking ahead is an essential part of the job description. And as we embark into 2019 and consider what risk management trends and new developments could have a big impact going forward, it is actually helpful to start by looking back.
In 2018, we saw the reality of the digital transformation begin to sink in. This mega-trend is the principal change in how businesses utilize people, technology and processes to deliver value to its customers—and it’s challenging risk professionals to stay ahead of the curve. The implications—for businesses and for security and risk management providers alike—could not be more profound.
Pinkerton President Jack Zahran shares his thoughts on the digital transformation, as well as how it will impact risk management in 2019 (and beyond):
Pinkerton: Jack, thanks for sitting down with us today. Before we look to the future, we did want to take a look back at 2018 and see if there were any trends or anything that surprised you about the year as we draw it to a conclusion.
Jack Zahran: Looking at 2018, it could be characterized by digital transformation—that is the mega trend that will really change the industry and is really challenging risk professionals on how to stay ahead of the curve. There is just rapid change in terms of how companies and organizations are operating, and they are doing so with much greater connectivity and tools that have just amazing capability to really drive correlations and understanding in a significant way. But with that opportunity to improve society comes a whole set of threats that never existed before. So, I think 2018 and 2019 can be very much characterized by how risk management is going to change as digital transformation really starts to roll through daily life.
Pinkerton: Well, let’s talk about the digital transformation a little bit. What did you see as evidence of that impacting the industry in this current year, 2018?
JZ: Well, I think you saw a proliferation investment in fusion centers to centralize information flow. That’s not a coincidence—organizations are starting to recognize that unless you start to take the power of data serious and develop the ability to funnel that in a systematic way, you’re going to be operating blind. For the security and risk management industry, this has been very critical. Historically, it’s been a function within organizations that try to justify its existence because the impact to profits and loss or the business bottom line is not clearly evident. If you look at some of the surveys that are coming out, you’re seeing a 62 percent increase in budgets for 2019. That’s a strong recognition that, with better data flow and the ability to demonstrate impact, organizations see that this is something that is not a necessary expense or something to try to avoid. Instead, it is a business enabler and investment—it’s the sound thing to do. That’s just one piece of evidence that really shows the impact of transformation and what it means to the risk management industry as it becomes more relevant for the business.
The other key thing is a risk-based perspective. You really saw a proliferation in awareness programs. And, unfortunately, events like workplace violence and other catastrophic events have put a focus on and created a greater awareness within organizations. Being able to educate your workforce in a way that enables them to be a part of the process is an investment we saw across the board in 2018.
The last example I’ll give to show evidence of this is the increase in sophistication of phishing scams. A lot of people think cyber risk occurs because there is a breakdown in the firewalls or the system defense. When peeling back the onion, what you find is a large majority of the organizations that are being compromised from a cyber hack so to speak is are done so through social engineering, and the sophistication of that social engineering is on the rise significantly. That’s another clear example where a lot of investment has gone into awareness and creating a risk-based thinking within organizations. Just educating your workforce on what a phishing scam looks like is not something that was commonplace even three years ago, and you really saw that shift in 2018. I think you’re going to continue to see a strong focus on that in 2019.
Pinkerton: So, would you say that things are being driven by a new awareness for different issues and phishing scams and things like that, or is it being driven by a better understanding of the business impact that these risks have for corporations?
JZ: It’s a little bit of both. Social engineering and phishing are both issues that you can relate to in your personal life. It is not a huge conceptual leap to see that trying to get your passwords, your banking information, or just duping you into just a quick scheme can impact your organization. It’s not about the big hack that hurts the reputation—although that is still a significant threat—it’s more that social engineering that is in that bottom-up approach that is the major threat. Since that is something prevalent in your everyday life, again, it’s not a huge leap to apply that to your corporate world or in your work life. When you think about it that way, it is easy to get behind and drive support and adoption for these awareness programs. So I think those are the main drivers. And for decision-makers, it’s not something they can ignore because there’s just too much visibility to it and it’s not something that you can kick the can on anymore.
