The progress among Security 500 organizations is not only measurable. It is visible. Perhaps the best word to describe the changes during the past year is maturity. The executive thought process, the technology solutions, the role of the security executive and the definition and expectations for security have all matured. Even the attitude of others in an organization toward security’s role and goals has matured toward acceptance and participation in a more secure culture.
One clear example of maturity is in the emergency preparedness for Hurricane Ike by government, business and citizen organizations to prepare for and respond as compared to the events of Hurricane Katrina.
Since 9/11, the security role has changed; security programs have been started and restarted; and many security leaders have been hired, fired and hired again in an effort by boards of directors, CEOs, college trustees and others to figure out what they want and how they will know when they get it. Board level strategy person? Operational level tactician? Security belongs where? Legal, Ops, Executive? Can’t we outsource the whole thing? Where does IT fit? Is security a business driver or compliance cost? Or both?
Those spin cycle issues continue to decline as security departments and leaders find their integrated place in the enterprise. As security moves forward, these issues wane in favor of the vision for security’s economic value to the organization. Security has set course and is expanding its reach and influence beyond past boundaries as documented in this year’s results.
THE 2008 SECURITY 500 TOP 10 TRENDS
1. Business Resilience and Crisis Management Added
Security’s role has expanded significantly to include business resilience (also know as disaster recovery and/or business continuity) and crisis management. These functions were spread or siloed across most organizations and the departments that had responsibility for pieces of either business resilience or crisis management were not fully prepared in the event of either.
Organizations completing risk assessments learned they had a gap and moved quickly to identify resources to close it. Security is the right resource and this major organizational restructuring included the Emergency Operations Center (EOC) into the organization. The EOC and monitoring facility created new opportunities to leverage training and technology. Examples include merging monitoring and EOC operations and processing and sharing that information with officers who are trained and able to respond to an open door alert as well as participate in emergency operations during a crisis.
Business resilience preparedness requires the organization to communicate and coordinate with external partners including utilities and emergency services. These are the same organizations with whom security needs to connect and as a result, this structure gives powerful leverage to the organization.
2. Benchmarking Is Everywhere (Or So It Seems)
The sharing of data and measuring programs with peer organizations, identifying best practices for assessing risk, setting strategy, developing security programs and comparing outcomes are having an impact. Similar sized organizations (revenue, students, regulatory compliance) in same markets reported comparable organizational statistics. This was especially true among large enterprises reporting security budgets exceeding $25,000,000.
There are a number of interesting resources and tools (in addition to the Security 500) for entering security data and receiving benchmarking reports. For example, the Security Executive Council offers “Benchmarking Security Operations,” which provides a metrics template and the National Shrink Database offers a free, online tool for loss prevention benchmarking. Facility Issues provides FM Link specifically for benchmarking by square feet, one of the measures used in the Security 500.
There is an increase in benchmarking resources and participation among security organizations. The result will be better information, better foundations for risk strategy and budget planning and improved security programs for participants.
3. CSOs Are Really “C’s”
Security leaders, who are expert in security and have demonstrated the ability to become expert managers, are succeeding. Being in the C-suite means being an executive, not just a security executive. The distinction has critical career implications at the board and CEO level.
Are you a management strategist or a security tactician? If you are perceived as the latter, your career will be limited to implementing programs to mitigate risks identified by the board. If you are the former, you have the opportunity to work at the board level overseeing implementation. Further, you have the opportunity to be an executive who happens to currently manage security, which implies a broader career path. Being seen as the top security executive, but only as a security operations leader, is limiting.
This is a critical career issue as security applications move to the network and rely more on IT for enterprise-wide support. There will always be ownership issues at the implementation level. But you are part of the team setting policy and driving business at the board level.
One critical test is your business card. Does it have CPP or other credentials after your name? Does your CFO have CPA on his or her card? Probably not. While your credentialing is important and should be current, you may be better positioned by not visibly promoting it.
There is a lot of HR whammy jammy that goes into this trend. It relates to comfort zones, stretching yourself to the next level, getting away from what you know so well and learning new skills. But those that are stretching outside their comfort zones are more likely to reach higher career levels.
4. Board Level Risk Assessments
The cost of security and/or the increased risk to an organization (which can include compliance risk such as SOX) has led to boards of directors (BoDs) creating risk committees. Where security lives is key to the organization’s approach to risk. Those with security at an executive or legal reporting level tend to be more mature in this area than organizations where security lives in finance or operations. The regular reporting and board level presentations identify risk and present the actions being implemented for mitigation.
The overall goal for bringing risk and security to the board level is to enable a holistic view of the organization’s risks and mitigation strategies. Many organizations may be overspending to separately cover financial, operational or business resilience risks. The trend to move business resilience and crisis management to security is a sign of BoDs taking a holistic look and seeing the bigger picture.
As we go to press, the Security Executive Council is completing groundbreaking research on board level risk that takes a holistic view of the enterprise and identifies mitigation actions for each. Another source to consider is the excellent article by Lisa Hauser, the risk management expert, “Connecting the Dots,” for more on this topic.
5. Security Is Drawing a Bigger Circle
Since 9/11, most enterprises have been busy creating the security function and the first iteration of those departments has focused on assessing the greatest risks to the organization and taking steps to mitigate them. Security has expanded up to the C and board level, overseas to global operations and outside to its supply chain of vendors and customers.
