11 May 2004

1SecureAudit LLC - United States - Managing Risk for Security Governance - Mondaq

1SecureAudit LLC - United States - Managing Risk for Security Governance - Mondaq:

Article by Peter L. Higgins

In the converging world of information and physical security emerges a new risk element: managing "Security Governance."

The 2003 Council on Competitiveness Corporate Security survey conducted by Wilson Research Strategies found that:

* Most business leaders see security as a top or high priority – 86%;
* Risk management assessments are conducted frequently – 83%;
* Connections to critical infrastructure are becoming a focus for risk management;
* Corporate leaders see opportunities for positive returns on security investments – 71%;
* Business leaders believe that the private sector should take the lead in setting security standards-- 66%, and
* The majority of executives believe that the public and private sectors share equal responsibility for homeland security – 57%.

"Corporate Security is no longer viewed as a matter of guards, gates and guns, but of interconnectivity and interdependence of networks, the survey states". "But 9/11 was only a moment in time—and there is no accepted business model for integrated security management. The need to identify and institutionalize a set of best practices--security processes that create positive returns on investment—remains largely unmet."1

The ethics and issues surrounding the business world of Corporate Governance since Enron and WorldCom command center stage. Now, the ethics and human behavior of the security and intelligence community are snaring headlines in the wake of recent memoirs by former and current White House officials.

When poor business governance spills into Security Governance, it’s time to wave a red flag. These events demand that we revisit and rededicate ourselves to the discipline of Security Governance, which is the means for directing and controlling corporations or governments, and refuse to compromise for any reason the policies and codes we stand by. Established frameworks must not only hold managers accountable but also empower stakeholders to intervene if they witness violations of security ethics or policies. Security Governance, like Corporate Governance, requires oversight by key individuals on the board of directors. In the public sector, people from the executive, judicial and legislative branches may compose the board.

In watching Richard Clarke’s testimony in front of the 9/11 commission, I was struck by our former counterterrorism tsar’s ability to deliver precise salvos of devastating sound bites. Witnesses may or may not back up his statements. If anyone can uphold the foundational policies of Security Governance, it is Mr. Clarke. And you have to admire a person who stands up for their beliefs, except when those beliefs begin to erode the management system for Security Governance.

The basic responsibility of management, in government or a corporation, is to protect assets. Risk and the enterprise are inseparable. Therefore, Security Governance requires a robust management system approach. For a corporation to survive and prosper, it must take security risks. A nation is no different. When management systems lack the correct controls to monitor and audit enterprise security risk, they expose precious assets to the threats that seek to undermine, damage or destroy our livelihood.

More...Risk for Security Governance

No comments:

Post a Comment