2010 Security 500: The State of the Art

To the naked eye, the security profession is expanding and shrinking at the same time. Security’s role is expanding as organizations elevate the function by recognizing and addressing enterprise risk management issues. Security is expanding globally as company growth objectives require emerging market exposure and increased risk. And it is shrinking as the homogeneous guns, guards and gates security management style continues to evaporate into early retirement or lower supervisory levels of the enterprise, and business-minded executives combine the power of leadership and subject matter expertise in their sector and best practices. The outcome is that while many of the conversations with leaders in different sectors were similar, they were also unique to each sector.
The great opportunity and challenge for the 2011 security leader is to intertwine risk management into the fabric and culture of their organization’s goals without getting ahead of themselves. It’s a brilliant notion the folks at the Security Executive Council term Organizational Readiness (and we will visit this concept in detail later).
LEADERSHIP
Leadership is an issue for every executive role in every organization, and one only needs to Google Mark Hurd and be directed to the childhood board game “Chutes and Ladders” to understand the challenges and risks. Last year we wrote that CSOs were truly “Cs” based on how their pace of firings was catching up to other C-level functions. During the past year, partly due to the recession and mostly due to a need to align security with the overall business by having a strong leader who could “play well with others” and gain the respect and buy-in of the business leaders, the pace of early retirements accelerated. As Dr. Mario Moussa, academic director for the ASIS/Wharton Program for Security Executives, pointed out earlier this year, “CSOs need to figure out how they can eliminate a C-Suite blind spot, not be one. CEOs are focused on growth and performance and the CSO needs to focus on business resilience and continuity. Security needs to be involved in overall organizational performance and avoid being viewed as a narrow, technical function.”
BEST PRACTICES
At the opposite end of the leadership spectrum, but equally important, is excellence in best practices. Either you or members of your department must be expert in all aspects of security for which you have responsibility. Whether broadly defined as physical or corporate security or specifically outlined within loss prevention, investigations or cyber security, the risk management function must be expert in the identification, prevention or response to events. Directly within the central finding of this year’s report, that the profession seems to be both expanding and shrinking at the same time, the security leader is expected to have excellence in basic blocking and tackling as well as be a strong leader and contributor to organizational goals.
SUBJECT MATTER EXPERTISE
At the junction of leadership and best practices is subject matter expertise. The successful security leader is a part of their organization’s business. As Maureen Rush at the University of Pennsylvania clearly stated in an interview, “Our business is not law enforcement, it is higher education. Every CSO needs to understand the business they work for and service; it is never security or law enforcement. That approach doesn’t add value, it fails.” As the subject matter expert, the successful security leader is the person who most effectively manages risk, thereby enabling the organization to achieve its goals.
2010 Security 500 Trends
1. “We plan for the worst case but get the budget for the best case.”
While the recession may be easing, the stress to get funding to manage risk and deliver on security programs is increasing. But unlike the organizational cuts due to poor economic conditions a year ago, the gap in funding versus program goals this year is due to:
1. Business expansion, especially to emerging markets.
2. Additional responsibilities, for example, business resilience and corporate travel.
3. Increased regulatory compliance that increases training and reporting costs.
4. A changing focus on risk management to justify spending.
Business expansion, business resilience and corporate travel each point to a very healthy trend of helping business units achieve goals. Mapping risk management and security policy and programs into the business results in shorter time to market and allows business people to focus on their jobs versus worrying about security issues, such as travel safety. In most cases, approvals for additional staffing were for business resilience and corporate travel/international security management positions directly supporting business goals.
Regulatory compliance increases were reported across most sectors, primarily related to the Department of Homeland Security. Costs for compliance include keeping policies current with changing regulations, training and educating staff, reporting procedures and documentation and dealing with inspections, audits and potential fines.
Comments accompanying submissions also pointed to a healthy trend of risk-based planning, which first recognizes and evaluates risks and then funds their mitigation. The implementation of this process delays expenditures during the research and evaluation period, thereby making funds more difficult to obtain. (See trend #2: Enterprise Risk Management.)
2. So Many Risks, So Little Time
The move from responding to events to predicting and preventing them opened a new science in the security and risk mitigation world. It also pointed to the reality that you cannot protect everyone and everything from all things. Enter ESRM, a comprehensive approach to protecting the enterprise.
