ASIS International President Raymond T. O'Hara.
Security Technology Executive editor Steve Lasky recently caught up with current ASIS International President Raymond T. O’Hara, CPP, to discuss issues impacting the security end-user.
Here’s a look at what he had to say:
If you had to highlight two of the most critical issues facing an enterprise-level security director today, what would they be and why?
O’Hara: The two most critical issues facing today’s enterprise-level security director are globalization and virtualization — for the simple reason that businesses operate in a 24/7 global economy. Organizations of all sizes across the spectrum of vertical industry sectors are conducting business in emerging markets around the world. Even the smallest of companies with its domestic customer base finds itself sourcing products globally. The world has grown smaller and the economy more volatile. Organizations are challenged to do more with less, especially within the security function.
Rapid technological advancements have made it possible for organizations to access and communicate information 24/7 from virtually anywhere in the world. For the assembly plant in Des Moines waiting for product from its factory in China, critical status updates are virtually a click away at any point in time from any place in the world.
I spoke last week at an ASIS chapter event in Mexico City. Two ASIS members from the Costa Rican Chapter attended the event and streamed my keynote message and a one-on-one interview for those at home to view.
Globalization and virtualization are a reflection of rapid advancements in technology that are propelling businesses forward. Cloud computing, social media, and various tablets and hand-held devices with advanced software are just a few of the technologies and tools that support and enable these advancements — each of which poses risk to the organization. Enterprise-level security directors are in position to strategically examine and analyze these critical issues and their potential impact on the business.
We have been talking about the converging roles of security directors for almost a decade now. In your opinion, how crucial is this converged approach to security and risk mitigation at the enterprise level?
The convergence of traditional and logical security roles and functions is not only crucial, it is imperative for organizations to be competitive in today’s global marketplace. Increased incidents of complex and unpredictable security-related risks such as terrorism, data breaches, Internet viruses, theft, extortion and fraud require companies to develop a comprehensive approach to protect the enterprise.
Several factors — both internal and external — are driving the continual evolution of security convergence. A rapid expansion of the enterprise ecosystem as a whole is one of the main drivers. Enterprises are becoming more complex to compete effectively and efficiently in a global economy. Outsourcing to a third party, which has become common business practice for many companies, adds another layer of organization and additional security risks in most instances. Secondly, the greatest portion of value is shifting from physical to information-based and intangible assets. This brings about an even greater need to integrate traditional and logical information security throughout the entire enterprise.
With regard to technology, the blurring of functional boundaries of physical — or traditional security — and logical security persists. This trend was first seen in the area of access control technologies, which leveraged the network and merged the physical and logical aspects of security. The rapid advancement of IP technology has introduced new efficiencies in video and other traditional physical security and building operating management systems.
New regulations have certainly driven convergence, but one of the most significant factors impacting this trend is the continuing pressure to reduce cost. Convergence offers organizations new levels of effectiveness and efficiency in security operations. Globalization and virtualization both exist and thrive in a converged world and optimize new business opportunities for organizations.
In a recent survey we did among STE’s audience, they reported that IT management was a key decision-maker in the security technology implementation process. As technology continues to evolve, how is this IT relationship going to impact the role of the corporate security director?
The impact is obviously considerable…on both sides of the relationship. For organizations to effectively mitigate risk across the enterprise and achieve their business objectives, traditional and logical security practitioners must open the lines of communication and work in conjunction with one another. One of the most significant challenges posed to the evolution of the relationship is the knowledge gap that exists between the two fields of security. While the degree of separation varies from professional to professional and from organization to organization, it remains quite prevalent.
ASIS understands the challenges facing its members and the community of security practitioners around the world and has actively sought to identify educational and informational resources to prepare and support these transitional relationships. Where possible, ASIS has entered into both formal and informal partnerships to provide physical security directors and managers access to their logical security counterparts across the industry. To date, ASIS has had the opportunity to work with IT security-centric organizations such as ISACA, ISSA, and (ISC)2.
This year, as a result of a recently signed MOU, the first annual (ISC)2 Security Congress will be co-located with the ASIS International Annual Seminar and Exhibits in Orlando, Sept. 19-22. This important partnership is a reflection of the rapidly converging roles of traditional security and information security. Registrants of both events may attend educational sessions and networking events offered by each organization.
Technological advancements coupled with cross education and dual certification will serve to narrow the gap that exists today and new security practitioner roles will ultimately emerge.
What is the C-level expecting from its security department and how can they deliver?
The role and perception of the security director and his team has changed dramatically over the past decades. Once viewed as “overhead” and perceived as limited in function, business leaders have learned that knowledge and experience within the security function is a vital tool in an age of commerce marked by rapid development of a global marketplace, increased competition, economic pressures, tremendous technological innovations and more. Today, the security director is often called on to work alongside top company executives in an effort to not just protect and preserve assets, but to further business plans and increase the bottom line. It’s a far cry from the security director’s past realm, which is best summed up as “gates, guards, and guns.”
The C-suite has come to recognize that nearly all areas of the business can benefit from the inclusion of the security director who has become the essential leader in risk management across the entire enterprise. Now, a much-valued member of the “total” organization — the security director is a highly skilled individual with a defined role that can strategically influence a company’s future.
CEOs expect their CSOs or security directors to be strategic leaders and to understand the language of business. It is not enough to know business — security leaders need to actively engage in the business of their organization, act and think globally, and be skilled in marketing their security program.
To ensure current and rising CSOs have the required business knowledge, ASIS has partnered with the Wharton School and Northeastern University in the United States and IE Business School in Madrid, Spain, to develop and deliver customized executive education programs that prepare security professionals to meet the complex security challenges they face today with strategic business solutions.
What has been the most dramatic change in the role of security at the enterprise level since 9/11?
Without question new regulation and compliance regimes have most dramatically changed the role of enterprise security over the course of the past decade. As new threats emerge and business transactions become increasingly intricate, more complex regulations and compliance guidelines come forth.
One example is the Payment Card Industry Data Security Standard (PCI DSS). This set of security requirements applies to all companies that process, store or transmit credit card information, providing for a secure environment. Another example is the new security regulations being imposed on critical infrastructure facilities around the country. In this instance, compliance requires a significant and burdensome investment. As security professionals, it is important for us to work with regulatory agencies to reach guidelines that balance risk mitigation and the impact on the business environment.
When looking at how organizations have been impacted by new regulations since 9/11, it seems appropriate to note the trend among global organizations toward the development of risk management and resilience programs. While it is neither possible nor desirable to eliminate all risks, it is necessary for organizations to prioritize and determine a risk strategy to cost-effectively establish adaptive, proactive, and reactive approaches to control risks. To adequately manage the risks of disruptive events and assure resilience, organizations must engage in a comprehensive and systematic process of prevention, protection, preparedness, mitigation, response, continuity, and recovery.
In 2009, ASIS published the “Organizational Resilience: Security, Preparedness and Continuity Management Systems - Requirements with Guidance for Use Standard.” This standard provides steps necessary to prevent, prepare for, and respond to a disruptive incident to manage and survive the event and take actions to ensure the organization's resilience. The standard was adopted by the U.S. Department of Homeland Security (DHS) for the DHS Private Sector Preparedness (PS-Prep) Program. It is available for free download at www.asisonline.org.