What an Increase in Security Planning Might Mean for CSOs

The coming years promise an increase in security planning to support strategic business planning. Will it be a CSO's dream come true or one big nightmare?

What's keeping you awake at night these days? Sharing such security concerns with one another is nothing new. And we mostly do it for good reasons: It's one part learning, one part giving back, and one part enlightened self-interest. The idea is that your problems today will likely be my problems tomorrow, especially if we're in the same business sector.

So I think I keep a fairly good handle on what is in front of us as CSOs, but I'm always struck by the insights of my fellow security colleagues when I ask them about their concerns. I hear a lot about balance, or, more specifically, imbalance. I hear about more risk, less resources. More to do, less to do it with. More regulations, higher expectations.... Well, you get the picture.

"The risk landscape is hugely visible, perhaps the highest it has been in my 25 years in the business," says one security exec. Terrorism now dominates the public mind-set and creates the mistaken impression that it is a much greater threat than anything else. We need to strike the right balance between our biggest worries (people and process integrity, workplace violence, fraud, product tampering, counterfeiting) and terrorism.

Yet there's an interesting dichotomy to the continuing impact of 9/11. The tragedy in September 2001 caused attention to security risks as part of the critical infrastructure to dramatically increase. But since then much of the focus on safety and security has waned, and fears seem to be inversely proportional to the length of time since the last incident. "All this DHS color crap has everyone totally turned off," is how another friend puts it.

I can't imagine a company that doesn't have security somewhere on its radar these days, if for no other reason than the daily threat of malicious and criminal attacks on our networks. Thanks to the insecurity Microsoft has brought to our IT world, most companies have had to get good at virus and patch management. A backhanded plus, I guess.

Another plus is that network management is getting more attention. That said, remote access capabilities such as virtual private networks continue to keep our IT security friends tossing and turning.

We've all watched the cyber side of our businesses get increasingly more insidious. "Keeping a strong enough control environment on every device is very hard and very costly," says a CISO colleague of mine. "As a result, many people are coming to the conclusion that we need to use gateway technology internally to create partitioned networks within the enterprise's wide area network to either protect the contents from higher risk outside the corporation or to wall off high-risk activities from the rest of the enterprise WAN," he says. "We're doing better at defending against the worm and virus attacks, but it's costly."

The Cost of Doing Business

Meanwhile, the concern for cost management is universal; it continues to put pressure on all but the most immediate risk-oriented security budgets. The struggle seems more and more like a permanent fixture rather than a wait-until-things-improve business focus. Most of us believe that the cost pressures are here to stay. Thus, we need to recognize that security is part of the cost of doing business and get smarter about our management of scarce resources.

A number of CSOs also believe that the current business models will have serious consequences for corporate security, what with heavy emphasis on international outsourcing and global business-to-business relationships. Manufacturing opportunities in developing countries, for example, raise potential risks for employees, travelers and transportation of products.

"Do you realize how many countries we're in with really risky processes where we can't perform effective due diligence on people and companies?" says one CSO. "Mainframe access? It's absurd!"

We give our "partners" the keys to our most sensitive information and processes, and what do we get from the proponents when we say, "Wait. Who are these guys and what assurances do we have that they will abide by our policies and safeguards?"

Even the most elementary look at the risk profile in the countries we have selected to provide these critical functions will point to a need for concern. Product diversion, theft, employee and family safety, investment and reputational risk, personal integrity and a host of other threats not typically understood by North American business executives confront this cost-management trend.

A CSO friend in London shares this concern but emphasizes the impact of U.S. policy. He believes the risk landscape will get much worse "if the postwar management of Afghanistan and Iraq continue on their current, inadequate path and the tense Arab-Israeli issue remains ineffectively addressed, all escalating rather than reducing the risk of terrorism," he says. "The prospects of a more effective global jihad increases, as does the likelihood of a serious weakening of the links between the United States and its natural allies."

In my view, many of our non-North American colleagues have a much more realistic view of terrorism and business risks associated with it. They have lived it at home and in various countries in which they have served in both public- and private-sector lives. They see threats to employee safety and business continuity firsthand almost on a daily basis.

Then, not too long ago, SARS joined up with our anthrax angst and the continuing cyberhits to reaffirm the potential impact of terrorism on international commerce and to put yet another threat benchmark on business interruption.

Getting Closer All the Time

With all this new attention on security, has access to senior management improved? "It wasn't an issue to begin with," is the general consensus. "Established CSOs were already in front of senior management. Access didn't need to improve."

The times, however, have given a push to business units that often have laryngitis when it comes to cheerleading team security. Several CSOs commented that better visibility post-9/11 has generated more requests for service from disparate customers and some new ones. "We're getting closer to the business units than ever before, and we are now moving from a consultative role to that of a business adviser on product launches, M&A activity and fraud risk," says one.

Many CSOs support the view that security is viewed completely differently. "We're much more respected by a broader population than ever before," says another. "My department is changing dramatically. Proactive versus reactive, strategic versus tactical, influence versus dictate, big picture solutions versus the one-off Band-Aid, managing expenses for reduction versus spending to budget. The expectation from the top is that we will be more business-minded and worldly."

And just about everyone comments on a continuing concern for the lack of a real public-private connection. There are glimmers here and there, and from a few officials in the DHS who understand the problem. I find it fascinating that they're the few who are former corporate security professionals.

And, finally, the regulatory environment is on the radar these days. "Conflicting regulations will add to the cost of doing business without adding anything to overall national security," is how CSOs articulate their frustration. The Patriot Act inquiries roll on in financial services. The chemical industry is facing the prospect of having regulatory oversight of security by the Environmental Protection Agency. Now, I seriously doubt that anyone at the EPA can even spell security, but it's a way for them to fatten their already bloated budgets.

Where the Action Is

Trend-wise, we're seeing CSOs being given added responsibilities as compliance officers (but without adequate resourcing, they add). And previously established employee hot lines are receiving a boost from internal advertising and audit committee monitoring. One U.K.-based CSO has benefited from such an environment. "Both the board and the group audit committee invite me now into their meetings as a matter of course. And my department has become integral to the creation and maintenance of the corporate governance manual, and that has helped improve access to some of the business units," he says.

The good news is the affirmation of a real connection between CSOs and their senior management and the visibility of that support by the next few tiers below. These are the tough sells, and getting them aboard is where the real action is. Like one of our international CSO colleagues, you'd likely have a good weekend after hearing your CEO sum up his perception of security at the annual general meeting: "Security added real value by being an integral part of the business rather than working on its fringes."

These are especially challenging times for corporate security. For those of you who have foolishly asked for a manageable crisis to awaken management, don't look now. You have a menu of crises to choose from. But be careful what you ask for. The question is whether it's really manageable where you already are.

Copyright © 2003 IDG Communications, Inc.