Just Do It: Should CSOs Wear Nikes?
Before actualization,” a friend once told me, there is the process of “thinking about it.” To summarize the 2007 Security 500 results in a word, “actualization” really nails it.
ActualizationLast year we learned what organizations should be doing, should be measuring and how they should be organized. This year we have seen these ideas put in place at well-structured, organizationally supported and highly effective security organizations making a measurable difference. The leaders on the Security 500 list are not thinking about it, they and their security organizations are doing it, successfully day in and day out.
Industry-wide metrics and benchmarking among security organizations are still in their infancy. However, internal measures applied directly to organizational goals are increasing at a strong pace. Traditional measurement programs in certain markets (shrinkage in retail for example) have been in place for many years and continue to capture useful information for participants.
There is not yet a significant momentum toward measuring security’s value using a set of standard external factors across heterogeneous organizations and industries. And we wonder if there should be such an initiative.
A hospital’s board level security investment to achieve zero risk of infant abduction can be measured by the program's results. Comparing that investment to a retailer’s goal of reducing supply chain shrinkage may be neither possible nor useful to the hospital or the retailer. As we noted last year and reiterate: We will continue to work within our industry to develop reliable measures and benchmarking information on the value of security investments. This year’s result is an analysis within twelve key vertical markets.
A ConundrumThe 2007 Security 500 Survey discussion began with a conundrum that has nothing to do with interest rates:
Question 1: If you provide customer records to the government to improve national security thereby violating your organization’s privacy and data security policies, as Verizon/MCI and AT&T apparently did, should your ranking go up or down? Our simple discussion concluded that the ranking should be unaffected by an action initiated by the federal government.
What impact on an organization’s security ranking do you feel appropriate?
That discussion led to this real-world management case study: Do you know who Mark Klein is? Mark Klein is the 2007 winner of the James Madison Freedom Award for blowing the whistle on the AT&T surveillance program that provided the National Security Agency with customer information. Question 2: If Mr. Klein worked at your organization, would you consider him a threat to or a benefit to your organizational security?
Our editors and advisors would really like to get your thoughts on this issue. Let me know at firstname.lastname@example.org
Finding #11 – PASSION!Perhaps the most important outcome from the Security 500 Report is not in the report: It's the intangible value of passion and dedication among Security 500 executives.
The most successful security executives are very passionate about their careers, security’s contribution to their stakeholders, life long learning, continuous improvement and the adoption of best practices through productive communication with their peers. They understand their organization’s culture, have strong communication skills and proactively solve problems.
The enthusiasm and commitment of each of those we profiled in this issue is inspiring. They were generous to share their stories with all of us, letting us know what keeps them up at night, the successes and obstacles their organizations have encountered and their vision for security’s future. We thank them for their participation in this issue and their vital role in keeping our communities, colleagues and families secure.
Publishers NoteOur research shows that those of you who have thrown away all survey mailings unopened and/or asked our researchers to e-mail you the form only to delete it unread, will be the first to complain about their ranking. Let Bill Zalud know at email@example.com
Our telephone researchers also noted a number of organizations that either did not know how to contact their security departments or if their organizations had a security department or who lead the department.
When asked in a series of follow-up calls what action they would take in an emergency, they said they would call 911. As I write this column, I am preparing to leave for the ASIS Show in Las Vegas and checked the LVCC site for emergency information. After six search efforts I found the security department information on page 12 of a PDF dated October 1, 2006 with the instructions:
“All emergencies should be reported to the Las Vegas Convention Center Security Department first…Dialing 911 will delay the response.” Why isn’t this information and emergency phone number on their homepage? If it is not on yours, why isn't it?