The Security Circle

EP 116 Presilience® in Business: Making Risk an Opportunity with Dr Gavriel Schneider

Yoyo Hamblen Season 1 Episode 116

Share episode

Send us a text

Podcast Summary: Interview with Dr. Gavriel Schneider on Presilience and Risk Management

In this podcast, Dr. Gavriel Schneider discusses the concept of Presilience, a proactive approach to risk and resilience. He contrasts traditional compliance-driven security measures with a more dynamic, opportunity-focused mindset. Dr. Schneider shares insights from his career in close protection, risk psychology, and high-performance leadership, explaining how decision-making under pressure, stress inoculation, and integrated risk management are crucial for both individuals and organizations. He also highlights how AI and automation will reshape risk strategies and why adaptability is key in today’s fast-changing world.

Six Key Talking Points

  1. Presilience vs. Traditional Resilience
    • Presilience is a forward-thinking approach, focusing on proactive risk intelligence rather than reacting after an event occurs.
    • Compliance is necessary but insufficient; organizations must go beyond resilience to anticipate and leverage risks.
  2. Decision-Making and Risk Psychology
    • Many organizations operate in a reactive mindset, investing in security only after incidents occur.
    • High-performing leaders understand human engagement as the missing link in effective risk management.
  3. Stress Inoculation and High-Performance Culture
    • Training to thrive under pressure is more effective than just enduring stress.
    • Modern workplaces must integrate psychology, neuroscience, and physiology to improve decision-making.
  4. AI and Automation in Risk Management
    • AI will enhance human decision-making, but only if professionals adapt and integrate it effectively.
    • The best performers will be those who learn to use AI as an assistive tool, rather than fearing automation.
  5. Risk as an Opportunity, Not Just a Threat
    • Traditional risk management sees risk as something to be avoided, but uncertainty can drive innovation.
    • Successful leaders shift from fear-based security approaches to opportunity-centric risk strategies.
  6. Masterclass and Future of Risk Management
    • Dr. Schneider is launching a masterclass with Rochester Institute of Technology to teach Presilience.
    • The program condenses years of research into practical tools for security professionals, managers, and leaders

https://www.linkedin.com/in/dr-gav-schneider/

Security Circle ⭕️ is an IFPOD production for IFPO the International Foundation of Protection Officers

If you enjoy the security circle podcast, please like share and comment or even better. Leave us a fab review. We can be found on all podcast platforms. Be sure to subscribe. The security circle every Thursday. We love Thursdays.

Yoyo:

Hi, this is Yolanda. Welcome. Welcome to the Security Circle podcast, the award winning Security Circle podcast. IFPO is the International Foundation for Protection Officers, and we are dedicated always to providing meaningful education, information, certification for all levels of security personnel and To make a positive difference where we can to our members, mental health and wellbeing. And if you're new to the security circle, welcome. This is where the journey begins. Our listeners are global. They are the decision makers of today and tomorrow. I want to thank you very much,, wherever you are around the world for being a part of the security circle journey. So we are on all podcast platforms. Don't forget as well, when you see the posts and LinkedIn to subscribe or even better, just like comment and share. The LinkedIn post. Thank you for your company today. Well, this gentleman needs no introductions, but he's going to get one anyway. He is part of the Security Circle alumni, Dr. Gavriel Schneider. Welcome to the Security Circle podcast again. How are you doing?

Gav:

Thrilled to be back. It's wonderful to see how the podcast has grown and evolved since I was here last time. I couldn't believe that there's well over a hundred episodes.

Yoyo:

Yeah, we are on a roll and our listener numbers have never been so high and it just, it's only because Gav, you know, the class of, guests, if the guests were boring and dull and didn't have anything to give in terms of listening power, we wouldn't be as successful as we are. So I can't really claim, the credit for all of that.

Gav:

We'll discuss presilience and risk and everything, I'd probably say there's three variables. It's you, the interviewer, who you interview and the audience and the combination of nailing all three of those and aligning them is what creates a winner. So well done to you and you should give yourself some kudos to that too.

Yoyo:

I personally, I give the kudos to the guests because I think what a wonderful echo chamber. My brain is constantly healthy, thinking of new ideas and new thoughts and it's only because I'm surrounding myself with some of the greatest minds in our security community. to great minds. We knew this book was coming, didn't we? It's been on the cards. Certainly, um, if we look at your history, this isn't the first book you've written, but I'd like to ask you, first of all, if we look at the book, Presilience, your new book by Dr. Gavriel Schneider, we're going to go through some very thought provoking questions about the origins of this book and the big. Why behind it? What inspired you to develop the concept of Presilience for those people who don't know you? And how does it differ from traditional resilience?

