What Keeps You Up at Night?

Oct. 27, 2008
We believe the 9/11 attacks revealed four kinds of failures: in imagination, policy, capabilities, and management.

- The 9/11 Commission Report

It is perhaps America's failure in imagination, as the 9/11 Commission called it, that continues to keep security professionals from every industry on their toes and thinking well into the wee hours of the morning. A directive to protect the company's reputation and thereby shareholder value lies heavy on the hundreds of CSOs, CISOs and security directors now responsible for everything from physical threats to cyber threats, to threats that haven't yet surfaced.

What keeps most security professionals up at night? The challenges are far reaching.

Mitigating Shifting Risks

One security professional who works in the financial services market said that one of her biggest challenges is “ensuring that my existing resources are adequately covering each of my locations of responsibility. When, not if, an emerging event occurs, each location [should] respond consistently and professionally to address the issue or situation.”

Dennis Treece, director of corporate security for the Massachusetts Port Authority (Massport), must work hard to mitigate potential risks that could have devastating effects on millions of people. Massport is responsible for developing, promoting and managing airports, the seaport and transportation infrastructure. Security is so important to the organization that Treece reports directly to its CEO. “I brief the board personally at all our board meetings. The chairman of our board is also the chairman of the board's security committee, of which I am a member,” he said.

Funding and Support

Massport understands the challenges that safety and security must contend with, and the organization funds initiatives appropriately. “We spent 14% of gross revenues last year on security, both capital and operating expenditures,” said Treece. “This is an extraordinary statement about the commitment of the organization to security.”

Not all of Treece's counterparts are so lucky. One corporate security director said proper funding to address issues was slow in coming, but added that positive changes were on their way.

“Who wouldn't like to have an open checkbook?” said Chris Berg, senior director of corporate security for Novartis, a leading pharmaceutical company. “All in all, I think our funding is reasoned and metered, and well in line with the appropriate application of security for our business. I'd say our funding is in direct proportion to our ability to appropriately justify, occasionally educate and routinely provide reasonable business solutions for the company.”

Others feel their budgets may hinder them from properly securing the corporation. Some, like the director of security for a financial company, are challenged in achieving “an adequate budget to not only maintain but upgrade and expand our capabilities with emerging technology.”

Corporate Reputation and Mission

Novartis was named one of the world's most admired companies by Fortune magazine last year. Attention to the corporate character is a priority Berg takes seriously.

“From a pure security standpoint, almost all of the high-risk/high-value issues and incidents that we see every day can impact the company's reputation and ultimately shareholder value. Protecting our reputation and shareholder value is the big picture, is a key focus,” said Berg.

Ensuring that corporate security is aligned with the overall business mission is another issue that many security professionals see as a fundamental component in an effective security program.

“We are very fortunate to have a seat at the table with our executive team,” said Berg. “Not all organizations get that opportunity. In my opinion, that seat at the table is essential if you're to be successful in helping management mitigate risk for the corporation.”

Convergence Concerns

The security programs in many corporate sectors are in a state of flux. Some companies are merging physical and IT security to centrally address the risks coming from both sides. “I (act as) both the CSO and CISO. Fortunately, I have experience in both the physical and the virtual security arenas,” said Treece.

Many security directors do work on day-to-day operations with their IT counterparts, maintaining a good working relationship. While most companies have not moved toward converging the physical and IT security directors' roles into a single security executive title, most companies do admit the ongoing need for monthly meetings.

Some security executives, like Treece, have dotted-line supervision and input into IT security policies.

Regulation and Compliance

The U.S. government's corporate security regulations are impacting organizations in various markets. Such directives are a mixed blessing; they often mean policy and technology overhauls, but they also mean greater protection and better security. Still, many are seeing their budgets suffer.

Treece has seen some sectors more impacted than others. “New federal security directives and the post-9/11 security imperatives have had an enormous impact on security roles and missions and costs for every critical infrastructure sector in this country, and particularly with aviation.”

Thinking Globally

For Novartis, like many global companies, a critical challenge goes beyond U.S. compliance and regulation. Berg sees a need to “think globally and act locally.” The company has operations in 140 countries.

“As we grow and enter emerging markets and new geographies, we will always have a lot to learn,” said Berg. “Factor into that the new business challenge itself, new governments, changing or new compliance requirements and regulation as well as what may ultimately be the key factor in success, understanding the culture and its impact to the business.”

Are We More at Risk?

“Every organization is at more risk than before 9/11,” said Treece. “The difficulty is in determining how much more risk, of what type, and what to do about it.”

With the need for new security initiatives, directors are educating employees about potential threats. “We are a much higher-profile company [post 9/11],” said a senior corporate security director. “However, we have significantly increased overall associate awareness and provided a solid, comprehensive security plan.”

“Anecdotally, I'd say that as the company grows, markets emerge and we enter new geographies, our risk grows,” said Berg. “The key here is, do we effectively mitigate it? I believe there is more risk out there, but I believe we are doing a better job at mitigating it.”

But each enterprise is unique and requires ongoing analysis. “Where federal or state regulations have mandated certain actions, the choices are easy. Where there is no such guidance from regulatory agencies, each business is left to build its own business cases based on its own analysis of its vulnerabilities and the consequences of hostile actions against them,” added Treece.

Pass the coffee.

Kathy Scott is a freelance writer located in Georgia. She is a frequent contributor to Cygnus Security Group publications.