What the CEO Thinks
In the face of a slowing economy and pressures on budgets, chief executive officers, when asked about their security operations, say it is most important that the chief security officer (CSO) execute his or her plan effectively and also protect the reputation of the enterprise.
Security Magazine, with the assistance of Maddry Associates, surveyed 100 CEOs relative to what they think about security and their security operation. The annual program discovered that, this year, the focus is even more on business issues.
There is no doubt: chief executive officers are more knowledgeable about, and more appreciative of, their internal security operations. One in ten CEOs polled by the security research firm Maddry Associates on behalf of Security Magazine say they are more involved in the planning, impact and effectiveness of their organization’s security operation today than they were only five years ago.
UNIQUE CEO POLL
To gain a perspective on CEO perceptions of security, Maddry Associates conducted a series of telephone and e-mail surveys with 100 chief executive officers and corporate presidents during a two-week period in February 2008. Confidentiality was assured and individual responses were not identified by person or company.
At the heart of the poll: 14 specific missions in which the CEOs were asked to grade their security operations with an A for excellent, a B for good, a C for average, a D for not as good as expected and an F for failure. While a few CEOs gave out F grades, when the 100 scores were added up, none of the specific missions received less than a D. As was the case last year, CEOs polled rated their security operation high on traditional elements such as securing property and protecting employees.
What’s new this year is the importance of execution of the security plan and the need to protect the reputation of the enterprise.
Also new this year, the chief operating officer (COO) has taken a greater role in connecting to security. As with last year’s survey, risk management, the corporate counsel, human resources director, facilities manager and plant manager still play a close role with security.
Convergence also is impacting the ways CEOs view their security operation.
This dramatic change is thanks to the integration of physical security and information security coupled with the realization that supply-chain management and human resource management must become integrated in the organization's overall security strategy.
The integration of physical security and information security has been forecast for several years, but according to the Security Magazine CEO survey it finally looks like it has begun to happen. Physical security systems and surveillance are moving to IP-based devices. But CEOs realize that the skill set required to manage both environments makes it a challenge.
KNOW IT ALL
Intelomics estimated that physical security professionals are ahead of information security professionals in their efforts to become cross-trained for work in the integrated security environment. The CSO must be educated in both areas if they are to lead their organization’s integrated security program. While this may seem trivial, one corporate training organization that asked not to be identified said, “The know-it-all attitude of the IT security personnel is the biggest roadblock to this integration and the biggest risk to securing the enterprise.”
The CSO must now work with the leaders of the supply chain in two specific areas. The first is to ensure that all hardware and software are authentic and not counterfeit. Just recently the FBI arrested individuals who were selling counterfeit Cisco equipment and confiscated over $70 million worth of fake hardware. The challenge for the CSO is to work with suppliers and evaluate the controls they have in place to safeguard against product tampering during manufacturing, and also to be able to ensure that the products the organization has purchased and will purchase are authentic.
The second area of the supply chain where the CSO needs to be involved is in assessing the risk that top-tier foreign suppliers could be impacted or disrupted by a cyber attack, cyber war or an act of cyber terrorism against their country.
In a recent poll conducted by Spy-Ops, less than 1 percent of companies had addressed cyber attacks in their business continuity/contingency plans, and only 4 percent had addressed major viruses.
With all the recent attention that cyber warfare, cyber attacks and cyber terrorism are receiving, the CSO is on point to provide the answers and to be held accountable for the combined physical and information security environment.
Of course, overall security is heavily dependent on the people who work inside the organization. Eighty-one percent of security breaches were committed or assisted by organization insiders.
According to CEOs, the CSO must work with HR throughout the entire employee lifecycle to manage this risk. Given the expansion in their responsibilities, CSOs must retool themselves and acquire the skills necessary to operate in an ever-changing combined threat environment. It is no longer good enough to be a skilled practitioner in one area of security.
The next five years will be fraught with challenges for the chief security officer. Another recent survey of 2,000 chief executive officers found that almost a third of them regarded staffing senior-level and mid-level management positions as their greatest challenge – a greater concern even than the headaches of dealing with an uncertain economy.
EXECUTION TOP CONCERN
Execution is taking precedence over profit and top-line growth as a focus for CEOs around the world, according to the Security Magazine survey and a global survey of chief executives by The Conference Board.
The Conference Board survey of 769 global CEOs from 40 countries is drawn from The Conference Board report, CEO Challenge 2007: Top 10 Challenges.
When asked to rate their greatest concerns from among 121 different challenges, chief executives chose excellence of execution as their top challenge and keeping consistent execution of strategy by top management as their third greatest concern. In the Security Magazine study, security execution ranked a B.
“This year’s overall top challenge shows that CEOs from around the world are realizing that strong execution is a critical factor in driving profits and revenues,” said Jonathan Spector, president and CEO of The Conference Board. “These executives are also becoming increasingly aware of the crucial role that people play in growing their companies.”
Corporate reputation is increasingly able to either generate or rapidly destroy shareholder value, according to the Security Magazine study and a complementary report by The Conference Board.