Gav:

I think a few things. So fundamentally for me, it's about efficacy and how people understand. So throughout my journey, and for the listeners who aren't aware, I started my career in close protection and defensive tactics back in South Africa, well on 30 years ago now, almost. We're getting a bit older, but teaching self defense and defensive tactics and then becoming a protector and then growing a protection business, one of the things that always amazed me was how bad people are at decision making, particularly when it comes to security and risk. And that became an area of significant interest for me where my PhD looked at high consequence decision making associated with use of force. So if you look at an origin story, that's probably where it started around looking at flawed decision making around security. And fundamentally, I think it's interesting. One of my core frustrations was this reactive methodology that most of our clientele seem to use. They'd wait for something bad to happen before they'd invest in some sort of security measure, which led me into the world of risk, going, well, if this is a risk thing, then how do we understand risk better to enhance protection and security? Across the journey, in about 2015, my business, won a contract with Australian Catholic university. We partnered with them and developed a postgraduate program in the psychology of risk. That was sort of a fundamental transition point for me from focusing really purely on protection and security to looking at human centricity, risk decision making and corporate high performance. Along the way, I'd always ask my students and I had well over three, four hundred graduates through the initial batch of that graduate certificate because I ran that program for almost a decade. I started getting some really influential high level chief risk officers, CEOs and executives on the program. I'd always ask them why you have, if you've got your C suite job, you're earning the money you want, you don't need to come and do another program. And they always say to me, the frustration they had was that what they're doing for them is not incredibly effective. They're very good at following regulations. They're very good at following processes. The gap area seemed to be in human engagement. How do we get people to want to make better decisions? How do we get people to want to engage with risk in a meaningful way instead of just tick a box? Guess to your next question, the risk resilience intercept and where Brazilians came from. Originally, we started looking at this idea of risk intelligence. And as you've seen, you've got an advanced copy of the book. You know, risk intelligence is fundamental underpinning piece to Brazilians. If we can't get people to be risk intelligence, Teams to function in a risk intelligent manner and organizations to adopt a risk intelligence based methodology. Well, we're stuck in a compliance mindset where people only do stuff if you force them to, and we've seen that hasn't worked really well. And there were kind of two primary reasons for that. One, most of those things were built in an era that was much slower. Pre the internet age, pre hyper connectivity, and part of the challenge with that is we're in this weird space now, as humans, we've got a bunch of the old, so if you can't be compliant, you can't operate a business, you can't get a license, you probably can't even participate in any relevant way to the security industry in a meaningful way, then compliance has to transition to resilience, right? Compliance is always backwards looking. So the idea is, compliance is the stuff I have to do, resilience is what I need when the stuff I have to do doesn't work properly, or something I've missed. If that was enough, we should be seeing a drop in global instability, a drop in crime, a drop in terrorism, and we should be seeing an improvement in the performance of humans in the way we protect things. All of those things we're not really seeing, but we're almost seeing the opposite. So it tells you we're using the wrong tools and wrong skills. That was the birth of Presilience. Initially, I wanted it to be, and it did start off actually as proactive resilience, but as we started to roll it out from a consulting perspective, we kept getting this really simple feedback. Resilience equals react, respond, recover. And the idea of doing something after, or in response to, was what we had to shake. We had to change the mindset. As we developed this resilience methodology, initially it was a bit more focused on proactive prevention around the resilience suite, but as we researched it and explored more, we found there's really two main pieces. There's before an event and after an event, where Presilience comes into play. Over the last few years, and you asked why now, in terms of the book? It takes a while to incubate, articulate and get these concepts polished in a way that people get them, and it's taken me almost a decade to do that to get to the point where I can articulate this in book format, where somebody could hopefully just pick it up and gain the knowledge as opposed to having to do a year or two course. Really the key differentiators. That we've learned our compliance stuff. You have to do resilience, the stuff you need when compliance fails, resilience, the flavor of proactive prevention and opportunity centrism in the mix. If you don't get the compliance and resilience pieces, resilience is wishful thinking, but we're seeing this maturing of organizations where they're now realizing resilience isn't enough. And we're also seeing this in individual humans. I mean, if you just think your listeners, how many people do you know who are having a tough time, you know, struggling with a job that they do, struggling to stay motivated, struggling with their family, to your point, what do we do? We tell them it's a mental health issue or they need to be more resilient. We tell them they need to be more agile. So for me, the real piece was, that's great. I agree with all of that. Let's do, let's give the tools on how to do it. And that's really what the book is about. It's about those tools, how to develop the skillset to achieve two things. Sustained high performance during our business as usual and to thrive in uncertainty and make disruption an opportunity, not just something that you have to survive every time something unexpected happens. I wish it was a short explanation, but I think that answers your first two questions.

Yoyo:

What was interesting to me is coming to the realization, especially working in governance, risk and compliance, is that governance is looking back. I thought, Oh, no, I've only just realized that. Thanks for telling me. Um, but look, on a serious note, you integrate psychology, neuroscience and physiology into your framework. Which of these areas do you think businesses underutilized the most?

Gav:

