If we see each problem - be it water shortages, climate change, or poverty - as separate, and approach each separately, the solutions we come up with will be short-term, often opportunistic quick fixes that do nothing to address deeper imbalances
- Peter Senge
The story so far:
Last month’s post focused on the idea that states, and organizations, need to become more adaptable or risk collapse - a thought that still hits me like a load of bricks. If you didn’t catch that post, you can find it here.
Roberts argues that Canada is on the edge of an “adaptability trap”. Here is why:
short-term politics (we only have a few years before we need to get elected again)
a missing dialogue (between levels of government)
a decaying public sphere (democracy is a two-way street)
a web of rules (how many forms does it take to order a passport?)9
The average life of an S&P 500 company is expected to decrease from 33 years in 1964 to just 12 in 2027.
So, how can security help?
Post preview:
The topic of our inquiry in this post was: how can security help enhance an organization’s resilience - or adaptability?
To answer that, I start by asking which of our behaviours, desires, or attitudes are preventing us from becoming more adaptable, and are we willing to change them?
My answer to the second question: our Industrial Age bubble. Think of it as the system behind the global extraction, waste, and homogenization that defines our working reality.
There is a case to be made here that the greatest threat security professionals face is not cyber, physical, or even natural threats, but an unsustainable business model.
But, can we change that (answering the first question)? How might we influence the patterns of our system by:
reframing our roles to Chief Resilience Officer and supplementing risk with resilience
challenging the business, not just enabling it
What?
The topic of our inquiry in this post is: how can security help enhance an organization’s resilience - or adaptability?
Last month, we left with a question that I asked you to reflect on: which of our behaviours, desires, or attitudes are preventing us from becoming more adaptable, and are we willing to change them?
I wonder if it is our Industrial Age. What does that mean?
Let me unpack this with a series of contrasts from Peter Senge1:
Historically, solar radiation was the single source of energy on earth. It powered forests, marine ecosystems, and caterpillars. Now, 90% comes from burning fossil fuels.
Historically, most food was sourced locally. Now, most food “travels thousands of miles, and is often genetically modified or otherwise preserved so it can survive the trip”.
Historically, there was no waste. Now, we generate a ton of waste.
Nature has a “love affair with diversity and uniqueness: no two trees, leaves, dragonflies, polar bears, or people are the same”. In our day-to-day, the “industrial age’s quest for efficiency and standardization has gradually unleashed relentless forces for homogenization, destroying cultural diversity just as it has destroyed biological diversity”.
Senge calls this an Industrial Age “bubble” - a metaphor commonly used by historians to make sense of different realities.
What’s the problem?
Aside from the obvious unsustainable cycle of extracting raw materials and dumping more waste than the environment can handle, systems thinking teaches us that strong systems have three key characteristics2:
Resilience
Self-Organization
Hierarchy
Let’s take those one at a time:
Resilience “is the capacity to survive, adapt, and flourish in the face of turbulent change”.3 Without diving deep into what that means, I wonder if resilience is even compatible with the industrial bubble?
In the industrial bubble, we love standardization, efficiency, and productivity. Do we not? Problem: there is nothing standardized about humans. We are all unique with oh so many differences.4 This is a good thing. I mean, imagine if your body (a complex adaptive system) was made up of only livers? How long do you think you would live if you had a liver for a heart?
I want you to imagine an assembly line. Experience tells me that this has been an incredibly efficient way to produce and profit. But, is it natural for humans to do so? I mean, does a child ever say: “when I grow up, I want to be the person that puts tape on Amazon’s boxes!”? I don’t think so.
Don’t get me wrong, I see my privilege. I understand how I have benefited from such business models.
Can we really expect people to not just survive, but also adapt and flourish in the face of turbulent change if they spend the majority of their lives being told what to do and when to do it? Can we expect people to be creative during a crisis, when they normally aren’t permitted to be creative?
