If you’re like me you either played Whack-A-Mole as a child or with your children or grandchildren. As we know the challenge was to be ready to whack the mole when its’ head popped up in one of several holes in front of us. In a way some companies play a version of this game when it comes to security. Everything is reactive. They see the problem and hit it over the head with a quick but not well thought out solution. They then wait for the next problem to arise and repeat the process. Whack-A-Mole meets Bill Murray’s Groundhog Day.
There is a better approach. A sound and well conceived security strategy is an important element of a company’s risk management process. In larger companies it may be an element of enterprise risk management. The risks to people, product and property incurred in normal day-to-day activities in an organization constitute operational risks. They require a collaborative and holistic approach to mitigating risks that involve many moving pieces. For this article we’re going to focus on alignment, optimization, and maturity.
I sought out the executive responsible for strategic planning after joining a Fortune 100 company as their chief security officer. I wanted to know more about the long-term strategy of the company so I could ensure security alignment as part of that strategy. The 80-year-old company had never had an embedded global security function; and I was struggling on how to effectively move management to a proactive posture. The culture to that point had been very reactive; focused on the outdated security concept of gates, guards, and guns.
Failing to align our security risk mitigation efforts with the mission, values, and business objectives of our company leave us on the outside looking in. Security can only be seen as a true partner when it is properly aligned.
The Global Security Risk Management Alliance (GSRMA) and UCONN School of Business recently collaborated on a white paper “Security Governance – A Critical Component to Managing Security Risk”. In the paper the authors noted the close partnership between security and other business function leaders. Successful alignment efforts have resulted in discussions around risk tolerance, value-added security risk mitigation, training and awareness, and quality and educated decisions on security risks.
During a security risk assessment at a manufacturing site a few years ago, I discovered the plant had three separate video surveillance systems. One for the building exterior; another for the human resources offices, and a third for the parts department. When questioning the contract security guard supervisor about how they monitored the three disparate systems, his response was priceless. “We don’t monitor any of those systems – plant management doesn’t trust us to do that”.
You might think this example the exception – it’s not. All too often companies don’t fully optimize their security personnel or other resources in the security tool-kit. Video surveillance is not integrated with access control systems or intrusion detection systems. On-site security officers are not given access to the tools because of a lack of understanding, training, or trust. Companies spend six figures on cyber security tools and systems, but fail to validate the effectiveness of those tools. Thousands of dollars are spent on physical security to protect against an outside intruder, when in-fact the more serious risk is from the insider threat.
Successful organizations follow security alignment efforts by drilling down on the most cost efficient tools and resources at their disposal. They use a collaborative and holistic approach in their optimization efforts.
A few years ago Ernst & Young (EY) partnered with Caterpillar’s corporate security team in developing a physical (corporate) security maturity model. Their model was based on work done by Carnegie Mellon University and EY’s cyber security maturity model. The physical security maturity model identified several levels of maturity, from the initial model with limited resources or organizational support; to a defined model with significant technology and tools for some but not all resources and people; to a full optimized level. As noted in their work, EY and Caterpillar found security needed to be at an advanced capability, consistent across an organization and working to enable effective governance. Not all companies may embrace moving to a higher level of security maturity. But, in a world on constant threats and risks, the alternative is unacceptable.
There is an old saying; lead, follow, or get out of the way. Visionary and progressive companies embrace and leverage security in their business. It is not something “bolted” on at the last minute, but part and parcel of an enterprise risk management process.