The short answer is all of them, what we keep finding, and you'll know from the book, I talk a lot about this concept with the whole of person model, your work life, your personal life, your virtual life. We're still relying on a very outdated way of motivating and managing people. And that was really based on findings that came out of the first, second and third industrial revolution on how to get great efficiency and outputs. But that had nothing to do with what makes humans motivated, engaged, and want to be productive. Part of the challenge we've got is we're using the wrong tools for the problems we've got now. If you look at what we have to shift and what we have to change around that, it's not just as simple as going, Hey, let's just keep a little bit of a backup in place. I mean, you're in cyber. You're actually one of those wonderful humans that I love very much that crosses domains and actually achieves this weird thing called convergence, which shouldn't be so hard to do. Right? Practically, what we need to be thinking is how do we thrive and what do we do that will enable better performance. Part of the challenge with that is it's not simple. It's not easy. And if we only look at, for example, neuroscience, we find that there's this body of research that is quite useful. But if you apply it by itself, you think better, potentially. And your brain functions better. But most of the neuroscience research shows us that physiologically, if we're not healthy, fit and keeping our body in shape, our brain doesn't work properly. Then fundamentally, if I actually look at the way I need to, function in the world, let's just look at remote. I mean, we're sitting in totally different parts of the world. We're talking to each other without a problem. The psychological componentry is the part that really attracts me. But the problem with a lot of these disciplines is the academic. And the academic knowledge is often too far removed even from corporate ability to apply it. So think about your frontline security manager, your frontline security supervisor, even a security guard standing in front of an access control point. They're making decisions all the time. They're evaluating what's happening all the time. Most of the tools we've given them are compliance based tools. You follow this checklist. These are the five things you look for. If this happens, do these six things. So what we're seeing more and more now is that because of this hyperconnected world because of gen AI, and that's another whole topic, the skill sets that are going to enable humans to thrive are the things we haven't put that much work into over the last 200 years or so. We need them now more than we've ever needed them. So that probably sets up a segue for what some of those things are,

Yoyo:

well, the next question is around opportunity centric mindsets. You've emphasized that, you know, organizations genuinely need to shift from a fear based approach, don't they, to one that embraces opportunity. But when you consider the larger the organization, the more cumbersome and slow and ineffective they become, these are quite significant and important things to talk about, aren't they?

Gav:

It's really interesting to your point. And this is where, you know, the idea of understanding a bit of sociology comes into play. If we don't understand how dynamics change as groups grow bigger, and we don't understand how social psychology, for example, impacts group decision making, we often fail to scale effective performance. And I think back to a lot of security jobs I did where you land up on this team, you're given a task, you don't always get to pick the team, you don't know the players you're working with, but your life is in their hands now. Somebody else's life is in their hands. Or if you're doing asset protection, you're protecting something quite significant. And the people who do really well in those environments are the people who are general all rounders. And they're the people who've got the right tactical skills, the right planning skills, the right people skills, the right comm skills, etc, etc. If you think about the challenge of the world we're in today, we've moved from the structure of being hyper specialized. So for example, if you imagine putting together a security team to solve whatever problem it is. We often can't afford to have all the specialists we need in every single area to have a best practice solution, but we've created this mindset for people that they should become specialists in one thing, which doesn't really work well for complexity and chaos only works well when things are highly stable and we have unlimited resources. I don't know anybody who's working in an environment that's incredibly stable with unlimited resources.

Yoyo:

Um, the king, maybe

Gav:

I would, I would still say, look at the geopolitical challenges around there. So all these things are coming at all of us that we can't control. if you just look, for example, at what's happening all over the world, there's this reckoning of hold on a second, there's limited resources. We've got to be thinking smarter about where we allocate those resources. Now, if you pull that down to you on an individual level, you want to grow in your career, hopefully you want to be a hot performer to enable that growth to achieve. How do you limit? How do you manage your limited resources? What do you do in your own head that enables you to perform better? So those are some of the things I wanted to glue together. In fact, in the book, um, while a lot of what I teach does have an organizational lens to it. I found that initially I wanted to make it about the individual. I wanted someone to be able to pick the book up, read the concepts and be able to apply them for themselves. You'll know, there's only two chapters that really talk about teams and leadership and organizations out of eight or nine. So I could have written the whole book on that and it probably would have been more attractive to business buyers. It still should be attractive to business buyers, but fundamentally if we want to see a shift, it has to start in the mindsets of everyone who wants to do things better.

Yoyo:

I find I'm there. All right. I've got, something that I've learned through watching Formula One is an optimization brain. So for example, even if I go swimming in the swimming pool and I do 32 lengths, the next time I go, I want to do 33 and do it in the same timeframe. That's how the best way I can apply how I apply my brain to just normal day to day. Functionality and work tasks. I don't like time wastage, so I get it. This mindset piece is really interesting. Let's talk about stress though, because stress inoculation is intriguing. I was in this section of the book, I remember thinking, you know, when I was younger, how much I thrived on a healthy level of stress. When I look back, I thrived, but I don't thrive with that same healthy level of stress now. I've evolved out of it. I'd love to hear from you, perhaps, if that's just a thing about getting older and getting wiser and realize you can do things a different way, but in the book, you look at how individuals train themselves to thrive under pressure rather than just endure it. And it is, isn't it? It's about accepting it rather than pushing against it.

Gav:

