Inquiry: How security can help democracies survive the 21st century?

Exploring the value of security in improving Canada's adaptability

“The biggest challenge of governance, across, the globe, is adapting the institutions and processes of government to the new problems it faces” - Donald Kettl

What?

I learned security through trial and error and ASIS International’s Protection of Assets - much like many of you. When I would work through the risk assessment chapters I kept coming across the intangible assets of competitive advantage and reputation. Conceptually, this made sense. Yet, whenever, I would communicate these in a risk statement, people looked at me like those were irrelevant to the discussion.

Over time, I started to think that as a governmental organization, we didn’t need to consider those assets because we existed by law, not because we held a competitive advantage.

I think I was wrong.

Over Christmas, I read a book that has caused me to “think again”.¹ It’s called The Adaptable Country: how Canada can survive the 21st century², written by Alasdair Roberts.

Roberts’ argument is that countries need to focus on their adaptive capacity or risk collapse.

This hit me like a load of bricks. Canada… collapse???

Roberts says:

“We take the world of states [countries, in essence] for granted, but it is just as brittle as the world of empires. Most states are very young. Two-thirds of the states represented in the United Nations General Assembly are less than eighty years old. Most states are also unstable, according to the research organization Fund for Peace. About half of the world’s population lives in very unstable states. Several states have collapsed within the life experience of the average Canadian, which is about forty-three years”.³

Before I lose my non-government audience, Brian Allen (amazing security thinker and hopefully friend after this post) says that the average life span of an S&P 500 company in 1964 was about 33 years. This is expected to decrease to just 12 by 2027.⁴

The point? Organizations (and states) don’t live forever.

It seems, then, that while it is possible that the problem is blown out of proportion, there is a growing body of evidence to the contrary.

Let’s assume then that Roberts is correct and focusing on adaptability is critical to our survival. As a security professional, I ask: how can security help? In more business terms, what is security’s value add or role to play in expanding the life of our country or organization?

I will provide my two cents, but first a few definitions:

Adaptability: “the ability of a country to renovate its grand strategy and institutions in response to new circumstances and ideas”.⁵

Resilience: “the capacity of a system to preserve its core purpose and integrity in the face of dramatically changed circumstances”.⁶

Roberts prefers the use of adaptability over resilience since events often have such an effect on people that the core purpose is no longer the desired state.⁷ In my opinion, the important thing is to focus on our capacity to pull through change well - and survive.

What’s needed to achieve this condition of adaptability? According to Roberts:

1. Is the system capable of anticipating dangers?

2. Can the system redesign its strategy to address long-term challenges?

3. Is the system capable of building political support for the proposed strategy?

4. Is the system capable of executing a proposed strategy - that is, of renovating institutions and mobilizing resources as the strategy requires?⁸

For the Government of Canada, Roberts identifies four dangers that make us less adaptable:

1. short-term politics (we only have a few years before we need to get elected again)

2. a missing dialogue (between levels of government)

3. a decaying public sphere (democracy is a two-way street)

4. a web of rules (how many forms does it take to order a passport?)⁹

For the private sector, I might add:

1. consumerism culture (why can’t Amazon deliver my package minutes after I order it?) (I don’t have evidence for this point. It’s just a hypothesis).

2. organization design - “traditionally, organizations have been designed for a complicated rather than a complex world. Hierarchical and silo structures are perfectly designed to break problems down into more manageable fragments. They are not, however, so effective handling high levels of complexity. For this reason, many of our most long standing institutions are now struggling to adapt”.¹⁰

I don’t work in the private sector so can you add to this list? Leave a comment below.

So what?

Senior Security Executives (SSE),¹¹ you are perfectly equipped to improve the adaptability of your country or organization (whichever space you work in). In fact, I argue that you are the best person to do this.

Look again at the four conditions of adaptability:

1. Is the system capable of anticipating dangers?

2. Can the system redesign its strategy to address long-term challenges?

3. Is the system capable of building political support for the proposed strategy?

4. Is the system capable of executing a proposed strategy - that is, of renovating institutions and mobilizing resources as the strategy requires?

Now tell me, what do you not already excel at here?

As the SSE, you already anticipate dangers - think threat and risk assessment.

As the SSE, you already help others design systems that can address long-term challenges - think enterprise security risk management (ESRM).

As the SSE, you already work hard to build trust and influence in your organization because you have had to overcome untrue narratives like “you are a cost centre” or “you are the ‘no’ team”.

As the SSE, you already change the way you work and mobilize resources to support the business - think crisis management and operational (organizational) resilience.

Let me remind you of the brilliant work you do every day and the ways in which you contribute to human flourishing:

“Security when practiced well is fundamental to protecting individuals, organizations, communities and countries from danger; it has been shown via research to be crucial in reducing risk and saving lives. Within organizations it serves an essential function with multiple purposes, primarily it:

1. identifies major risks and is a focal point for managing them;

2. it facilitates operations, including and especially in the most testing environments where it is the mainstay of building and maintaining resilience;

3. it prioritizes protecting people and other assets while supporting organizational goals;

4. it is a focal point for expertise in responding to danger and in a crisis;

5. it provides a check on practices to ensure they are legal and ethical; in this role it recognizes and promotes the personal freedoms of individuals and protects the organization’s brand and its reputation.

6. Security provides a coordinating function, marshalling relevant internal and external resources to provide a holistic response always guided by organizational objectives.

7. In the commercial sector, security personnel help companies make profits and reduce loss, and in all sectors good security provides a value adding service.”¹²

Security professional, this is a Monday for you. Regardless of your position, you are perfectly suited to help your organization adapt into the organization that it needs to be for the future.

