New Threats Prompt New Integrator Services

May 16, 2016
Traditional firms like Aronson Security Group are responding to market demand with separate Security Risk Management Services (SRMS) offerings

Since the Sept. 11 attacks, the overall context of global business has reshaped how security and risk are perceived. The emphasis has moved past technology solutions — where the ultimate goal was to prevent or deter incidents — to more of a consultative tack. Mitigating risk in today’s business environment means helping C-level executives assess and calculate risk, then providing them with enough data to make an informed decision about the level of risk they figure the business can assume.

With the landscape of risk mitigation evolving into a multi-disciplined exercise involving business units, IT and security, traditional systems integration firms like Seattle-based Aronson Security Group (ASG) are taking bold steps to better serve the market, by creating a separate Security Risk Management Services (SRMS) group within its company. Moving beyond its traditional systems integration and consulting offerings, ASG will provide research, assessment and strategic planning to end-user clients and also work with technology vendors to help them better understand market needs.

“We have succeeded because we listen to what the market is saying and how it is behaving,” explains Phil Aronson, President and CEO of ASG. “For example, security executives were saying that the Value Added Reseller's place in the industry was to share information about the products they represented and then install them if the customer accepted the value proposition; however, what they really needed was help in creating a program that was valuable to their company while mitigating the risks.

“This would require a business process mindset,” Aronson continues. “We are seeing security executives realizing that the risk strategy is sub-optimized because of the silos within their own company. A 360-degree picture of their program and the risk is needed. At the same time, they turn to their service providers and see a mirror image. So they have a conundrum yet to be solved. A new category of service provider must emerge. And so we evolve once again to meet an expressed and unexpressed need in the market.”

While doing their due diligence and research for this shift in the ASG profile, Aronson, and his two principals in this venture, William Plante and Wendi Walsh, considered the drivers that were forcing CSOs and C-suite executives to reassess their risk picture and response. When asking the question of “what keeps you up at night”, four responses were constants:

  • We do not have the budget or the resources to hire all the subject matter expertise we need to drive to a 360-degree program;
  • We need a process that helps us lead innovation and change in our people, processes, and technology;
  • We need measures of performance that help us continuously improve our program and that are meaningful to our business counterpart; and
  • We need innovative new ways to deliver our services faster and cheaper.

There is no denying that technology migration and the move to more IT-centric security systems have also helped change the risk paradigm within an organization. Plante, a 25-year security management veteran and the former CSO of Symantec, says that as the rapid progression of technology continues and organizations embrace more and complex solutions in the cloud and in-house, the threat risk increases. But taking a balanced approach to assessing and reacting to risk is crucial.

“Balance is an agreement between stakeholders and contributors as to what the balance point is," Plante says. "Complexity is a large number of simple things brought together, so managing risk-related technology is an exercise of ensuring all the stakeholders have a clear understanding of their role and requirements, and to establish and maintain operational rigor over systems management. Adopting a rigorous data, application, and network design for a physical security systems program via the enterprise InfoSec team is highly recommended.”  

Alignment with the business values and drivers is certainly a critical element of managing risk at the enterprise level. As a former CSO of Amazon.com, Ed Bacco — who is heading up the new Enterprise Security Risk Group for ASG — is very familiar with creating metrics and assigning risk value to the C-suite. Bacco admits that as the security profession has matured and aligned itself more with the risk side of the business, understanding who owns risk and how to react to threats remains a work in progress. That is one of the drivers for ASG’s approach.

“If you ask security executives ‘who owns the risk in your organization’ — many of them will respond like I did when I first became a manager by saying that they do themselves,” Bacco says. “But in reality, we do not own risks such as the loss of cash, a breach of contract with a compliance agency or even the safety of the work environment; these risks are most likely owned by the CFO, HR or Chief Lawyer. Aligning the risk with both its owner and with the business drivers will increase the support of the security programs.”

Editor's Note: Read the full version of this article at www.securityinfowatch.com/12191043. 

 

Steve Lasky is the Editorial Director of the Southcomm Security Group, which includes SD&I, SecurityInfoWatch.com and Security Technology Executive magazine. He is also the Director of the Secured Cities Conference (www.securedcities.com).