26 April 2004

Managing Risk for Security Governance - A Series

By Peter L. Higgins
Managing Director
1SecureAudit

Part IV and last in the series

The 2003 Council on Competitiveness Corporate Security survey, conducted by Wilson Research Strategies (see the study), had the following findings:

· Most business leaders now see security as a top or high priority – 86%
· Risk management assessments are being conducted frequently – 83%
· Connections to critical infrastructure are becoming a focus for risk management
· Corporate leaders see opportunities for positive returns on security investments – 71%
· Business leaders believe that the private sector should take the lead in setting security standards – 66%
· The majority of executives believe that the public and private sectors share equal responsibility for homeland security – 57%

“Corporate Security is no longer viewed as a matter of guards, gates and guns, but of interconnectivity and interdependence of networks,” as the survey states. “But, 9/11 was only a moment in time—and there is no accepted business model for integrated security management. The need to identify and institutionalize a set of best practices – security processes that create positive returns on investment—remains largely unmet.”

Security Governance is evolving rapidly and draws on the thinking of various standards organizations, including OECD, BSI, NIST, ISSA, BSA, ITAA, ASIS and dozens of other bodies of influence and knowledge. However, no matter which best practices an organization attempts to standardize on, beware of the attitudes of its employees and stakeholders.

Unless these stakeholders fully understand what they are being asked to do and why, rather than just following the rulebook, the system will fail. The organization that embraces change and introduces a Security Governance framework that manages not only the foreseen human risks but also the unforeseen ones will have a greater chance of survival. The role of culture in the risk for security governance is paramount for several reasons:

1. Any changes in risk management may require changes in the culture
2. The current culture is a dramatic influence on current and future security initiatives

Internal controls can provide reasonable assurance that an organization will meet its intended goals. At the same time, it is the people (human factors) who will fail the company through material errors, losses, fraud and breaches of laws and regulations. This is why the risks the organization faces are constantly changing, and therefore why a management system for security governance is necessary. The management system is there to provide resiliency against the risks it encounters and to control risk accordingly, rather than to eliminate it forever.

The board of directors will soon realize that managing risk for Security Governance is just as important to the success of the organization as Section 404 of Sarbanes-Oxley. In fact, without Security Governance in place, all of the rules won’t matter, and the stakeholders will again be asking themselves: how could this happen?
