Broaden your definition of risk. Consider a broad range of operational and related risks to your organization. For some of these non-traditional risks, security may share or lead in mitigation efforts; other identified risks may be referred to and directed by the organization’s Enterprise Risk Management (ERM).
Take off the blinders. Maintain an open and alert posture to accept new challenges and opportunities. This has resulted in security functions expanding crisis management processes, leading business continuity, protecting corporate brand and image and driving corporate resiliency.
Leverage information and capabilities. The security function can provide significant added value to business units through the use of existing security information, intelligence, resources and capabilities. Many security functions currently use this information to assist business units in qualifying customers and vetting partners or suppliers. The depth of existing political, cultural and business information obtained regularly by security can assist business units in numerous analytical processes and decisions related to new investments, timing on operational decisions, and supply planning, for example.
Reach out to partners. Helping key partners, suppliers and independent contractors resolve security-related issues or strengthen their risk management can benefit the corporation, especially in situations when a supplier or partner problem could directly affect business operations and financial results. This is especially useful for smaller partners who may not have sufficient internal resources. Such assistance has to be made within limits and without extending the corporation’s liability.
Apply security platforms to business. It may be possible to extend the use of existing software and/or vendor services to other business units for operational purposes. Examples include mapping supply exposures, understanding the impact from utility losses; confirming contractor time and staff on location, or identifying bottlenecks for just-in-time operations/suppliers.
Expand the audit process. Just as Internal Audit functions can include security issues within their auditing, the security function can also extend security audits to cover information for other functions and business processes, such as compliance or safety related points. This may work best when there are close parallels to processes, risks, and risk controls.
Share video capabilities. Network video images and cameras may be useful beyond the needs of the security group and can be helpful for operational purposes. Network cameras that view an IT communications room can enable off-site review, analysis and direction for problem solving. It’s another method to use existing resources to benefit other company functions.
These are just a few suggestions to stimulate thought for maximizing the value of existing security functions and processes. Each specific organization has its own unique opportunities to expand the value of the security function. Staying open to and looking for opportunities is the key to moving forward.
Aligning Security Services with Business Objectives
Adding value through security begins with strategic thinking. Richard Lefler, former VP and CSO of American Express and now Dean of Emeritus Faculty for the Security Executive Council, lays out a path to a business-aligned security model in his presentation “Aligning Security Services with Business Objectives.” One of the first steps is to examine security programs under a strategic lens to ensure that:• The benefits of the security program outweigh the cost of the program
• Security costs are managed and measured on a program basis
• Relevancy is articulated
• Programs are constantly evolving
• Cross-pollination is an opportunity for improvement