Absolutely. And that really came back to my PhD research, looking at best practice around use of force decision making and training. And we can train people to make great decisions under stress, but you can't do that unless they can manage their own adrenal response, their own flight or fight. Instincts. So that part, even if we take a little segue to some of our sister, vocations like emergency management, business continuity, et cetera, all of those require people to be able to perform under stress. So what's interesting is that we are all wired slightly differently. Most of us are wired for flight, actually, which is kind of interesting, particularly, and I'm no exception to that. I think back to my martial arts career and how scary it was to overcome, you know, that fear of flight response when you had to spar somebody who you knew was better than you. I think back to my original clash protection jobs. When you know you're deploying and somebody is trying to kill the person you're protecting, it's not ambiguous. Your job has to be done well or the consequences are great. are horrible. So practically, one of the challenges we've got in the modern world is, we've created this perception and particularly in first world countries like the US, the UK, Australia, that we should legislate safety and wellbeing for our people and that it becomes the responsibility of the government, the responsibility of the employer. The domain piece that's missing is you, the individual. And part of the shift we've got to do and how we start to change that is look at how you cope with stress. Because if you can't cope with stress, you can't thrive through uncertainty. So it's an interesting equation. To your point, it's not necessarily just an age thing. It's a bandwidth thing as well. It's a physiological thing as well. It's a psychological thing as well. So part of the challenge with this stuff is we try to, we, in many cases, we often try and dumb it down. We sort of just go, ah, you're getting older, you can't handle the same stress. It's, in some ways it's true, and there's a little interesting segue I'll discuss it very briefly in the book, but my idea of toughness changed continually through my own evolution. So when I started training martial arts, I was like, look how good these guys are. Then I got onto the South African Full Contact Taekwondo team, and I thought these guys were good. Then I went to Israel and trained in a very hard school of full contact martial arts and basically just had the crack beating out of me for an extended period of time. But then I started working with close protectors and saw these people who could go for two or three days with limited sleep and perform incredibly well. Then we got contracts with special forces operators and I went, holy beep, I can't break these people. They are that tough. But then there was a different piece. As I started running my businesses and growing my business career, some of the toughest things I've ever had to do is let go of good staff when we couldn't afford to keep them. Like actually telling somebody who you really care about, who's not a bad performer, that you can't afford to keep them, it hurts tremendously. And I think back to some of those moments, and they were totally different types of toughness, but they were just as hard. Part of the challenge with a lot of these things is we don't necessarily look at things the same way as we age and as we change positions. So I look at being a business owner, corporate executive, et cetera. I would trade, if the money was the same and the opportunity presented, I would trade going back on the tools any day. I would trade being exposed to, you know, constant threat to the stresses of running a multi million dollar business. Because they are significantly different. So the interesting piece is, I can't really trade that. Now I'm almost 50 years old, nobody wants a 50 year old protector. And also from my perspective, the bigger and more impactful I can be in terms of running my businesses, the better I can change the way people think. So it's a bit of a mission for me now, as opposed to what I personally choose to do. Stress inoculation has been proven time and time again, when done properly, to slowly prepare your physiological system to deal with stress. To prepare your mind and brain to cope with these changes that happen under stress, so that you're enabling yourself to make better decisions under that stress. As you get older, while the physiological componentry sometimes diminishes, the psychological componentry increases because of life experience and learning. So to your point, you probably don't get as stressed now because you're experienced and you know what's happening around you and the stuff that used to stress you out when you were young doesn't anymore because you've grown, you've evolved. So it's not a simple question, but practically if you're the frontline person thinking, how do I get better at thriving through uncertainty and disruption, learn to manage your adrenal response and manage your stress. You have to do that in and out of the workplace, because if I only do that in one domain, the others just creep in. And just imagine this for a second. I love the job you do, BISO, because you're integrating these concepts. If you think about it from a different perspective, imagine you are running a security team, and you know somebody has just hacked your credit card. Right now, how focused are you going to be on running that security team or worrying about how much money is coming out of your credit card right now?

Yoyo:

The latter.

Gav:

So, this idea that we have to separate work, personal, professional, cyber life, it just doesn't work anymore. It did work really well in an era where you woke up, went to a factory, and came home. It was, there was a lot of stability and a lot of control. Things moved slower. It does not work anymore in a world that is so dynamic and changing so quickly. as well. This is the other catch to that. And I know we're deviating a bit, but we need ambidextrous capability. And I'm hoping as you looked at the book, you saw that idea starting to evolve to be a high performer in the world today. You can't just be one thing. So you can't be really good at stress management only and really good in a crisis, but not good in situations that are relatively stable and under control. You actually need the ability to do both to thrive. The hard part we found in the research was that You know, most people aren't wired that way. Most people are wired for one or the other. And we have to train ourselves to be able to do that. We have to train our brains, train our minds. So if you think of just a security risk assessment, one of the things I love about security risk is that it teaches the individual to think in different minds. I worry about what my opposition is trying to do. I'm trying to understand them. And then I'll hopefully be putting together my mitigation strategy based on the threats that I'm facing and the vulnerabilities that manifest. So we're already holding two minds when we do that. So this idea of multilevel or multidimensional thinking is not a new idea for security experts. What we haven't done is translated it into all facets of performance.

Yoyo:

Talking about personal resilience has always been a favorite of mine, probably because it's something that I feel that I can talk to, very comfortably. I feel very lucky because I know that the lack of personal resilience can really affect somebody very deeply and affect them to their core how they apply themselves both professionally in their workplaces and at home in their environments and relationships with family and spouses. I want to ask you in all of the experience that you have, whether you've found out what the magic is to why some people have it and are very comfortable with it and why some people don't.

