EXECUTIVE SUMMARY
The progress among Security 500 organizations is not only measurable. It is visible. Perhaps the best word to describe the changes during the past year is maturity. The executive thought process, the technology solutions, the role of the security executive and the definition and expectations for security have all matured. Even the attitude of others in an organization toward security’s role and goals has matured toward acceptance and participation in a more secure culture.
One clear example of maturity is the emergency preparedness for Hurricane Ike: government, business and citizen organizations prepared for and responded to the storm in a way that stands in clear contrast to the events of Hurricane Katrina.
Since 9/11, the security role has changed; security programs have been started and restarted; and many security leaders have been hired, fired and hired again in an effort by boards of directors, CEOs, college trustees and others to figure out what they want and how they will know when they get it. Board level strategy person? Operational level tactician? Security belongs where? Legal, Ops, Executive? Can’t we outsource the whole thing? Where does IT fit? Is security a business driver or compliance cost? Or both?
Those spin cycle issues continue to decline as security departments and leaders find their integrated place in the enterprise. As security moves forward, these issues wane in favor of the vision for security’s economic value to the organization. Security has set course and is expanding its reach and influence beyond past boundaries, as documented in this year’s results.
THE 2008 SECURITY 500 TOP 10 TRENDS
1. Business Resilience and Crisis Management Added
Security’s role has expanded significantly to include business resilience (also known as disaster recovery and/or business continuity) and crisis management. These functions were spread or siloed across most organizations, and the departments that had responsibility for pieces of either business resilience or crisis management were not fully prepared in the event of either.
Organizations completing risk assessments learned they had a gap and moved quickly to identify resources to close it. Security is the right resource, and this major organizational restructuring brought the Emergency Operations Center (EOC) into the organization. The EOC and monitoring facility created new opportunities to leverage training and technology. Examples include merging monitoring and EOC operations, and processing and sharing that information with officers who are trained and able to respond to an open door alert as well as participate in emergency operations during a crisis.
Business resilience preparedness requires the organization to communicate and coordinate with external partners, including utilities and emergency services. These are the same organizations with whom security needs to connect, and as a result this structure gives powerful leverage to the organization.
2. Benchmarking Is Everywhere (Or So It Seems)
The sharing of data and measuring of programs with peer organizations, identifying best practices for assessing risk, setting strategy, developing security programs and comparing outcomes are having an impact. Similarly sized organizations (by revenue, students or regulatory compliance) in the same markets reported comparable organizational statistics. This was especially true among large enterprises reporting security budgets exceeding $25,000,000.
There are a number of interesting resources and tools (in addition to the Security 500) for entering security data and receiving benchmarking reports. For example, the Security Executive Council offers “Benchmarking Security Operations,” which provides a metrics template, and the National Shrink Database offers a free, online tool for loss prevention benchmarking. Facility Issues provides FM Link specifically for benchmarking by square feet, one of the measures used in the Security 500.
There is an increase in benchmarking resources and participation among security organizations. The result will be better information, better foundations for risk strategy and budget planning, and improved security programs for participants.
3. CSOs Are Really “C’s”
Security leaders, who are expert in security and have demonstrated the ability to become expert managers, are succeeding. Being in the C-suite means being an executive, not just a security executive. The distinction has critical career implications at the board and CEO level.
Are you a management strategist or a security tactician? If you are perceived as the latter, your career will be limited to implementing programs to mitigate risks identified by the board. If you are the former, you have the opportunity to work at the board level overseeing implementation. Further, you have the opportunity to be an executive who happens to currently manage security, which implies a broader career path. Being seen as the top security executive, but only as a security operations leader, is limiting.
This is a critical career issue as security applications move to the network and rely more on IT for enterprise-wide support. There will always be ownership issues at the implementation level. But you are part of the team setting policy and driving business at the board level.
One critical test is your business card. Does it have CPP or other credentials after your name? Does your CFO have CPA on his or her card? Probably not. While your credentialing is important and should be current, you may be better positioned by not visibly promoting it.
There is a lot of HR whammy jammy that goes into this trend. It relates to comfort zones, stretching yourself to the next level, getting away from what you know so well and learning new skills. But those who are stretching outside their comfort zones are more likely to reach higher career levels.
4. Board Level Risk Assessments
The cost of security and/or the increased risk to an organization (which can include compliance risk such as SOX) has led to boards of directors (BoDs) creating risk committees. Where security lives is key to the organization’s approach to risk. Those with security at an executive or legal reporting level tend to be more mature in this area than organizations where security lives in finance or operations. The regular reporting and board level presentations identify risk and present the actions being implemented for mitigation.
The overall goal for bringing risk and security to the board level is to enable a holistic view of the organization’s risks and mitigation strategies. Many organizations may be overspending to separately cover financial, operational or business resilience risks. The trend to move business resilience and crisis management to security is a sign of BoDs taking a holistic look and seeing the bigger picture.
As we go to press, the Security Executive Council is completing groundbreaking research on board level risk that takes a holistic view of the enterprise and identifies mitigation actions for each risk. Another source to consider is the excellent article by Lisa Hauser, the risk management expert, “Connecting the Dots,” for more on this topic.
5. Security Is Drawing a Bigger Circle
Since 9/11, most enterprises have been busy creating the security function and the first iteration of those departments has focused on assessing the greatest risks to the organization and taking steps to mitigate them. Security has expanded up to the C and board level, overseas to global operations and outside to its supply chain of vendors and customers.