Canada is facing the following dangers ahead¹³:

• climate change, which causes frequent emergencies that consume our resources

• massive migration, which tests our border services capacity

• political instability, think of the US election, threat of tariffs, tensions with India, etc.

• resource competition, think water and habitable land

• interstate warfare

• economic dislocation

• challenges of integration

• data governance

This list is not exhaustive. As a security professional, you know that already. You’ve done the risk assessment. You know the dangers.

So what do we do about them?

Now what?

First, we need to identify the type of problem. I’ve found two helpful resources for this.

1. The Cynefin Framework

2. Heifetz and Linsky’s adaptive vs technical dichotomy¹⁴

Either method works well, but I’m going to go with Heifetz and Linsky as I just finished this book and am dying to get their ideas on paper.

In short, we all have problems that can be solved with our current “know-how”. A doctor, for example, knows how to diagnose high cholesterol and how to reduce it. These are called technical problems. They can be solved through expertise and best practices.

But then there are problems, which can’t be solved simply by experts. These are called adaptive problems as they “require experiments, new discoveries, and adjustments from numerous places in the organization or community.”¹⁵

Security is both a technical challenge and an adaptive challenge. We can develop technical solutions to technical challenges, like using shiny new turnstiles to keep out a petty criminal looking for a shiny new laptop. But will that help our people “make the adaptive leap necessary to thrive in the new environment?”¹⁶

When we're dealing with an adaptive challenge, which we are, “the sustainability of change depends on having the people with the problem internalize the change itself”.¹⁷

So, we need to ask two questions:

1. (Technical) How can we help our organizations become more adaptable?

2. (Adaptive) Which of our behaviours, desires, or attitudes are preventing us from becoming more adaptable, and are we willing to change them?

I know this is a little abstract so let me provide you with an example from my personal life. A couple of months ago, I received a call from my doctor. He said “Shawn, you have high cholesterol. No more red meat and exercise more”.

High cholesterol! I’m 31 and have at least two abs.

While I am not a doctor, I’ve learned that there are two ways to handle this problem:

1. medication, or,

2. diet and exercise

Medication is a technical solution provided by an expert. Diet and exercise is an adaptive solution provided by the impacted party (me).

Let me reframe these as questions:

1. (Technical) How can the expert lower my cholesterol?

2. (Adaptive) Which of my behaviours, desires, or attitudes are causing high cholesterol, and am I willing to change them?

Sustainable change means that I need to change my obsession with ice cream or risk a heart attack. Please don’t mishear me. I may also need medication (technical solution). But I too have a role to play. I need to adapt my ways to stay in the game

I hope that example illustrates the technical vs adaptive dichotomy. Let’s return to the topic at hand: adapt or risk collapse.

Steep on these questions:

1. (Technical) How can we help our organizations become more adaptable?

2. (Adaptive) Which of our behaviours, desires, or attitudes are preventing us from becoming more adaptable, and are we willing to change them?

My desire was to leave you with answers, but I’ve decided to leave you with these questions instead because I think it’s important that we internalize them and discuss them. Next month, I will share a few thoughts that I think will be helpful, but in the meantime, I want to invite you to reflect on these questions and tell me what you think in our chat:

Join Shawn Woods’s subscriber chat

Available in the Substack app and on web

Join chat

If you’re working on the “future proofing” level of the CSO Development Pyramid, you won’t want to miss this.¹⁸

Until next time,

Shawn Woods

1

Adam Grant, Think Again: the power of knowing what you don’t know (New York: Viking, 2021).

2

Alasdair Roberts, The Adaptable Country: how Canada can survive the twenty-first century (Montreal and Kingston: McGill-Queen’s University Press, 2024).

3

Roberts, The Adaptable Country, 4.

4

Brian Allen, Brandon Bapst, and Terry Allan Hicks, Building a Cyber Risk Management Program (Sebastopol: O’Reilly Media, 2024), 16.

5

Roberts, The Adaptable Country, 11.

6

Roberts, The Adaptable Country, 11.

7

Roberts, The Adaptable Country, 12.

8

Roberts, The Adaptable Country, 12-13.

9

Roberts, The Adaptable Country, 46-107.

10

Paul Ekblom, Crime Prevention, Security and Community Safety Using the 5Is Framework (New York: Palgrave Macmillan, 2011), 41.

11

ASIS International defines the SSE as the most senior individual within an organization tasked with responsibility for the organization’s security function. SSE’s are commonly referred to as Chief Security Officers or Chief Information Security Officers. https://www.asisonline.org/publications--resources/standards--guidelines/senior-security-executive/

12

Martin Gill, “Thinking About the Benefits of Security, and the Barriers to Recognizing Them,” in The Handbook of Security, 3rd edition, ed. Martin Gill (Basingstoke: Palgrave Macmillan, 2022), 999.

13

Roberts, The Adaptable Country, 139.

14

Ronald Heifetz and Marty Linsky, Leadership On the Line: staying alive through the dangers of change (Boston: Harvard Business Review Press, 2017).

15

Heifetz and Linsky, Leadership On the Line, 13.

16

Heifetz and Linsky, Leadership On the Line, 13.

17

Heifetz and Linsky, Leadership On the Line, 13.

18

“CSO Center Development Pyramid,” ASIS International, accessed January 13, 2025, https://www.asisonline.org/membership/cso-center/cso-center-development-pyramid/

Comments

[Shawn Woods]

Frithjof, thank you for commenting on the post. I truly appreciate your time and thought. Let me make that link more explicit in next month's post. In the meantime, I'm going to send you a message as I'd love to hear a bit about your work.

[Frithjof Wegener]

I'm surprised to read "inquiry" in the title and then never again. Could you make that link more explicit?