Security incidents offer unique opportunities to drill down and identify a finding or two that can be used to demonstrate to management that we are not simply responding but digging for root causes of business risk. The message in this simple example is not the cost of one employee gone bad, but the need to set clear expectations for doing the right thing and to use commonsense controls to test for conformance.
George Campbell is emeritus faculty of the Security Executive Council and former CSO of Fidelity Investments. His book, "Measures and Metrics in Corporate Security," may be purchased through the Security Executive Council Web site. The Security Executive Council is an innovative problem-solving research and services organization that works with Tier 1 Security Leaders to reduce risk and add to corporate profitability in the process. A faculty of more than 100 experienced security executives provides strategy, insight and proven practices that cannot be found anywhere else. Through its pioneering approach of Collective Knowledge, the Council serves all aspects of the security community. To learn about becoming involved, e-mail firstname.lastname@example.org or visit www.securityexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the Security Executive Council and reprinted with permission. All rights reserved.