Security is now going to the next level with public/private projects in the communities in which it does business. This is especially true among hospitals and universities, which have always been a part of their community but have more recently added security to this effort.
Security programs require buy-in and behavioral change to succeed. Reaching out to the community at large and immersing the organization in it creates a dynamic return to the organization. Turning anonymous employees into neighbors or friends who are making a difference increases the information sources that report suspicious behavior, for example.
One growing trend is that of organizations allowing the community access to their mass notification systems to receive emergency alerts, further merging organizations with their broader communities. Read Security October 2008 “Synergy: Focusing Outside” for more on this subject.
6. Going Green
Green was surveyed last year and didn’t make the list. This year, Going Green is all the rage for security organizations that have a Green initiative. Participating to save the planet and money, and to be part of the organizational culture, is expected, and as a result it creates one more building block to further integrate security into the enterprise.
The most obvious change is the use of fuel-efficient vehicles, especially those that rely on hybrid and/or electric motors. Campuses and malls are especially suited for using natural gas or electric vehicles.
The less obvious trend is in the technology centers and the EOCs. IT marketers have been promoting green systems for IT to both CFOs and CIOs. Now that the security system is moving onto the network and IT is supporting security, the opportunity to employ energy efficient technology that merges good citizenship with cost reductions is being executed.
7. Security Is Becoming Institutionalized in the Culture
All of the training, internal marketing communications and outreach to students, employees and customers is paying off. Slowly but surely we are paying attention and changing our behavior. Employees are embracing security policies ranging from using access ID cards appropriately, to reporting suspicious activity, to being friendly to the security officer, who is even friendlier back.
The buy-in of surveillance and ID/access being beneficial to the user is increasing. This trend is slow going but may be the single most important change in creating more secure environments: individuals increasing their awareness and participating in their own security and safety.
This critical learning by the individual to behave with security in mind – protecting themselves and the organization’s physical and IP assets, and participating as part of a secure culture – is happening and having a positive impact.
8. Security Is More Fluid Than Ever: New Threats, New Solutions
By now we have all learned that the world is flat; business is fluid; and, as soon as you identify a security measure, the bad guys will create a new counter measure. In psychology 101, it is taught that shocking a mouse when it tries to get the cheese does not stop the mouse from going after the cheese. But it does motivate the mouse to get to the cheese without being shocked.
Organized retail crime (ORC) groups are an example of a new threat that traditional loss prevention programs do not mitigate. New legislation, training, technologies, strategies and organizational structures are required to address ORC.
On the network security front, it is estimated that the total amount of malware in existence now exceeds 11 million, according to IT security company Sophos, which currently receives approximately 20,000 new samples of suspicious software every single day – one every four seconds.
Identifying the next threat is difficult. Soaring commodity prices, for example, drive up the prices of copper and iron, which leads to new threats and creates legal liabilities. has had over 2,500 manhole covers stolen during the first six months of the year and sold as scrap. Finding the money and method to secure over 16,000 in the city is very difficult in hindsight.
But smart organizations are including intelligence, data collection and analysis in their security programs. Soaring copper prices create a new threat to your facilities wherever copper is installed; assessing the adequacy of existing measures and being proactive are core parts of managing security in a fluid environment.
9. Size Matters: It Can Be a Positive or a Negative
The bigger the organization’s brand, market capitalization, profitability and/or asset valuation, the greater is the investment in security per person, square foot and dollar of revenue.
The government, through the Department of Homeland Security, is spending the most per employee across the 16 vertical markets surveyed to protect critical infrastructure, citizens and government operations at the federal, state and local levels. The risks addressed include both manmade and natural hazards.
Security is not unlike other operating departments in an organization; the bigger the operation, the bigger the budget. This trend ties back to trend 3. There are two ways to get a raise:
- Move to a bigger organization with a bigger staff and a bigger budget.
- Move to a higher level as a strategic executive compared to a security tactician.
This can challenge benchmarking, organizational sizing and budget request efforts. Comparing the University of Pennsylvania’s student body in urban to a similarly sized student body in requires insight and adjustment. Size can be limiting if your benchmarking shows your costs above those of similarly sized organizations without considering appropriate environmental factors.
10. Data and IP Security Integration
Traditional IT security staff is well suited to understand and implement network and data protection systems to prevent breaches and reputational risk. But once the horse is out of the barn, the investigation and clean-up often falls to the CSO.
The days of the stolen laptop being physical security’s issue and the stolen data on the laptop being IT’s issue are waning. Security, perhaps as a result of the board taking a holistic view of risk, is leading the proactive effort with IT to address network and IP security, data breaches, PCI compliance and other traditional IT-related security issues.
An excellent study by Verizon, titled Business Data Breach Investigations Report, analyzed breaches spanning four years and more than 500 forensic investigations involving 230 million compromised records, including three of the five largest breaches ever reported.
The study shows the differences and similarities among attacks across four key industries: financial services, high-tech, retail, and food and beverage. For example, insiders are most likely to be a risk in the financial services market, whereas in the food and beverage industry most breaches originate from external sources but leverage a partner’s trusted remote access connection as the point of entry into online repositories of payment card data.
The risks that enable criminal activity must be mitigated by security policy and programs that involve IT, but are not necessarily managed directly by IT, for a successful outcome.