Gav:

So there's a small section in the book where I talk about this idea of dandelions and orchids. When I was doing research for the book, I reached out to a pretty well known, I think he's a genetic molecular biologist by the name of Dr. John Medina. He wrote a book called Brain Rules. We struck up a bit of a rapport to the point now that the book is done, we still talk to each other and compare notes. And what was really interesting for me is I wanted to understand from the experts a little bit more about brain science. Because I can read a book, I can read a paper, so can you. Who are the people who have been researching this stuff for years? Where have they got to? And as I was chatting to John one day, he's, you know, we kind of got onto this nature versus nurture discussion and he started talking about this awkward dandelion thing. I'm like, what? So far removed because that was research done on child education and how to set up the right performance for kids in an education setting. What it really found was that roughly 20 percent of kids are fragile, need to be sheltered and need different ways. to develop comfort skills and coping mechanisms. Most kids will perform fine anytime, but there's that one out of five roughly that needs something a bit different. Now that doesn't mean they can't be a great performer, it doesn't mean they're not going to be incredibly successful in life, it just means they're wired a bit differently. So the question in my head then was what happens when, you know, these kids grow up and we see this mix? And then the more I discussed this with John, the more it became clear that we're all a bit of a mix of both. We all have these things that, you know, we're really confident you could throw me in the middle of anything and I could take any of the challenges that that issue throws at me. And then we've got stuff that absolutely freaks us out that we don't want to touch, don't want to deal with, even if it's irrational. Part of the challenge is starting to understand ourselves. And if we can understand ourselves well first, so to your point about personal resilience. It befuddles me where people are hired into these organizational resilience functions, business continuity, et cetera, et cetera. Cyber is a great one because if our digital domains are not protected, we can't function. Equally, so is HR. If our people are broken, they don't work. So one of the challenges we've got is how do we allow people process and tech, not just in a stand in an ISO standard where everybody ticks the box and goes, Oh, that's ISO 27, 000. No problem. Cause you talk to tech people and they'll go, yes, but the order is always going to be, you know, tech process, then people and people are the problem. To your point, for the listeners, you can't see, she's shaking her head and nodding her head in agreement. I can see this is a daily battle you have.

Yoyo:

Yes, because people are the cause of everything.

Gav:

But, but here's the trick, right? So, and, and if we, if we think about this with a criminologist hat on, right? We're trying to understand why do people perpetrate crime? Why do they do bad things? And what are the things we can put in place to stop them doing that often ahead of time? Or how can we motivate them to not want to do that, etc. So I think every security person should be a criminologist. Like if you're in the world of security and you're not trying to understand how criminals think, you're making a big mistake. But to your point, if you're working in an organization, you think people are the problem, guess what? You're right. But if you think they're the solution, you're also right. If you think they're the opportunity, you're correct. So it does come back to what is that perception in our minds are, and for those of your listeners who are involved with like insider threat management, for example, what constantly amazes me is how rarely when you look at high performing organizations and you look at the way they manage insider threat, most of that is not based on this vigilance based poke and prod and we don't trust anybody anywhere. It's based on this idea that we build an environment of high trust. We're very careful who we let into that environment, and we monitor their attitudes, their behaviors, and their performance to see that that sits within the cultural dynamics. So it becomes a self regulating, high performing culture. When you have a dysfunctional compliance based culture, which the majority of organizations older than 30 years were built on that model, they were built on the idea that the organization is fundamentally more important than its people, and people are just cogs that you plug and play to solve problems and get an output. Now, if you, again, if you have a high degree of control, high degree of certainty and efficiency and outputs are the only driver you have for the short term, then that may work, but we very rarely see environments like that in the modern world. Most of the time now it's quite different. So really what we want to be doing is just changing the idea that if I'm not personally able to make great decisions, handle stress, learn, grow, adapt, what employer would want me because I'm not going to do that for their business. So part of the challenge we've really got now is that it's an employer challenge to how are we going to ignite our humans to be high performers, build the right processes that enable that to happen and technologically enable it. I often get asked the question of, can you give us the case example of where you've seen this work perfectly? I have seen it work really well for short periods of time within some organizations. But eventually personalities get in the way, budgeting gets in the way, disruption gets in the way, people's bias gets in the way. For me, it was one of the things getting in the way, how do we teach the skills to manage the things that get in the way so we've got a better chance at sustained high performance. To close that loop without being personally resilient, none of that works.

Yoyo:

You were almost describing AI there as well, the ability to learn, adapt, you know, change the circumstances. And I'm thinking, wow, AI has got an advantage, hasn't it? Because it won't have necessarily a bias if it's not programmed to have a bias, for example. In fact, that's a good segue to my next question, but let me let you make a response.

Gav:

Thank you. Yeah. And I'll be quick on this one because we could go down a big rabbit hole and I, practically the skills we need as humans to thrive in a world where AI will do those things you just discussed. It will sort huge amounts of data out. It will pull knowledge out into workable chunks. It will give you a best practice recommendation. For those who started using, you know, check GPT version one to where we are now, you can already see how it's evolved incredibly. So practically the thing that's going to make you as an operator, security professional, a manager, a leader indispensable is going to be your human skills, not your knowledge base. It's going to be how you apply the knowledge base because I won't be able to do that, at least in the short term,, there'll be a crossover at some point where robotics and AI will intersect. But practically, then it's going to be the human component tree that enables high performance using those tools. So if we're in, I see we're in an incredibly, opportunity for a full environment now. The problem is it's so it's happened so fast. So that's another reason for the book. Humans can't keep up. I look at me and I think we're a similar age, but we grew up without an internet. I didn't, you know, I grew up when I started working as a bodyguard, we never had cell phones. Like we had pagers. You know, the office would send you a pager, so you take that and then you fast forward now to 24 seven plugged in hyper connectivity, misinformation, disinformation, malinformation,, we've missed a lot of the skill sets humans need to thrive because the stuff has happened too quickly. People growing up with it have had to learn on the fly, and we haven't had the safeguards to make this work, and we're learning as we go. since we chatted last, that's probably been a big learning for me, and writing the book helped a lot. Some of the consulting projects we've done have helped a lot. To be high performing in the modern world, you actually need the right balance of compliance, resilience, and Presilience. Not one or the other. And if we have no compliance, you have no frameworks or structure. You have no resiliency from weather disruption. You have no presilience. You're only looking backwards and you're a victim of circumstance. So I'd ask your listeners, where do they want to sit in that equation?