ESRM applies traditional business enterprise risk management principles, including executive leadership:
• Creating a risk management culture used in all decisions
• Setting clear risk parameters and having them followed
• Utilizing risk management regardless of business/economic conditions
• Having clear metrics and measures for accountability and performance
Specifically to the application of security, ESRM requires a holistic look at the organization where:
• All functions work to identify and mitigate risks
• Physical and logical security is integrated
• The organization responds to events to reduce their impact
Key to ESRM is that the risks to be mitigated, managed or ignored are based on business decisions and their potential impact on the organization. ASIS and ISACA started The Alliance for Enterprise Security Risk Management to help members meet their ESRM goals.
3. Emerging Markets Bring Emerging Risks
As the world economy means growth and profits will come from emerging markets, there is an increased reliance on security to help organizations securely achieve their goals. Security cannot be seen as the people who say “No,” but it is a challenge to allow the business to do business without placing employees, intellectual property and brand reputation in harm’s way.
Two trends resulting from increased risk to traveling employees and expanding business footprints are corporate travel and international security programs being centralized within the enterprise security organization.
Companies are opening in new geographies to achieve revenue growth, requiring international security infrastructure, local law enforcement relationships and travel security policies and programs. The only barrier for many companies to expand into new areas is if they cannot keep their people secure. Having a robust international security program, including policies, training, travel and on-the-ground support, enables business to grow and security’s value as a business driver to flourish.
4. Workplace Violence Continues at a Torrid Pace….
Despite policy changes, access control and identification programs, lock-down drills and training, workplace violence continues to rise at an alarming rate. And it is not just the grownups that are the problem: Schools are dealing with bullying and cyberbullying. More than half of emergency nurses report being physically attacked, spit on or verbally abused. And the workplace has resorted to a “No guns at work” policy that some organizations have taken to court to fight. Every sector surveyed this year reported workplace violence as a critical issue.
Every sector is facing higher litigation costs, insurance costs and training expenses in an effort to reduce the frequency and severity of incidents. While homicides have remained flat, aggravated assaults have jumped tenfold since 1951, according to Bob Hayes at the Security Executive Council.
Yet, in many cases the offending person has exhibited behavior including threats and past violent behavior, thereby increasing perceived liability and financial exposure as a result. Organizations continue to seek successful mitigation programs to identify and reduce violent behavior.
5. How Much Is Regulatory Compliance Really Helping?
Regulatory requirements include implementing training, tracking and reporting on programs to ensure that your organization is compliant. Yet the cost of compliance is often out of sync with programs such as ESRM.
While many of the DHS programs have clear guidelines to follow, in some cases organizations find it challenging to understand and know if they are meeting the intended rules. For example, a hazardous material used in the manufacture of a product and stored at a waterfront facility will fall under Coast Guard and MTSA regulation if the amount stored exceeds a certain amount (the amount deemed to be a threat/risk). However, materials used in work-in-progress manufacturing are likely to be both above and below reporting requirements at a given day and time. Therefore, it is challenging to comply with the reporting rules and requirements.
The greater concern is that DHS has been unclear in how organizations should manage this situation, and depending on the inspector and the interpretation of the rules, organizations may be fined. That can take scarce security resources away from addressing more effective security programs.
Troubling to the risk-mitigating security executive is the realization that this process does not make anyone any safer than they were prior to the regulations being created and enforced. While much of DHS regulatory action has improved security at the national and enterprise level, there are opportunities to listen to those organizations and sectors impacted by regulations and to revisit and update compliance laws on a regular basis.
6. The “Layered” Look is Back in Vogue
There is no security technology “silver bullet” solution, but there are a number of complementary solutions that work together to improve security effectiveness and efficiencies. The concept and application of layered security technologies in the IT security space is a tried and true best practice. For example, it may take three separate identification proofs to enter a particular database. With the IT-izing of physical security technologies and the merging of physical and logical security applications, layering is coming to the physical security world.
“Layering” is getting significant use in counterfeit product/tampering and supply chain programs as well as other security programs. Up to ten different technologies may be applied to a product to ensure it makes it from design to the intended customer without tampering, counterfeiting or diversion.
For example, some companies will only accept a delivery from an approved and known business partner. Such chain of custody programs rely on trusted partners along the supply chain and on ensuring custody of the shipments at all times. This physical program is “layered” with RFID tagging on each pallet, box or bottle, and in some cases, the product may include inert ingredients that identify it as genuine or counterfeit.