Self-Organization is the “capacity of a system to make its own structure more complex. It is the ability of a society to take the ideas of burning coal, making steam, pumping water, and specializing labor, and develop them eventually into an automobile assembly plant, a city of skyscrapers, a worldwide network of communications”.5
Self-organization is what happens when people learn, mobilize, and adapt. This suggests that the strongest systems are bottom up, not top down.
Self-organization means uncertainty. It means unpredictability. It means that we can’t predict what systems or structures are going to emerge.
As a leader, does that scare you?
In the industrial bubble, we all too often exchange resilience and self-organization for short-term productivity and stability - the “usual excuses for turning creative human beings into mechanical adjuncts to production processes”.6
We see this happen with education systems that restrict kids and in governments that resist their people organizing.7
Self-organization embraces difference, diversity. It’s what enables brilliant innovation and permits experimentation. It’s what enables the best of what everyone has and puts it on full display with big bright lights.
Hierarchy is when a system chooses to create further sub-systems to do something. For example, your body has organs, which make up organ systems. Your organ systems make up your body. They are like nested systems.
Hierarchies always have the purpose of helping sub-systems function better.8 As leaders, we ought to remember this. When security professionals form an association together to increase quality and professionalization, the association exists to serve the security professionals.
Albeit, there is a balance here.
On the one hand, if a sub-system decides to go rogue, like a corporation bribing a government, the whole system suffers - market competition suffers.9
On the other hand, if a system holds onto a sub-system too tightly (micromanagers, anyone?), the sub-system will not flourish; it will flat out die.
I don’t know about you, but I wouldn't describe resilience, self-organization, or hierarchy (well not healthy hierarchy) as the defining characteristics of too many systems today.
So what does that mean to us?
Is our business model unsustainable?
Every system has its limits.10
Your business has limits. For example, you may hire more people to market your product, but eventually you will find that the sales are producing orders faster than your manufacturing facility can make your goods. So, you will have to hire more people. More people means that you need more training and quality control and so you will continue to shift from one limiting factor to the next.11
Your city has limits. If a city does city things so well that everyone inside of it is super happy, it attracts more people. Eventually, there will be so many people that the system will fail to provide that which originally made its people happy.
“There will always be limits to growth. They can be self-imposed. If they aren’t, they will be system imposed.”12
Are we pushing our industrial bubble to its limits?
There is a case to be made here that the greatest threat security professionals face is not cyber, physical, or even natural threats, but an unsustainable business model.
Our model is a profitable one. But is it possible that it is both profiting us and killing us?
Is the very source of our wealth also our greatest limiting factor?
Our traditional way of thinking is what led to our unsustainable business model (industrial age bubble).
If a factory is torn down but the rationality which produced it is left standing, then that rationality will simply produce another factory. If a revolution destroys a government, but the systematic patterns of thought that produced that government are left intact, then those patterns will repeat themselves… There’s so much talk about the system. And so little understanding. - Robert Pirsig
We need to think differently.
Now what might we do?
You may be a small or medium sized business or you may be a large enterprise. What you do is highly dependent on who you are.
My team and I have a saying: “just improve it by 1 percent”.13
My goal, here, is not to overwhelm you by the wealth of options to enhance your organization’s resilience. Quite the opposite.
I would like to offer you a 1 percent opportunity for action.
But first, we need to recognize that we have an influence problem.14 CSOs and CISOs rarely have enough clout to weigh in on the business model, let alone a global business model.
So, let’s take a move from the Culture Disruptor and reframe your role.15 Reframe your role from Chief Security Officer, Chief Information Security Officer, or Chief Risk Officer to Chief Resilience Officer. This will put you in a much better position to help the business create a competitive advantage by adding a much broader business value function. It might include not just risk, but also supply chain management and sustainability/environmental management.
This would position you to drive business decisions like restoring domestic operations to reduce the length of your supply chain. Or, you might do away with lean approaches like just-in-time manufacturing, which quickly reduces the resilience plateau. Yes, that might mean that you are exposed to loss prevention in the short term.
This would also position you to expand your system by connecting with governments, other businesses, and non-governmental organizations (NGOs). This would let you leverage the technical expertise of NGOs in particular to develop sustainable operations, which would help you put in place sustainable water management practices, for example.