The Conference Board report, Reputation Risk: A Corporate Governance Perspective, provides recommendations on how corporate CEOs and their CSOs can ensure companies develop a robust reputation risk management process integrated within their enterprise-wide risk management (ERM) program.
“Despite a recent surge in research on the topic, corporate reputation remains a highly disjointed field of study,” said Matteo Tonello, senior research associate at The Conference Board Governance Center and author of the report. “There is still very little guidance on the oversight function of the board in protecting and enhancing this corporate asset.”
“The report increases the awareness of reputation risk as a corporate governance matter and offers guidance on how corporate boards can approach their fiduciary responsibilities in this area,” Tonello added.
The Security Magazine CEO survey looked at the issue of reputation from the angle of protecting the brand.
“Corporate governance is the system of checks and balances instituted by the board of directors to ensure that an organization is suited to meet its business objectives, not the interest of insiders. Since corporate reputation is the perception of the firm by a variety of stakeholders, board members should consider having an organizational program in place to oversee any material event that may affect stakeholder relations so as to ensure that such events do not compromise the company’s ability to achieve its long-term goals,” Tonello concluded.
KEY RECOMMENDATIONS
CEOs, CSOs and boards of directors should reach a common understanding of the concept of corporate reputation and tie its discussion to a comprehensive analysis of the firm’s stakeholder base. Corporate reputation oversight represents a formidable strategic opportunity to strengthen stakeholder relations that pertain to the company’s long-term business objectives.
Top management should become familiar with management’s rationale for prioritizing stakeholder relations and be persuaded that the selected relations are instrumental to achieving the firm’s long-term objectives. In doing so, directors should be aware that executives and other insiders might attribute different importance to the same group of stakeholders, according to the degree of interaction they have experienced with such a group or the potential private benefit they may derive from certain relations.
Boards should discuss and understand the nature of reputation risk as an effect of certain business operational incidents, not a separate and distinct category of uncertainties. Accordingly, directors should consider objecting to the establishment of a dedicated organizational platform to address reputation risk, as it would conflict with current risk management integration best practices and retard the development of a full-fledged enterprise risk management program. Failing to embed reputation risk into ERM could lead to inefficiencies and disparities in the company’s response to risk events; in addition, it could undermine the firm’s ability to foster a cohesive culture of risk awareness.
CEOs and their CSOs should oversee the design and implementation of a strategic, top-down, and holistic risk management program where all business events with potential consequences on the firm’s reputation capital are identified, measured vis-à-vis tolerance levels and appetite to risk, and addressed in a timely manner. Enterprise risk management enables the company to elevate relevant reputation issues to the board level, where they can be analyzed strategically and in relation to their possible impact on long-term shareholder value.
CSOs and their senior executives need to identify, categorize and prioritize business uncertainties, including with respect to their reputation effects. They should ensure that the prioritization criteria and other techniques used in compiling a risk portfolio comprise, among others, a set of reputation metrics. Specifically, the inclusion of a risk event in the portfolio should also be decided based on the likelihood and impact of the event’s consequences on the company’s reputation capital.
In addition, the Security Magazine study discovered that CEOs and their boards of directors are more involved in enterprise risk management. Limiting risk gets a B- in the Security Magazine scorecard.
ENTERPRISE RISK MANAGEMENT
According to The Conference Board, more corporate boards are driving enterprise risk management, but despite progress, ERM has yet to become embedded in most companies’ day-to-day activities.
The report, sponsored by Oliver Wyman, a leading global management consultancy, is based on a survey of risk, audit and finance executives of 200 companies from a range of sectors including manufacturing, financial services, healthcare, energy/utilities, wholesale/retail, communications/transportation/warehousing, and business/professional services.
Fifty-five percent of The Conference Board survey participants indicate that their corporate boards are a top driver of their enterprise risk management program, up from 49 percent two years ago.
Still, ERM, a strategic method of understanding and managing risks, is not being integrated into corporate cultures. The progress has been mainly in early-stage efforts, such as creating a risk inventory and assessment process. As such, the key ERM benefits in managing the overall corporate risk profile and portfolio have not yet accrued in most companies. While CEOs in particular are slightly less certain that ERM is crucial to performing their own role, this result could be partly due to many CEOs delegating risk management responsibility to chief risk officers, chief security officers and other high-level executives.
Beyond execution of a security plan and protection of reputation, most CEOs surveyed insist upon life safety, according to the Security Magazine CEO survey.
In an ideal world, security would be a back-office function that, like accounting, operates in the background. But the world is hardly ideal. More and more things can go wrong, and corporate security officers find themselves juggling an ever-growing number of areas of responsibility -- headquarters security, background checks, information security, disaster recovery, Sarbanes-Oxley compliance, executive protection.
Dealing with each of these -- keeping up with fresh threats and ensuring systems are current -- requires both input and buy-in from top management. Corporate security officers don’t always get that support. “CEOs are skeptical of the value proposition of security,” said one security officer, “because security has always meant guards, guns, and dogs -- most of them sleeping. It just doesn’t resonate with them.” No surprise, then, that in a recent Conference Board survey of senior executives, less than one-third called their CEO “extremely supportive” of security spending. It’s not that security has a low profile -- 9/11 focused attention on physical safety, and revelations about data breaches pop up regularly in the daily press. But whether chief security officers have trouble making a solid business case for programs or CEOs have trouble hearing officers’ concerns, there’s often a disconnect.