The challenge is continuous, as countermeasures to the latest threats are quickly met with new threats and organized efforts to thwart technological solutions and gain access to valuable commodities.
7. Save the BRAND!!!
In 2009, two Domino’s employees (former, we should say) created a video of themselves doing unsanitary things while preparing customers’ pizzas. The video was posted to YouTube, where it immediately received millions of views. Domino’s was left with a brand risk disaster, and other corporate leaders tasked with brand protection took notice.
The proliferation of the Internet, including email scams, phishing and social media, is both a boon for doing business and an emerging risk. Terrorism, workplace violence and counterfeiting also put brand names at risk.
This issue is an example of how ESRM applies because it transcends security and involves other departments such as marketing and legal, and buy-in must start at the top.
Key to brand protection is business resilience planning, crisis management programs and an enterprise response in place. For example, the lack of an effective and articulate response by BP may have been as damaging as the oil well disaster itself.
8. You’ve Got Steal: Cyber Crime
The most troubling aspect of this threat is that 61 percent of cybercrimes are discovered by a third party, not by the victim, according to the Verizon 2010 Data Breach Investigations Report. In December 2009, an exchange between the Wall Street Journal and Citibank took place in which the paper reported the FBI notified Citibank that Russian cyber criminals electronically stole tens of millions of dollars. Citibank vigorously denied the report. The Journal stood by its story. Citibank stood by its denial.
While the Journal and Citibank may not agree on what actually happened, everyone does agree that cyber crime is a very serious problem of unknown size. A recent FBI report notes, “About one-third of all economic espionage investigations are linked to Chinese government agencies, research institutes, or businesses.” A CIA veteran wrote in 2008 that other nations are becoming willing to support their own industries by acquiring competitors’ intellectual property “the old-fashioned way – they will just take it.”
External threats are not the only ones. Internal threats from social media, thumb drives and even iPods put organizations at risk. New products tracking employees’ online activities, including social media usage (both time lost and inappropriate activities), are coming on the market.
Companies are also offering cyber liability insurance to mitigate risks against cyber attacks and intrusions. The Verizon report documents that attacks may come from anywhere:
Who is Behind Data Breaches?
External Agents: 70%
Insiders: 48%
Multiple Parties: 27%
Business Partners: 11%
(Categories overlap, since a single breach may involve more than one type of agent, so the percentages exceed 100.)
While hacking is the major concern at the organizational or firewall level, most intrusions are the result of people misusing their privileges. Most hopeful in the study is the statement that 96 percent of the breaches were avoidable through simple or intermediate controls.
9. Driving BCP While Looking in the Rear View Mirror: Business Resilience/Crisis Management/Disaster Recovery
Many Security 500 survey participants noted the challenge of keeping people vigilant to be aware of unusual situations and report them. As we pass the ninth year since the Anthrax and 9/11 terror attacks and the thwarted Times Square bombing falls further behind in the rear view mirror, preparing and training for business continuity planning (BCP) actions that may never take place is a challenge in leadership and motivation.
Last year these three functions were brought together and began moving into the security department across Security 500 organizations. The initial implementation of notification technologies and online training programs got the ball rolling. Harder is staying on the ball with audits, updates, table top exercises and ongoing awareness programs.
This year, it will be important to have qualified management and to build out enterprise-wide BCP plans, training, practicing and overall, to certify that the plans will indeed work in a crisis.
10. Never Out of Style
Physical security is front and center as a trend that is gaining more attention, funding and support, despite tight budgets and funding. The issue of protecting property, physical assets and securing facilities and the people that are in them has increased over the past year.
As vulnerabilities change in an ever fluid situation, organizations need to reevaluate risk, update security programs and implement new policies and technologies. As a result, revisiting the strategy at each facility to evaluate and provide perimeter, external and internal protection is a growing trend. Organizations are updating policies and training employees to ensure that security programs such as ID badging, visitor escorts and restricted access are understood and followed.
Good physical security policy and programs are also the foundation for protecting the brand, reducing workplace violence and preventing supply chain diversions. The goals of top line growth and global expansion, tied with increased regulatory compliance issues and risk management planning, are driving renewed funding for physical security programs.