This would also put you into a position to influence how the organization manages knowledge, empowers its people, and learns!
You know, I’ve been a fan of ASIS International for a few years now. I love the community, the standards, the courses, and I love the philosophy of enterprise security risk management (ESRM).
If you have no idea what ESRM is, and you’re a security professional, please check out the link above and get reading. ESRM will be life giving to you.
ESRM “is a strategic approach to security management that aligns an organization’s security practice to its overall strategy using globally established and accepted risk management principles”.16
It means that business leaders have the authority and responsibility to make risk decisions.
It means that security has space to add value to business leaders by helping them to manage their risk.
It means that risk can be managed systematically and holistically, which recognizes the increasingly interconnected nature of our world.
But, I wonder if ESRM needs to push just a bit further.
Risk management is no doubt a well established discipline. It is also, in my opinion, a super important discipline that reduces loss and safety incidents every day.
But risk management also assumes a “reductionist worldview”.17
Picture a classic risk register. Each risk is a clear event. Each risk is seemingly independent of other risks.
Problem: only some risks are a clearly defined event - a fire, for example. Many risks have a slow burn effect: COVID and technological proliferation, for example.
Problem: risks are never independent of other risks - think COVID and its cascading effect of remote working, interest rates, inflation, home buying, stockpiling, HR issues, crime displacement, and so on.
What would it take to change that (reductionist worldview)?
What would it look like for security professionals to address the threat of a globally unsustainable business model?
My hypothesis: supplement risk with resilience.
In 2025, ASIS International published research, which argued that the two most important factors influencing security being seen as an enabler vs a cost-center are:
shifting security’s focus from reactive to proactive
demonstrating security’s competence during a crisis
Supplementing risk with resilience is a proactive move. It means that even when we can’t identify the risk (think black swan risks), we can increase the resilience plateau by designing resilience into the organization.
But resilience also requires us to dig much deeper beneath a risk event. We need to look at the patterns of the system, the structures of the system, and the mental models of the system.18
What insights would emerge if we looked that deep into how a system functioned?
What risks might we proactively manage by influencing how people exchange information?
What resilience plateau might we construct if we learned to influence system wide patterns?
How might a new business model emerge if employees were empowered to collaborate, problem-solve, and learn regardless of their position in the hierarchy?
How might organizations leverage self-organization to solve our most difficult problems? Might we pursue communities of inquiry19 or “crews”20?
Don’t just enable the business, challenge the business. Resilience, as we discussed above, is often an incoherent pattern with productivity and efficiency. Increasing the resilience plateau may mean decreasing short term profit. It may also mean not revolving your world around shareholders. I promise these will be short term losses if done right!
Businesses cannot simply be about shareholder value. The way in which business is carried out - the quality of work environment, supply chain design, manufacturing locations, product development, and service provision must not only generate shareholder value, but it must be good for the health of people and the environment.21
Security has historically been given, and been satisfied with, a very narrow scope of practice (i.e. ‘security protects us’). While that is very true, we are also so much more helpful than that.
Martin Gill22 and Helen Forbes-Mewett23 expanded that scope considerably (see last post), but Joseph Fiksel has also expanded that scope considerably by linking the role of security to environmental management.
“Security is no longer merely concerned with defense against hostile regimes and terrorist attacks; now it also includes protection of our sources of food, energy, water, and materials, which are at the foundation of economic growth and community prosperity”.24
If we are to leverage this definition, we can’t just enable what the business wants. If we truly care about the future of our organization, we must also challenge it to ensure it has a future.
For further reading on this, I recommend Joseph Fiksel’s Resilient by Design25 and Peter Senge’s The Necessary Revolution: how individuals and organizations are working together to create a sustainable world.26
In conclusion
The topic of our inquiry in this post was: how can security help enhance an organization’s resilience - or adaptability?
To answer that, I started by asking which of our behaviours, desires, or attitudes are preventing us from becoming more adaptable, and are we willing to change them?
My answer: our Industrial Age bubble. Think of it as the system behind the global extraction, waste, and homogenization that defines our working reality.