Pinkerton: So, obviously, Pinkerton has its risk wheel–the four quadrants of the risk wheel–which are technology and information risk, hazard and event risk, operation and physical risk, and market and economic risk. You’ve talked about that a lot over the last couple of years. Is there a specific quadrant that you think would need more attention in 2019, or is it still all so interconnected that really everybody needs to be looking at everything?
JZ: The risk wheel and how we conceptualize risk is still very relevant, and the tool itself speaks to that connectivity. However, I think what we’ve done more recently is take that to the next level. You really have to look at it in terms of the organization and their particular risk profile. So, a manufacturer is going to be way more concerned about our top two quadrants–which are operational and physical risk and event and hazard risk–because that’s more conducive to their core business, whereas a financial institution are going to be way more focused on the market and economic risk and the technology and information risk just because of the current threat landscape and the unique vulnerabilities that they have in terms of their risk profile.
Where we’re heading is getting more specialized in terms of generating a risk profile and also starting to conceptualize risk in a way that looks at structural risk versus variable risk. Structural risk impacts everybody economy-wide, and variable risk is based more on the decision making or specific business objectives of an organization—which, can rise and fall if organizations want to have a higher risk tolerance or a less risk tolerance.
Pinkerton: Okay, given the comprehensive services that Pinkerton offers, is there any one area or maybe several service lines that are growing faster, and is that surprising to you or is that kind of in keeping with what you had thought was going to happen?
JZ: Our growth is coming from all over the place, which, again, validates the arise in risk-based thinking. However, the future is in Applied Risk Science and having more of a data-driven approach to prioritizing and better honing in on where the top threats are and how those threats translate into potential business impacts for organizations. And it validates the huge investments organizations are making in things like fusion centers and information technology so you’re able to then translate incidents, translate your data into empirical decision making. By far this has the greatest potential in where we see a lot of our future growth.
The reason why that is starting to become more of the focus is because of the introduction of advanced technologies like artificial intelligence and machine learning, which can harness big data and convert that into tangible decision making. So organizations are able to drink from the firehose now, so to speak, and identify relevant, discreet correlations using that data to inform decision-making. That’s the future of risk management and that’s where we see our future growth. Organizations are going to be making their investments to do risk management in a smart way. Again, I think that’s consistent with the increase in budgets for 2019 and where organizations are saying their priorities are at.
Pinkerton: How do you see artificial intelligence and Applied Risk Science merging with Pinkerton’s core business, which has always been intelligence and boots on the ground and having a global network? How do they blend together to make Pinkerton’s offering even stronger?
JZ: I think these are powerful tools, but what makes them relevant is how you are able to augment and harness them in a meaningful way. And for us, we’re finding tremendous value in using these advanced technologies and merging that with on-the-ground type of data that we can collect. So, if you look at AI and machine learning and how you look at what really fuels that, it’s the quality of the data.
Going back to structural risk and variable risk, another way of looking at that conceptualization of structural risk is your low frequency data—your slow moving, fundamental analysis like GDP or measuring inflation—whereas your variable risk, that’s more of your high frequency data, like your day-to-day incidents. You have to be able to merge the two and, if done right, that becomes a foundation for ultimately predicting incidents and threats that are going to have the most business impact for you. Having a data-driven design powered by great technology and harmonizing that with a global network with boots on the ground, so to speak, that really enables us to offer comprehensive risk management and brains to boots positioning. So we’re able to be there for our clients, whatever their risk profile and whatever their risk policy is.
From a temporary basis to fully dedicated is kind of the model that we see as the design of the future for effective risk management.
Pinkerton: You mentioned a lot of the trends that have been going on–whether it’s data breaches or workplace violence–and there’s a lot of things that the general public can see that are impacting businesses on, unfortunately, what seems like on a weekly basis. How well do you think organizations have been responding to some of these risk trends? Looking to 2019, what should they be asking about their risk management planning to help them better prepare for what might be coming?
