When Encryption Isn't Enough—A Sidewalk Interview and a Global Wake-Up Call
I was in Washington, D.C., when the story broke. Reports surfaced that U.S. officials had used Signal—a consumer-grade encrypted messaging app—to coordinate sensitive military operations in Yemen. I was finishing a dinner meeting after a full day of engagements when my phone rang. It was the BBC reaching out for immediate commentary on a fast-developing national security story.
Stepping outside onto a quiet stretch of sidewalk just blocks from some of the most secure buildings in the world, I spoke to the journalist on the record. The irony wasn't lost on me. Here we were, discussing secure communications, while the actual risk had nothing to do with encryption protocols—and everything to do with how risk is understood, governed, and managed.
In the interview, I said what I continue to believe is at the heart of this incident:
"The channels that are generally used for communications within government systems are monitored and well-secured from a usage standpoint. With outside tools, it appears there may be no authorization protocols in place. Something of this sensitive nature should really require some very strict protocols in terms of communications… I was very surprised they would be using this sort of solution."
I also noted a concern that's grown louder in the days since:
"This incident might make U.S. partners abroad think twice before communicating sensitive information to American officials."
The event wasn't just a lapse in process—it was a missed opportunity to approach risk in a more integrated, strategic manner. And it wasn't an isolated failure of execution; it was the result of something far more common and dangerous: the complete absence of integrated risk thinking.
Integrated Risk Thinking is Needed in Every Organization
Integrated Risk Thinking (IRT) means looking beyond the confines of technical controls and understanding how digital, operational, regulatory, and strategic risks converge. And while many organizations claim to practice this, few have embedded it into their day-to-day decision-making.
Looking Beyond the Technical: A Broader View of Risk
In the public conversation that followed, most of the attention centered around technical questions: Is Signal secure? Was any data compromised? Could this app be trusted?
However, these questions, while important, miss the larger issue. The real problem wasn't the technology; it was how risk was conceptualized. This incident didn't happen because cybersecurity failed. It happened because cybersecurity was treated as the entire story. It wasn't a breakdown in integrated risk thinking—it was a case where integrated risk thinking had never even entered the conversation.
Far too many organizations, including those operating in highly sensitive environments, still equate encryption with security and security with risk management. They fail to consider how communication tools function within the broader ecosystem of operational practices, legal requirements, governance expectations, and reputational exposure. In doing so, they overlook the larger, interconnected risks that often carry the most severe consequences.
The Limits of Encryption
Encryption has its place. It protects the content of a message during transmission and shields data from interception. However, it does not determine who can use a communication platform, enforce policy compliance, retain records for legal discovery, or provide the audit trails required by regulators. Nor does it account for human error, like including an unauthorized recipient in a group chat, or address policy gaps that allow informal tools to become default systems for high-stakes communication.
In short, encryption is a feature. It's not a substitute for risk governance. And when treated as one, it creates a dangerous illusion of security—one that's often exposed too late.
The Risk That Lives in the Gaps
This incident ultimately reveals the risk that lives in the spaces between functions—in the gaps between IT and compliance, cybersecurity and operations, security protocols and real-world practices. These are the areas where most organizations are vulnerable, not because they lack the right tools but because they lack the right mindset.
That mindset—what we call Integrated Risk Thinking—is what enables organizations to anticipate and mitigate risk in a unified, comprehensive way. It means looking beyond the confines of technical controls and understanding how digital, operational, regulatory, and strategic risks converge. And while many organizations claim to practice this, few have embedded it into their day-to-day decision-making.
Why Integrated Risk Thinking Is Urgently Needed
Integrated Risk Thinking doesn't just promote cross-functional awareness—it creates the conditions for smarter, more aligned decision-making. It prompts organizations to ask better questions: Is this tool appropriate for the type of information being shared? Do we have governance mechanisms in place to support its use? Are legal, compliance, and cybersecurity teams aligned in understanding how the tool fits into our risk posture?
At Wheelhouse Advisors, we help organizations formalize this mindset through Integrated Risk Management (IRM). Our approach ensures that tools, protocols, policies, and people operate under a common risk oversight model. It moves clients away from siloed decision-making and toward coordinated, forward-looking risk strategies that reflect the complexity of their environments.
The Broader Pattern
The Signal story might involve military communications, but the pattern it reflects is all too familiar. In the private sector, I've seen encrypted consumer apps used to share financial deal terms, unapproved collaboration platforms become default channels for executive communication, and policy breaches occur simply because organizations never anticipated how modern tools would be used.
In these cases, the issue wasn't the absence of security features—it was the absence of strategic foresight. The failure wasn't technical. It was conceptual.
Final Thought: We Can't Manage What We Don't Acknowledge
As I stood on that sidewalk in D.C., offering commentary on a rapidly unfolding story, I realized that the real takeaway wasn't about the app being used. It was about the assumptions behind its use—and the organizational blind spots that made its adoption possible in the first place.
If we continue treating cybersecurity as the end-all solution to digital risk, we will encounter the same problems. Encryption may protect the data—but only Integrated Risk Thinking protects the organization. Until leaders broaden their view of what risk entails and begin embedding that understanding at every level, these incidents will not just persist—they will escalate.
📖 Read the full BBC article here: https://whadv.com/3QQb4Qc
📘 Read our initial response in The RiskTech Journal:
"What Happens When Risk Protocols Fail" → https://www.wheelhouseadvisors.com/risktech-journal/what-happens-when-risk-protocols-fail-lessons-from-the-signal-app-incident