There is a case to be made here that the greatest threat security professionals face is not cyber, physical, or even natural threats, but an unsustainable business model.
But, can we change that? How might we influence the patterns of our system by:
reframing our roles to Chief Resilience Officer and supplementing risk with resilience
challenging the business, not just enabling it
I’ll push these questions over to the chat.
1. Peter Senge, The Necessary Revolution: how individuals and organizations are working together to create a sustainable world (New York: Doubleday, 2008), 36-37.
2. Donella Meadows, Thinking in Systems (Vermont: Chelsea Green Publishing, 2008).
3. Joseph Fiksel, Resilient by Design (Washington: Island Press, 2015), 5.
4. John Mark Comer, Garden City (Grand Rapids: Zondervan, 2015).
5. Meadows, Thinking in Systems, 79.
6. Meadows, Thinking in Systems, 79.
7. Meadows, Thinking in Systems, 79-80.
8. Meadows, Thinking in Systems, 84.
9. Meadows, Thinking in Systems, 85.
10. Meadows, Thinking in Systems, 102.
11. Meadows, Thinking in Systems, 102.
12. Meadows, Thinking in Systems, 103.
13. James Clear, Atomic Habits (New York: Penguin House, 2018), 14.
14. Michael Coole, Nicola Lockhart, and Jennifer Medbury, “The Influence of Security Risk Management: Understanding Security’s Corporate Sphere of Risk Influence,” ASIS Foundation, 2023, https://www.asisonline.org/globalassets/foundation/research/risk-influence/full-report-asis-foundation-security-risk-influence.pdf
15. Siobhan McHale, The Insider’s Guide to Culture Change (Harper Collins Leadership, 2020).
16. Enterprise Security Risk Management Guideline, ASIS International, 2019, 3.
17. Fiksel, Resilient by Design, 23.
18. Senge, The Necessary Revolution, 176.
19. Patricia M Shields, “The Community of Inquiry: Classical Pragmatism and Public Administration,” Administration & Society 35, no. 5 (2003).
20. David Lindstedt, Building Resilient Organizations Through Change, Chance, and Complexity (New York: Routledge, 2023).
21. Senge, The Necessary Revolution, 133.
22. Martin Gill, “Thinking About the Benefits of Security, and the Barriers to Recognizing Them,” in The Handbook of Security, 3rd edition, ed. Martin Gill (Basingstoke: Palgrave Macmillan, 2022), 999.
23. Helen Forbes-Mewett, “The New Security: Shifting the Boundaries,” in The Handbook of Security, 3rd edition, ed. Martin Gill (Basingstoke: Palgrave Macmillan, 2022), 39-58.
24. Fiksel, Resilient by Design, 113.
25. Fiksel, Resilient by Design.
26. Senge, The Necessary Revolution.
Shawn, I really enjoyed this post. It's clear, logical, and begins to describe the kinds of changes that need to be made in any system, if it is to be resilient. Resilience often gets a bad rap. I was hired once to engage with a group inside an organization to talk about resilience through a series of sessions. They had been deemed "essential" workers during Covid, and the management decided they needed this training.
I experienced a lot of push back and anger in each session. At the end of the second session, I just asked what that was all about. They told me stories of how, throughout the Covid lockdown, and in the months during and after, the management had told them to just be more resilient and get back to work... as though their practices, expectations, goals, and learning were all that needed to shift in response to the upheaval and uncertainty of Covid.
Many people think resilience means a system can work like a rubber band: When it's stretched or stressed, it just relaxes eventually and goes back to its original state.
That's not possible in a complex system. And for that system to have the resilience to adapt, of course the people need to be resilient so they can adapt. When we work with an organization on system change, we talk about the "level" of change: Policy, Procedural, Practices, and (only then) Personnel. Personnel can do what they can do, but as long as the other three pieces remain static, Personnel actually can encounter greater stress in their efforts to change.
I'd love to chat with you sometime about your next steps to see where this all goes next. Thanks for sharing these ideas with the world!!! (and I'm sorry this got so long!)