This year's Annual Briefing was the first OSAC to be held in person since the pandemic began, and security professionals were excited to see so many friends and colleagues. Held at the (much fancier) Capital One Hall rather than the State Department, OSAC covered a range of topics, but networking won the day.
Amid the panel discussions and hallway conversations, here are five quick takeaways (with names omitted to follow the event’s Chatham House requirement):
1. Opportunity centers rather than cost centers
With an uncertain economy, security and intelligence teams are beginning to feel the pressure. The first panel of OSAC looked at intelligence as a “value add” across the broader spectrum of business development, product, recruitment and sustainability. “There are so many places that can drive value,” said one corporate security leader. “Security decisions are business decisions.” Added an intelligence leader on the panel, “You need to be willing to speak to opportunity as well as risk.”
But many companies have preconceptions about security. “If it helps, take security off your business card,” said one security leader. “We need to sell ourselves a little bit differently. We need to get creative.”
2. The growing role of resilience
Security is beginning to converge with resilience – or vice-versa – in a growing number of companies. Just look at this description of OSAC speaker Cheryl Steele’s role as the VP of Global Security & Resiliency at Starbucks:
“The Global Security and Resilience team serves as the functional Center of Excellence for Starbucks, providing business-focused solutions consistent with the company’s strategy. Cheryl advises the leadership team on physical security and safety related activities and enterprise controls for Starbucks’ business units, the global supply chain, joint venture and strategic licensing partnerships, and facilities worldwide…”
COVID laid the groundwork for a more converged approach, and an ASIS survey found that convergence between security and resilience is outpacing the convergence between physical security and cybersecurity. One of the benefits of a resilience convergence: see #1 above.
3. Russia’s invasion of Ukraine and the “polycrisis”
Ukraine was top of mind in many panel discussions. There were personal stories of corporate security leaders scrambling to evacuate staff. Of a private encrypted chat, organized by OSAC, that helped companies and NGOs coordinate on the ground. Of a skeleton State Department team reopening the Kyiv embassy. And of the ongoing economic, geopolitical and psychological ripple effects of the invasion.
As an “attack on the world’s food supply,” Ukraine can’t be analyzed in isolation. Explained one corporate intelligence leader, the invasion is part of a larger “polycrisis” of concurrent threats, including climate change. “Without good intelligence, it’s very hard to navigate this,” he said, adding that collaboration is key. “There are unfriendly companies, but no unfriendly intelligence teams.”
4. Hybrid work is here to stay
It’s not a new topic, but many companies are still contemplating how to best protect remote and hybrid workers. “We had to reimagine what security means when the world pivoted on a dime,” said one corporate security leader. Mental health and prevention have become a bigger focus.
A security consultant said some companies are rebranding “insider threat” to “insider risk” to encompass the broader issues of working from home – and to sound “less draconian.” It all boils down to trust. “Being transparent is super important,” as is making sure employees know “their safety is at the forefront.”
5. The uncertainty of Twitter
While not part of any panel discussion, Twitter was on many analysts’ minds. What if it fails? Or changes drastically? Is there an over-dependence on Twitter for situational awareness? Does this constitute a risk in itself? (Read more about Twitter and risk intelligence in our earlier blog post.)
Risk mitigation begins with diversification. While we hope that Twitter is resilient in the face of change, the accelerated emergence of other platforms may be an improvement for the industry in the long run. In the meantime, if you’re on Mastodon, come say hi.