“Everybody says they want to report to the president or the chair of the board,” one CSO said. “But those people are way too busy. When I’m reporting to someone, I want to be able to do a one-on-one and make it meaningful.” Others have no complaints about access to the top. “Our relationship with top management is strong enough that whenever we ask for a meeting or a call back, we are always accommodated,” another CSO said. “Typically most of our contact is at the senior C-level, all direct reports to the CEO or CFO. We just haven’t needed to meet with the CEO very often to get the decisions that affect our mission.” Another CSO agrees: “The relationship with top management is usually very good. I feel respected and empowered. I do get reasonable support, though I would not characterize it as very strong or active, due to the priorities and pace of this organization.” Money can be a different story: “At times,” this CSO continued, “I get the resources I need -- but not consistently. If there is an emergency need, I usually get what I request, but I have less luck getting resources at other times.” Even those CSOs satisfied with their C-suite access, though, note an occasional “understanding and communication disconnect.” One points to the nature of the security function, often seen as purely reactive and defensive: “I think top management doesn’t always or fully understand the value or functionality of security. They understand the importance, but I don’t feel they always understand the proactive or deterrent aspect of our functions or of risk-avoidance with security-related issues. The problem is less a disconnect in communication than a difference in focus, in priorities, and in the way we see the world.”
In a broader sense, CSOs urge a focus on “the value proposition of security,” as one CSO says -- framing security so “it makes business sense and creates value rather than being a sunken cost -- and so it resonates in the C-suite.” Until the security function is truly “about the business proposition,” the CSO continued, “we won’t be taken seriously or be recognized as an appropriate source of expertise upstairs. Until you start getting people to understand, the business isn’t going to listen. They’re going to ask you to go back out to the guard shack and check cars in.”
COO INVOLVEMENT
The Security Magazine CEO survey discovered that CEOs are investing more in their chief operating officers and that the COOs are more responsible for enterprise security. The position of chief operating officer in leading corporations is being transformed — not eliminated.
The report, The Changing Role of the COO, is based on in-depth interviews with executives from companies representing diverse industries, together with a literature review. Executives surveyed include heads of human resources, regional heads, COOs, CEOs, heads of business units, and heads of company research.
“The scope and intensity of leadership demands today call for a team approach at the top,” said Dr. Robert J. Kramer, principal researcher at The Conference Board and author of the report with contributing author David Harper, founder and managing principal of The Advisory Alliance. “Some companies are deciding that the composition of that corporate leadership team need not include a COO. Others are changing the duties for which a COO is responsible.”
SIDEBAR: The Sentinel CEO
Since 9/11, the safety of physical assets is most important for business executives as they deal with some unimaginable events such as pandemics, terrorism, as well as technology hackers. If businesses are to continue in the face of ever-increasing possible fears and threats, then new approaches, driven by globalization, will be essential. These sentiments are found in The Sentinel CEO: Perspectives on Security, Risk, and Leadership in a Post-9/11 World, by William G. Parrett, former Global CEO of Deloitte Touche Tohmatsu. He discusses the thoughts of CEOs all over the world on their new approaches to corporate security and risk management. The book suggests that risk management is developing to become integrated into the corporate culture and strategic activities of a company.
Packed with the viewpoints of top CEOs, public officials, security experts and academics from several backgrounds, the book emphasizes how the core values of a corporation may assist it in addressing and recovering from unforeseen threats. It also highlights how organizations that are capable of controlling risks in a holistic sense, in terms of existing assets and future growth, will top others in the long run.
Parrett feels that to help preserve values, companies must go beyond managing risks in silos and also build an organization-wide risk management function. He confesses that presently very few companies control the full spectrum of risk and address risk wisely from all quarters and standpoints. The Sentinel CEO also examines several strategies for the CEOs of international companies.
SIDEBAR: PSIM in DC: A SecurityDreamer Event
Have you heard about Steve Hunt’s SecurityDreamer events in Chicago, Silicon Valley or Vegas recently? In Vegas he filled a room at the David Burke Restaurant in the Venetian for a dynamic discussion on the future of video surveillance. The next events are in DC and Atlanta.
In DC, Hunt is doing PSIM. In other words, he’s not just going to talk about it, but actually launch the PSIM market. It’s time to really define what Physical Security Information Management means and establish it as a legitimate market segment. Up to this point, PSIM has been a nice idea and a marketing expression. Because of this buzz, revenue around PSIM has grown dramatically.
Are you curious about ways to improve security event management and incident response in the most efficient and effective ways? Would you like to establish best practices for computers, software and networking? For investing opportunities, for deploying PSIM solutions, for partnering with the right people, you’ll want to be in the room. This event is for investors, integrators, resellers, end-users and manufacturers -- anyone interested in making money and solving problems with PSIM. Grab hold of this opportunity and act on what everyone’s been talking about.
If you’d like to know more about our DC area event late this spring, contact: Rachel.Cusick@HuntBI.com, 847.733.0200.