Yoyo:

I am very aligned with assistive AI. I think it's phenomenal. In fact, I've got to the point now. It's not a dependency, but I've got to point because I've always advocated Gav that, you know, humans using assistive AI are going to definitely have more to offer than humans not using assistive AI. So that's where we're at. But, I find Alexa's a little lacking right now. I've gotten used to Alexa over the last few years, and I think Alexa needs to evolve because Alexa should know that if I'm forming habits of turning on a certain radio station at a certain time, on certain days of the week, she should be able to understand and preempt what I'm going to need. I'm finding that kind of like, why don't you know that I already need this? So there's the, there's the human acceptance of assistive technology. My question to you about AI and automation impacting risk management strategies in the next decade, will they enhance or weaken human decision making?

Gav:

What a great question so the answer for that is it depends on the application. So I think your statement was exactly right. I don't think AI is going to take people's jobs, but humans who can leverage AI will absolutely take other people's jobs. So part of the challenge now is, yes, our risk frameworks will change because we'll be able to have a different way of understanding what's happening around us, processing information, collating that information. Right now, there's insecurity about that because of some of the flaws with AI and some of the bias that's in the AI systems. Over time, that'll improve, that'll get better. And to your point, it's much easier to manage bias in technology than it is to manage bias in humans., AI has a significant advantage, but as we move forward into this new era, and we're already in it, people like you and I are using Gen AI all the time, because why? It makes us quicker, makes us more effective, and some of the mundane activities, which might be deemed to have just been process driven, Not knowledge application, why would you not use something that makes it quicker effect more effective and, gives you an advantage. So part of the interesting piece now is I truly think humans that are not able to have this growth mindset, this learning mindset, this adapt to build capability are going to find it incredibly hard. We're seeing that now because humans are wired for homeostasis, right? We want stability. We don't like change. Growth comes with change. Change equals growth if you do it right. There's a challenge with that though. And I often say to my clients, particularly when they contact us for, you know, culture change, high performance stuff around risk. What problem are you solving? Because if you just want to change, you're not solving a problem. You're doing change for change's sake. There's so many things we have to change towards. But organizations particularly like to focus on the things that create perceived control and perceived outcomes and generally are driven by bias. That's going to make a certain individual in the organization look good or somebody who's got a high influence personality, for example, they may have additional sway to people who are experts. So what's fascinating is I don't think the human dimension will fade at all as AI comes into play, it's going to become more important. if you, pick up the book and you have a read of it, you'll see I've focused a lot on some of the tools that'll give you the edge, then it's not teaching you how to use things like AI. It's teaching you how to, you can apply different types of risk management to thrive in the world we're in. One simple example of that is the concept of critical risk management and integrated risk management. We have seen so many times and I gave this story in the book, but it's still a valid story because it's true. We were consulting for a pretty large city council. The head of risk came out and showed us their risk register, and she was so proud. It had 800 plus risks on it, well cascaded, well set up, beautiful spreadsheet. And I couldn't but ask the question of, How are you managing all 800 of these risks? She went, Oh, that's not my job. I just keep this thing together. You know, she's not the risk owner. So the problem with that is humans and systems can't manage an infinite number of things. If I look at successes that I've seen in some of our consulting and service provision practices, that's one of the gifts I feel my business has. We are kind of sector agnostic. We hop across so many different sectors. So it was interesting. We did a project with the department of defense at the same time I was looking at what was happening in mining. I saw this idea of, critical risk management, getting a lot of impact in mining and what they've done. And this is not all of them. Some of the better miners had looked at what are the 10 things that will shut us down? What are those fatal 10 risks? Let's make sure we sort those first. If I look at what happens in so many organizations, risk just becomes noise because there's too much and we can't cope with it. So our systems have to change. They are changing. What I urge you to do is think about your own life. If you can think of the 10 things, not more than 10 because it's too much to handle, 7 is better, that will, if they happen, will totally disrupt and destroy your ability to succeed. As well as the things that if they go right, will enable this to happen quicker. So it's not biased in negativity, right? We're trying to find a balance between positive and negative here. You can then take your limited time and energy and improve your likelihood of success. If you never think about stuff like that, then it's a lot more like rolling a dice. And you know, just a simple example. If I look at when I was growing up, and that's probably the same reason you joined the police. We were taught we needed to get a job, a skill, like you'll get that skill for life. Like you need something stable. You look what's happening now. You can gain knowledge so quickly by not going to university, thereby actually just doing short courses, developing skills really quickly, being mentored by others that the conventional academic pathways are changing. I think university sector is getting left behind tremendously. They're not actually able to bridge the gap in many cases between academic, the academic theory and practice. And that's where I see people like me. That's my job, right? I love to be referred to the university I used to work to call, work for, call people like me, scholar practitioners. I prefer pracademic. We're a bit of both. Like we practice and we like academia, but you don't have to have a doctorate or a master's degree to read research and go, is that useful for me? Can I apply it? Or, next time you see a research project running, and you can, contribute as the practitioner. We've got to bust these silos, and that's fundamentally what a lot of these ideas of integrated risk management are about. Because think, let's just take cyber and physical security. The skill sets we need to manage cyber risk are so similar to the skill sets we need to manage physical risk, and I've heard you talk about this many times. I love it when you do, because you've got it. I need to be situationally aware. I can't manage either risk if I don't know what's happening around me. I need to be able to evaluate and critically think about what's happening around me so I can make a great decision. Then I need to actually do something about that decision. If I decide not to do something, it's still a decision. Then I need to be able to monitor, learn, adapt, and see if it worked and tweak it. And that's a continuous cycle. So if we want to get good at thriving and managing risk, we should train the skills, not necessarily just the knowledge based domains. So historically, that's what we've been doing, right? You want to learn cyber, you have to learn, you know, networking, coding, blah, blah, blah. But if you want to learn risk and resilience, those transcend all the different functions. And I think security does too. Because fundamentally in a world that is unstable, changing fast with lots of challenges, the need for protection is not going away. The challenge we've got is people's acceptance and readiness to tackle the real risks versus the perceived risks.

