Balancing security with the demands of business

Security executives discuss trends impacting the industry at The Great Conversation

If there’s one thing that has been ingrained in the minds of security executives in recent years, it is the importance of being able to get a seat at the table with decision makers within their organizations. It’s simply not sustainable in today’s business landscape for security directors and their staffs to work in silos. While every organization wants to protect itself from the myriad physical and cyber risks it faces, the fact is that security practitioners are under ever-increasing pressure to demonstrate the value that they bring to their respective companies and to be able to speak the language of business. This point was hammered home at The Great Conversation event this week in Seattle, which brought together end users, integrators and technology providers from across the country.

“The traditional guns, gates and guards are a thing of the past,” Tim Rigg, chief security officer for Alcoa, said in one of the keynote addresses at the event.

According to Rigg, today’s security executive must be focused on enterprise risk management (ERM), business continuity and aligning their departments with the company’s vision. “This puts us in a much more proactive state than we’ve ever been,” he added.

In fact, Rigg said that risk has become more of an executive-level conversation, especially as ERM has become more intertwined with the bottom line. Increasingly, public companies are incorporating risk mitigation strategies into their 10-K filings, which provide an annual summary of an organization’s financial performance.

For those looking to transform security within their company, Rigg said that there must be a sense of urgency or else it is doomed to fail. While these transformations are not easy and don’t occur overnight, Rigg explained that security leaders need to take stock of the risks they face and get feedback from people in the field to learn what’s important to them in order to begin this process.

In a panel discussion on the state of the industry, Francis D’Addario, emeritus faculty member for the Security Executive Council and the former vice president of partner and asset protection for Starbucks, said that the velocities of risks, along with compliance and regulatory concerns, have all increased. As such, D’Addario said that it’s incumbent upon security leaders to have a firm grasp on the socio-economic conditions impacting their companies and be able to articulate those risks to the C-suite. “We have to be translators of that global risk condition,” he explained.

D’Addario said that it’s also a good idea to anticipate worst case scenarios, such as data breaches, because it helps both the security manager and the organization become more resilient. “Things go wrong and we have the ability to rebound,” said D’Addario.

In addition to being able to speak to business leaders at the highest level, Brian Tuskan, senior director of technology and investigations for Microsoft, emphasized during the panel discussion the need to have cohesion within an organization and how that can help prepare a business for the challenges and threats that may lie ahead. “The one thing that gave us an edge at Microsoft is organizational continuity,” he said.

Through planning and having this “organizational continuity,” Tuskan said that Microsoft, from a security perspective, was well prepared for the company’s recently announced acquisition of Nokia’s handset and services business.

When it comes to the technology front, Larry Trittschuh, executive director of threat management for General Electric, told attendees during the panel discussion that security leaders will be more successful selling solutions to senior management based on the business benefits they provide than on just how they help mitigate risks. “If we sell our initiatives as business projects… we will be more successful,” he said.
