Balancing security with the demands of business

March 6, 2014
Security executives discuss trends impacting the industry at The Great Conversation

If there’s one thing that has been ingrained in the minds of security executives in recent years, it is the importance of getting a seat at the table with the decision makers in their organizations. It is simply not sustainable in today’s business landscape for security directors and their staffs to work in silos. While every organization wants to protect itself from the myriad physical and cyber risks it faces, the fact is that security practitioners are under ever-increasing pressure to demonstrate the value they bring to their companies and to speak the language of business. This point was hammered home at The Great Conversation event this week in Seattle, which brought together end users, integrators and technology providers from across the country.

“The traditional guns, gates and guards are a thing of the past,” Tim Rigg, chief security officer for Alcoa, said in one of the keynote addresses at the event.

According to Rigg, today’s security executive must be focused on enterprise risk management (ERM), business continuity and aligning their departments with the company’s vision. “This puts us in a much more proactive state than we’ve ever been,” he added.

In fact, Rigg said that risk has become more of an executive-level conversation, especially as ERM has become more intertwined with the bottom line. Increasingly, public companies are incorporating risk mitigation strategies into their 10-K filings, the annual reports that summarize an organization’s financial performance and the material risks it faces.

For those looking to transform security within their company, Rigg said that there must be a sense of urgency or else the effort is doomed to fail. While these transformations are not easy and don’t occur overnight, Rigg explained that security leaders need to take stock of the risks they face and get feedback from people in the field about what matters to them in order to begin this process.

In a panel discussion on the state of the industry, Francis D’Addario, emeritus faculty member for the Security Executive Council and the former vice president of partner and asset protection for Starbucks, said that the velocity of risks, along with compliance and regulatory concerns, has increased. As such, D’Addario said that it is incumbent upon security leaders to have a firm grasp on the socio-economic conditions affecting their companies and to be able to articulate those risks to the C-suite. “We have to be translators of that global risk condition,” he explained.

D’Addario said that it’s also a good idea to anticipate worst case scenarios, such as data breaches, because it helps both the security manager and the organization become more resilient. “Things go wrong and we have the ability to rebound,” said D’Addario.

In addition to being able to speak to business leaders at the highest level, Brian Tuskan, senior director of technology and investigations for Microsoft, emphasized during the panel discussion the need for cohesion within an organization and how that can help prepare a business for the challenges and threats that may lie ahead. “The one thing that gave us an edge at Microsoft is organizational continuity,” he said.

Through planning and having this “organizational continuity,” Tuskan said that Microsoft, from a security perspective, was well prepared for the company’s recently announced acquisition of Nokia’s handset and services business.

When it comes to the technology front, Larry Trittschuh, executive director of threat management for General Electric, told attendees during the panel discussion that security leaders will be more successful selling solutions to senior management based on the business benefits they provide than on just how they help mitigate risks. “If we sell our initiatives as business projects… we will be more successful,” he said.

With the continued convergence of IT with physical security, Trittschuh said he also believes that the environment is changing for CSOs in how they work with their counterparts in the IT department. Rather than just focusing on managing bandwidth for IP cameras, he said that CSOs are going to have to work with their company’s IT leadership to deliver complete solutions in the future.

Government’s role is fostering public-private partnerships

Since 9/11, the federal government has taken an increased role in the protection of the country’s critical infrastructure assets. While the recent sniper attack at a power substation in California has brought attention back to the threat of terrorists being able to cripple access to vital services like electricity, Caitlin Durkovich, assistant secretary for infrastructure protection with the U.S. Department of Homeland Security, said the challenges facing the operators of critical infrastructure are vast.

Durkovich, who delivered the afternoon keynote address, said that extreme weather and climate change are posing a greater risk to a variety of critical infrastructure sites, as storms that were once relatively mild have become more intense. She also pointed out that much of the nation’s infrastructure is aging and that the demands modern-day society places on things like water delivery systems have far surpassed what their original builders could have imagined.

Last but certainly not least is the threat of a cyberattack against any one of the nation’s critical infrastructure sites that could significantly disrupt the delivery of essential services. Through an executive order and an accompanying presidential policy directive issued last year, President Barack Obama directed DHS to update the National Infrastructure Protection Plan and directed NIST to develop a baseline framework of cybersecurity best practices, which DHS is charged with encouraging operators of critical infrastructure assets to adopt voluntarily.

Durkovich said the ultimate goal of DHS is to develop and foster relationships with partners in the private sector to help them mitigate their risks, whether through conducting threat assessments or sharing information. “You’re only as resilient as your weakest link,” she said.