Could there be a drier, more boring headline on a column? Probably not.

But right now recession management is all the rage and grabbing the attention of security and business leaders around the world. In fact, the recent Security Executive Council (SEC) presentation, “The Impact of Economic Recession on Security Program Management,” focused on recognizing and managing the shift in business and risk assumptions.

Let’s jump to the finish line: The chief financial officer’s (CFO) job is to manage risk. Cutting the security budget (imprudently) can increase risk. There are metrics and measures you can use to make this case and present the reasons for versus against spending. Amazing, but Recession Management just got kind of sexy. A CFO in any position other than “freefall” has to respect risk management realities and recognize there is a point where the risk cost exceeds the budget savings.

Tackling the Big Issues

Never shy to tackle our industry’s toughest issues, the SEC brought together their thought leaders: proven chief security officers (CSOs) with the experience, track record and expertise, to authoritatively discuss this topic and provide reliable and straightforward management direction. It was part of the SEC Live series. Included:

Richard A. Lefler, vice president, worldwide security, American Express (retired) and current Dean of Emeritus Faculty, Security Executive Council, who also is a member Board of Advisors of IPSA International, an international investigative consulting firm.

George K. Campbell, a managing partner in the Business Security Advisory Group, a professional security consultancy and is a member of the Emeritus Faculty of the Security Executive Council. He retired in 2002 as CSO at Fidelity Investments, the world’s largest privately owned financial services firm.
He is the author of Measures and Metrics in Corporate Security.

Joe Nelson, CSO of Teradyne (retired), and current Emeritus Faculty of the Security Executive Council moderated the session. His background as a security leader within IBM, Lotus, Teradyne, CMGI and Digital helps ensure these events are built and organized for real world problems and real world solutions.

Applying the Assumptions

The group presented business assumptions that most organizations are facing today. They posed a number of rhetorical questions that allow you to consider how those business/risk assumptions would apply to their organization, including:
  • Negative revenue growth
  • Reduction in force
  • Flat/negative earnings growth
  • Increased regulatory/compliance requirements
  • Decreased employee travel
  • Increased criminal activity
  • Increased risk of insider threats
To each assumption, questions about related risks were asked, for example, risks related to scaling back background investigations. In a tight economy, it may seem obvious to reduce funding for background investigations and using a lower standard of review. However, research shows that during periods of higher unemployment, candidates are most likely to embellish qualifications. Please read the ENTERPRISE SOLUTIONS article on this topic elsewhere in this issue.

Lefler and Campbell provided facts and action steps for participants to follow to create a successful approach to right-sizing your security program for the current economy. Some of the critical questions they posed and that readers might think about answering include:
  • Will investigative requirements for the company increase or decrease with reduced sales and revenue?
  • If there is a business contraction strategy in place in your company, does it include a risk assessment process around the potential for theft, sabotage or other risky actions by disgruntled employees?
  • How effective is the level of workplace violence risk awareness, planning and collaboration between security, human resources and business units?
  • Do you develop special plans associated with employee or vendor terminations or reduction in force actions in business units possessing highly sensitive or critical business applications or processes?
  • How well known are the vulnerabilities in IT infrastructure to an insider or trusted vendor population who may be targets of reductions in force?
Among the summary statements from the presentation:
  • All security programs and their costs must be aligned with your organization’s goals.
  • The ranking of risks in a changing economy determine the value of security programs as mitigation strategies.
If you would like the presentation and speaker notes that guide the thought process for recession management or information about other SEC Live events, please visit the Security Executive Council Web site at the link below.