As we approach the somber anniversary of September 11th, 2001, it’s only natural to assess what has changed through the lens of that tragic morning, and to think about how we are doing as a country when it comes to enhancing security at the government and private/corporate level, nearly two decades after the 9/11 attack.

The average consumer is almost certainly aware of high-profile changes like the establishment of the Department of Homeland Security and the enhanced TSA protocols that have become a necessary evil of airline travel. Security has evolved in a number of ways, however, both large and small, many of which are perhaps not so obvious to the average person.

But as we consider the evolution of security in a post-9/11 landscape, it’s how our approach to security has not changed that perhaps deserves the most attention.

Based on the narrow definition of terrorism used both before and after 9/11, most governmental institutions, both at home and abroad, have done a commendable job tightening up security and implementing protocols to protect national interests. But the fly in the ointment is that we remain too closely focused on that narrow definition of terrorism, commonly conceived and discussed as an international attack involving some kind of violent threat.

But those threatened by a disgruntled employee with a gun in an episode of workplace violence will certainly feel like they have been the victims of a terror attack. To the hundreds of thousands who have lost their lives to the coronavirus pandemic, the effect is just as tragically lethal as a bioweapon attack. And even civic unrest that crosses the line into dangerous or destructive behavior can be damaging to health and economies on a scale that equates to a terror attack.

It’s pointless to argue semantics or waste time arguing over what qualifies as a terrorist-level threat. It is well past time to broaden the definition of terrorism and think more holistically about the full spectrum of risk. We need to get smarter, more flexible and more open-minded in how we consider threats and, most importantly, allocate security resources.

Enterprise security, in particular, has not grasped the risks and exposures that terroristic types of threats pose to operations as quickly as it should have, whether from traditional or cyber attacks. And that failure starts with an inability (or unwillingness) to articulate what the most significant risks actually are. You can’t identify, address and mitigate a threat if the first link in that chain is broken. Recognition is a prerequisite for preparation, and this pandemic is Exhibit A that we are not assessing and managing risk well at the corporate level.

Risk assessment and management are diffused within corporations, spread out across auditing, environmental health and safety, and financial risks. Consequently, risk infrastructure in companies is not particularly agile, and is based on outdated thinking about how to identify, evaluate and mitigate risk. Too many companies have been slow to evolve.

Executives have lots of people telling them about a multitude of risks. But they have far fewer risk professionals helping them contextualize and prioritize which of those risks requires what degree of urgency and response. In general, risk literacy remains low. For their part, CISOs and other security professionals need to get better at communicating this stuff: “speaking business” and helping senior leaders understand their true exposures and risks so that they can make informed and strategic decisions.

But it all starts with reframing the whole risk management world as something more than just an exercise in insurance, and treating it as what it actually is: an urgent operational imperative that demands proactive attention and investment. Nearly two decades after 9/11, we need to get smarter about protecting all of our interests. That mission is especially critical now, as the lines have become increasingly blurred between public and private interests. With enormously influential multinational corporations playing a bigger role in society and our economy, there are huge economic and societal implications to an attack: from sensitive personal data being compromised, to financial damage that could spark a national recession. In other words: in many respects, enterprise risk is national security risk, and it’s time we started addressing both with a deeper and more nuanced understanding of today’s complex and expanding risk landscape, and a newfound appreciation for the work that has to be done to safeguard both individuals and institutions.

Published August 26, 2020