Yoyo:

For a while. Well, you've led very nicely because my next subject is risk as a threat versus risk as an opportunity. In the book, you referenced the traditional view of risk where we all know and understand that risk is seen primarily as a negative concept, something to avoid or mitigate against. This is Common in finance, safety management and insurance, several industries have this kind of core of view. There's a modern view that presilience very much aligns with and it's more about arguing that risk is not inherently bad. It can also present opportunities and if managed properly, uncertainty can lead to innovation and competitive advantage. Why are we not all thinking like that?

Gav:

So let's go back to a few things. One, humans are wired for negativity. That's how species survives.

Yoyo:

So if

Gav:

you think about it, just any of you who work in a bigger organization, do this little test. Examine how quickly bad news travels through your organization and then compare that to how slowly good news and celebratory things travel through the organization. We are wired to try and understand anything that could hurt us and we want it, we want to grab it. There's a small part of the brain called the reticular activating system that lets information into the filter and it lets information into our brain based on only two variables. Interest, so what am I interested in, or harm. So those are my two variables, that's literally what I have to sort, all this information that comes out from a situational awareness perspective. So here's the fascinating piece for me. If you look at most modern definitions of risk management, and I've actually got a project on the go now with five or six global risk experts where we're looking at writing the world's first open risk culture standard. I'm quite frustrated that people still don't know what to do with this stuff, but we should know better. So out of interest, what's fascinating when we start to look at how this creep has happened is go back however long you want to go. Risk management was really around finding food, stopping a predator tribe from attacking us and keeping my family, my unit, my tribe safe. That then evolved into corporates and organizations that felt the same thing, right? I'm competing against somebody for a market share. There's limited resources. I've got to be more efficient. I've got to be quicker. So part of the challenge is we are not wired for opportunity centrism. We are wired for threat management. It's also interesting that along the way, I won't even say this, that it's been practitioners with dubious intent, but fear sells significantly better than benefit. If you look at most organizations, they won't give you budget until something breaks, until something really horrible happens. And then they're like, Oh my goodness, we've got to have this sorted. We can't deal with this. And then you can fix it. That goes back about 14 years. I wrote an article with Professor Anthony Manar on something we call the reactive security safety spending cycle. When I finished my PhD and I was doing my colloquium for a bunch of experts, I couldn't help myself. There were maybe a hundred security managers from some really large organizations. This is in South Africa where there were lots of threats. These are people dealing with tough stuff all the time, and it was a closed door environment. So I asked many of them, who's got a case study of where security led to a great ROI, where it actually made the organization money, where it actually increased productivity and happiness, blah, blah, blah. If they all looked at each other kind of nervous, nobody wanted to say anything, but there were a few that kind of stood up and went, well, it's hard to measure because fundamentally if we do our job right, nothing bad happens. So if nothing bad happens, how do you find the ROI? And that becomes the cycle of denial. Part of the challenge we've got is we don't have infinite resources to manage every risk. So from a corporate or organizational, even governmental perspective. You can't think that we can solve every problem, but practically, if we look at what we can do now, we can start to look at how do we make things better. You don't make things better by only looking at the negative. You make things better by balancing your view. So my view is not only opportunity centric. It's a balanced view, right? We need to look at threat, and we need to look at opportunity, and we need to not ignore the opportunity just because of perceived threat, and that's part of the challenge. If you look at most. Of the best security leaders and managers I've worked with in my career. Those were the ones who would say things like never waste a good crisis. Practically they were the ones who like something bad happened somewhere. They were so good at influencing, communicating up that they got whatever they needed to protect the organization. Very rarely were they the actual victims of bad things happening because they became so good at communicating, explaining, translating, and influencing. Those are skills we don't teach security people. So that's part of what I've had to build into this idea of resilience, because what is the outcome? It's high performance. That's what we want to get.

Yoyo:

How about we look at risk as a science versus risk as an art? Because there's a scientific perspective that you refer to where risk can be calculated, modeled, and predicted using data and structured frameworks. Or there's the artistic perspective where some would argue that risk management is highly dependent on human intuition, experience, and decision making skills that cannot always be reduced to numbers.

