Objective: To inform key constituents of the causes of loss in key areas.
Results Sought: Increase management's awareness of the actions and situations that contribute to security-related incidents. Boost the business units' accountability for improved risk management. You want this presentation to lead to some tangible demonstration that we have learned from our mistakes and that business units are taking ownership of the protection of corporate assets.
Where is the data? If you have an ongoing program of incident post-mortems or lessons-learned analysis, you should already have the useful, actionable data needed to create this chart. If you don't have such a program, now is the time to launch one.
Risk Management Strategy : You report on losses due to various incidents. What have we learned from these incidents? How and why did they occur? How can we reduce our loss experience?
Charting security-related losses is a bland exercise. Instead, this chart attempts to plot some of the knowledge we gain from events, to make the point that lack of security and inattention to policy have consequences. The five categories in our sample graph could easily consume a half-hour to hour-long presentation on what has occurred, what we have learned as a result, and what is being done to address the problem. For example, in “Loss due to failure to address known vulnerability,” the key word is “known.” The risk had been previously identified, but corrective action obviously was not taken. Who failed to follow up? What process should be in place to better ensure attention to known risk?
This is not about taking prisoners; it is about learning to avoid future risk.
George Campbell is emeritus faculty of the Security Executive Council and former CSO of Fidelity Investments. His book, Measures and Metrics in Corporate Security, may be purchased through the Security Executive Council Web site, www.csoexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the Security Executive Council and reprinted with permission. All rights reserved.