JZ: Risk management and security organizations are improving their agility and their ability to respond to rapidly changing events. Again, the 2019 projected increase in budgets for Fortune 500 companies is 62 percent, so there is a good recognition that investments need to be made. The risk is more on policy and legislation which, historically, has been slow to respond to the rapidly changing cyber landscape. Enforcement has got to be agile and, until that happens, the onus is going to be on the private sector to really lead the charge in terms of keeping up with the rapidly changing landscape. That is the direction we continue to use and, because of that, you see a lot of focus on data-driven design and being able to harness these powerful technologies.
The other thing to really make this possible is having the right partnerships, to have the implementation done the right way. You could have the best policy, you could have the best intent with your design, but until you’re able to operationalize that, you’re still going to have a gap. Some of the challenges organizations are in a pursuit to have enterprise risk management, but it’s then organizing your core business in a way where you can have your risk management arm and have the ability to adopt and roll out these strategies. But you have a core business that’s decentralized, which creates an organizational gap in terms of your implementation of sound plans, and that’s where having key partnerships and a proliferation of strategic alliances is happening more and more. Having the right integrated supply chain is another key area where you’re going to see investments to help pull off the objectives that organizations are trying to get done.
Pinkerton: You mentioned that we’re looking at a pretty significant increase in risk management budgets across the Fortune 500 coming up for 2019. That will translate for the most part to maybe more personnel, either internally in the company or for firms like Pinkerton who need to staff up. What’s the role of a security person in 2019 that might be different from five, ten years ago?
JZ: That’s a good question. I think that security is now expected to be part of the business, be a business enabler and then ultimately be part of aligning with the organizational objectives. Historically, security has been facility-focused and looking at risk management from a physical perspective. Five years ago, I would say it was way more siloed versus what you have now, which is a more connected part of the organization—something that is becoming less siloed and having an all-hazards or total risk perspective. So, a security risk management professional has to be a master of all trades and have a strong understanding of all the different aspects of an organization. What you’re starting to see is a security risk management professional that has to have an enterprise perspective, thinking and reach. And that’s going to continue to be the case in terms of the security risk management profile in the future.
Pinkerton: Well, looking ahead to 2019, what’s up for Pinkerton? How is Pinkerton going to adapt to the everchanging landscape that’s out there?
JZ: Well, as an organization that’s been around for 167 years, I’d like to think we have a pretty good track record of adapting and staying relevant. How we’re positioning ourselves in terms of Applied Risk Science and taking more of a comprehensive approach to risk management that has a total risk perspective is where we’re going to continue to grow. Being able to have local access with a connected global organization is the right positioning so organizations are able to leverage what we can offer in a rapidly changing risk landscape. Big data, data-driven design, being able to connect the brains to boots and end-to-end offerings is where we’re going to continue to go because we believe that’s what’s needed in order to do effective risk management for organizations.
Pinkerton: Alright Jack, last question. If you were in a room with, say, Fortune 500 executives and you were going to tell them that there was kind of one thing they needed to focus on next year that maybe they’re not doing now, what would you tell them?
JZ: If I were in a room with Fortune 500 executives, the thing I would caution is: disruption is real, digital transformation is real and it’s going to have a profound impact on your businesses. The best defense against digital disruption from a competitor that’s coming in from left field is understanding that data is the new oil and being able to harness good, clean data is how you can drive the correlations for effective decision making. Being able to predict that is only going to be achieved if you embrace AI, machine learning and these advanced technologies and embrace that these are tools to augment your business, not something to replace it. And so, I think organizations that adopt risk-based thinking in their plans and understand that you can create a foundation that will enable you to have stronger prediction capabilities and be able to see threats that could impact your organizational objectives before they occur is money well spent.
Contact Pinkerton today to learn more about how we can help you improve your risk mitigation capabilities in 2019.