Objective: To make senior management aware of the key issues that keep the CSO up at night, to underscore fundamental vulnerabilities and to eliminate plausible denial.
Results Sought: This is about fulfilling the CSO's obligation to inform, to be a positive change agent and to establish a proactive security program that is connected to business strategy. It has to start with telling it like it is. The CSO wants to engage discussion on how to reduce these risks of significant concern and to obtain buy-in on policy reinforcement or sanctions for non-conforming business units.
Risk Management Strategy: In our hypothetical example, which is the basis for the chart above, a new CSO has recently taken over the organization's security program. It is obvious that this security organization has been highly proactive at assessing risk, but it is equally obvious that this CSO's predecessor was asleep at the switch.
An ongoing risk assessment process is the cornerstone of an effective security program. What we see here are the consequences of failing to act on an assessment's results. Moreover, it is clear that security has not previously been aligned with business strategy. The results are potentially very serious, given their breadth and depth.
Non-security upper management has not taken notice of these notable threats and vulnerabilities, and the security organization has never before pushed back to ensure awareness. In this risk-unaware environment, the organization has failed to conduct risk-based due diligence in both leasing and outsourcing. This is exacerbated by other business units refusing to share the responsibility by assessing risks they own, thus failing to intelligently manage access to highly sensitive assets.
The CSO has made line units aware of his concerns and recommendations. They have not effectively responded, so he has decided to take the matter to the CEO and audit committee.
This is a risky step for this new CSO -- he may alienate many of his key constituents or be seen as “Chicken Little.” He is confident that he has given adequate notice to business units, but has not received appropriate acknowledgement of risk or of the need for an improved state of security. He may be seen as incapable of effectively influencing these business unit managers.
It is also risky in that he is taking his first steps toward testing the willingness of top management to buy into security's risk assessment processes and demand change. But these vulnerabilities are too serious to remain unattended, and management's lack of accountability must be challenged. He has no alternative but to escalate.
Where Is the Data? The data is in the design and findings of the multiple risk assessment processes at play here. For example:
• Data maintained by security operations on regional risk assessments or travel briefings;
• The inventory of business units with completed risk analyses;
• Background investigations data;
• Procurement data on outsourced business processes; and
• Security operations review of facilities containing highly confidential data.
George Campbell is emeritus faculty at the Security Executive Council. For more information, visit www.csoexecutivecouncil.com.