Gav:

Here's where we have to get into this ability to hold conflicting ideas in mind because it's both, right? The ability to access, understand, translate data so that we get the right information to make the best possible decision is very useful. The challenge we've got is not every decision in life enables us to do that. In fact, most of them, when you look at the research, happen very quickly and intuitively. The intuitive system is the system we haven't trained because it's hard to train. It's hard to monitor. It's hard to manage. It's much easier for me to come up with a set of rules and enforce those rules. It's much easier for me to actually work with facts and data. I love working with data scientists because they often say things like, well, the numbers don't lie. You know, the statistics always tell the truth. If you've ever done any research, you can interpret statistics in so many different ways. I'll give you a great example, I still remember seeing an employee satisfaction survey from a client that brought us in and the CEO was so happy because the employee satisfaction rating went from 55 to 57 percent, a 2 percent increase. I'm like, if I was you, I would be so disappointed that almost half my organization hate working here. They are not motivated. Great. You've had a 2 percent shift. You're tracking in a slightly better direction, but that should not be something to celebrate. Like you need to rethink the way your entire organization runs. You need to rethink the way your people behave. You need to rethink the way you make decisions and allocate resources. Because just think about this, and this is where I won him over. I said to him, here's some research that shows productivity and outcomes, so we get more productivity and better outcomes from an engaged workforce. The more engaged our workforce is, the better they work, the harder they work, the more innovative they are. When we start understanding that piece, it's really interesting because if I can motivate myself, believe in what I do, I perform better. Why isn't that? That works exactly the same for teams and organizations. I often get asked, Hey Gav, you're a shooting, fighting type of guy. that's like what you've done, where you've been from. What are you doing? Talking about psychology, humans, culture change, blah, blah, blah. I get asked that less now because I've been doing it for almost a decade. But the truth of it is, it's incredibly frustrating to train people, develop a process, plug in some tech. And then humans don't use it properly. or they, they land up going, hold on a second. That's too hard to change to the new system. Let's just go back to the old one. Realistically for me, if we can't get an understanding and we can't get alignment, we don't get high performance. So those pieces are the game, and if you're running a security business or you're leading a security team and you don't understand some of these dynamics, please buy my book, because the difference between making great decisions and just doing what you think is right are significantly different.

Yoyo:

I don't think you're going to need to ask people to buy your book, Gav. I think it's going to fly out. Finally, you've got a masterclass, haven't you, happening In a week's time. This is quite an evolution, isn't it? From where you've come from and where you're going now. What I see is I see this amazing connectability that for those people who've Really want to get closer to this, breathe it, touch it, make it a part of their careers going forward. The accessibility to get to you and all of the course content is now going to be there. Take us through.

Gav:

Awesome. Well, I mean, since this is your podcast is supported by the IFPO that works really well, because they're supporting us with this masterclass what's really interesting for me is. It takes time to be able to explain something quickly and simply. So what we've basically done is we've taken our postgraduate certificate, that is a seven month program, and gone, people are busy, they don't have time to commit to that. How can we pull out the core ingredients that will give somebody the ability to perform better after three hours? So that's what we built into the masterclass. What is so wonderful to see is this collaboration with Rochester Institute of Technology. And if you're not familiar with RIT, they're one of the top ten technical training colleges, universities in the U. S. And they're really known for being able to tackle neurodiversity and looking at things differently. For me, part of the interesting piece with this collaboration is not just the fact that we're seeing this idea of Brazilians now translated into the U. S. and globally, but we're actually seeing academia start going, hey, what are you talking about? Do you mind sharing that with some of our audience? Then the last part that makes it even better is that they've let us collaborate with them to make sure it's focused on the practitioner, the manager, and the leader that needs solutions and answers quickly. I will always caveat this with going, if I could give you all the knowledge in three hours, I don't know what I've done with the last 30 years of research and life experience. We have found now with our graduate certificate and graduate diplomas, it takes about a year to a year and a half of study and application. You learn a concept, you apply it. You learn a concept, you apply it to get to the point where a lot of these things become instinctive and high performance. A lot of people go, that's too long. If you went to uni and you studied business, that's going to take you three to four years just to get a basic degree. Then what we're talking about is a lot more complex than just buying and selling stuff and market demand and supply. I think what's interesting too, is for those who want to understand a little bit more of the nuances that are going to be in the book, it's always tough to write. In a way that will attract every audience and relate to every audience. Some people prefer the spoken word. I think the short masterclass format, I'm very excited about it. If you take time to Google it, you'll actually see we've divided that even into three one hour segments. And each hour concentrates on something a bit different. So with that, I'm thinking everyone can grab something from it. It's just whether you want all of it or you want pieces of it. Which is really exciting. And yeah, I'm in case you can't tell listeners, I'm very excited about this upcoming masterclass and the new book release.

Yoyo:

Having seen you, deliver keynotes, I think if anybody who's even on the fence about this, just do it. It's phenomenal. Gav, you do leave, an amazing lasting impression because you really do believe in what you're saying and you can support that with really good, narratives and content. You are, almost kind of breathing the efficacy yourself. I wish you all the best with the masterclass. Wish you all the best with the book. You know that we're always here behind you with the Security Circle and thank you so much for being here on the Security Circle again.

Gav:

And thank you for the opportunity and really thank you to all your listeners because without you, we will not make things better.

Yoyo:

Thanks Gav.