Security is now going to the next level with public/private projects in the communities in which it does business. This is true, especially among hospitals and universities, which have always been a part of their community, but have more recently added security to this effort.
Security programs require buy-in and behavioral change to succeed. Reaching out to the community at-large and immersing themselves creates a dynamic return to the organization. Changing anonymous employees into neighbors or friends that are making a difference increases the information sources to report suspicious behavior, for example.
One growing trend is that of organizations allowing the community access to their mass notification systems to receive emergency alerts and further merge organizations with their broader communities. Read Security October 2008 “Synergy: Focusing Outside” for more on this subject.
6. Going Green
Green was surveyed last year and didn’t make the list. This year, Going Green is all the rage for security organizations that have a Green initiative. Participation to save the planet, money and be part of the organizational culture is expected and as a result creates one more building block to further integrate security into the enterprise.
The most obvious change is the use of fuel-efficient vehicles, especially those that rely on hybrid and/or electric motors. Campuses and malls are especially suited for using natural gas or electric vehicles.
The less obvious trend is in the technology centers and the EOCs. IT marketers have been promoting green systems for IT to both CFOs and CIOs. Now that the security system is moving onto the network and IT is supporting security, the opportunity to employ energy efficient technology that merges good citizenship with cost reductions is being executed.
7. Security Is Becoming Institutionalized in the Culture
All of the training, internal marketing communications, outreach to students, employees and customers is paying off. Slowly but surely we are paying attention and changing our behavior. Employees are embracing security policies ranging from using access ID cards appropriately, to reporting suspicious activity, being friendly to the security officer. Who is even friendlier back.
The buy-in of surveillance and ID/access being beneficial to the user is increasing. This trend is slow going but may be the single most important change in creating more secure environments: individuals increasing their awareness and participating in their own security and safety.
This critical learning by the individual to behave with security in mind – protecting themselves, organization physical and IP assets and to participate as part of a secure culture – is happening and having a positive impact.
8. Security Is More Fluid than ever: New Threats, New Solutions
By now we have all learned that the world is flat; business is fluid; and, as soon as you identify a security measure, the bad guys will create a new counter measure. In psychology 101, it is taught that shocking a mouse when it tries to get the cheese does not stop the mouse from going after the cheese. But it does motivate the mouse to get to the cheese without being shocked.
Organized retail crime (ORC) groups are an example of a new threat that, traditional loss prevention programs, do not mitigate. New legislation, training, technologies strategies and organizational structures are required to address ORCs.
On the network security front, it is estimated that the total amount of malware in existence now exceeds 11 million, according to IT security company Sophos, which currently receives approximately 20,000 new samples of suspicious software every single day – one every four seconds.
Identifying the next threat, such as soaring commodity prices that drive up the prices of copper and iron, would lead to new threats, creating legal liabilities. has had over 2,500 manhole covers stolen during the first six months of the year and sold as scrap. Finding the money and method to secure over 16,000 in the city is very difficult in hindsight.
But smart organizations are including intelligence, data collection and analysis in their security programs. Soaring copper prices creates a new threat to your facilities where copper is installed and assessing existing measures adequacy and being proactive are core parts of managing security in a fluid environment.
9. Size Matters: It Can Be a Positive or a Negative
The bigger the organization’s brand, market capitalization, profitability and/or asset valuation, the greater is the investment in security per person, square foot and dollar of revenue.
The government, through the Department of Homeland Security, is spending the most per employee across the 16 vertical markets surveyed to protect critical infrastructure, citizens and government operations at the federal, state and local levels. Risks include manmade and natural.
Security is not unlike other operating departments in an organization; the bigger the operation then the bigger the budget. This trend ties back to trend 3. There are two ways to get a raise:
- Move to a bigger organization with a bigger staff and a bigger budget.
- Move to a higher level as a strategic executive compared to a security tactician.
This can challenge benchmarking, organizational sizing and budget request efforts. Comparing the University of Pennsylvania’s student body in urban to a similar sized student body in requires insight and adjustment. Size can be limiting if your benchmarking shows your costs above similar sized organizations without considering appropriate environmental factors.
10. Data and IP Security Integration
Traditional IT security staff is well suited to understand and implement network and data protection systems to prevent breaches and reputational risk. But once the horse is out of the barn, the investigation and clean-up often falls to the CSO.
The days of the stolen laptop being physical security’s issue and the stolen data on the laptop being IT’s issue are waning. Security, perhaps as a result of the board taking a holistic view of risk, is leading the proactive effort with IT to address network and IP security, data breaches, PCI compliance and other traditional IT-related security issues.
An excellent study by Verizon titled: Business Data Breach Investigations Report analyzed breaches spanning four years and more than 500 forensic investigations involving 230
million compromised records including three of the five largest breaches ever reported.
The study shows the differences and similarities among attacks across four key industries: financial services, high-tech, retail and food and beverage. For example, insiders are most likely to be a risk in the financial services market.
Whereas, most breaches originate from external sources but leverage a partner’s trusted remote access connection as the point of entry into online repositories of payment card data in the food and beverage industry.
The risks that enable criminal activity must be mitigated by security policy and programs that involve IT, but not necessarily be directly managed by IT, for a successful outcome.