In a recent security barometer quick poll conducted by the Security Executive Council (SEC), respondents were asked what they thought would be the single most meaningful metric to have for their security function. The overwhelming selection – almost four to one -- was to achieve a “measurable reduction of targeted risk attributable to security initiatives”. It seems to me that the appeal of this metric reflects our struggle with the proof of value challenge and how to demonstrate a clear connection between our expenditures and an equal or better return on security investments.
This metric reflects this struggle. The manager confronted with the security events we see in this chart knew that making real reductions in these trends required discipline in uncovering the root causes of each incident, then developing specific plans to attack the vulnerabilities uncovered, and finally tracking results to ensure real elimination of the risks rather than a temporary lull in the exposure. He believed that the value story would follow this disciplined approach.
Note that there is a 24-month duration covered in this chart. The story here is about connecting the dots, not about isolated one-offs. If you really look at the five measures this security manager selected for his pitch, which one stands out as the most indicative of the problem at this company?
The correct one is, the “documented and unaddressed high risk vulnerabilities!” This manager hasn’t been asleep at the wheel; he has been out there investigating and learning with an aggressive risk assessment program. His organization learns by thoroughly investigating what has happened after an event and using this data to direct proactive probing and assessing the effectiveness of the company’s safeguards and internal controls to identify exploitable gaps in protection.
The learning here is that these multi-site security events reflect a systemic lack of engagement by business unit management. This is a clear common denominator and a root cause linking these costly enterprise security risks. To be sure, there is a lack of local security awareness here as well, but it’s much more about the failure of business units to take real ownership of people and asset protection. Consider the summary facts:
The South Production plant has a variety of labor issues boiling that have fed those engaged in vandalism and theft. Security had repeatedly recommended a mitigation strategy and management finally agreed to increase hours for directed patrols and surveillance of security coverage in mid and late shifts.
- Both of these tactics combined to successfully close a series of incidents here and gain recoveries.
- The laptop thefts and thefts of personal and company property at multiple leased locations also reflect absence of local management’s discipline for security policy regarding access control and information protection standards; never mind the risk to employees from uncontrolled access.
- Workplace violence at Plant 3 is about the total lack of established connection between first line supervisors, human resources and local management to address a set of protocols proposed by Corporate Security and Legal Counsel to investigate and mitigate these events.
The most telling fact in this story is that Security had alerted management in multiple risk assessments that had gone unaddressed in spite of quarterly reporting on lack of remedy. Security Director’s objective with this presentation was threefold:
To use this chart to demonstrate the power of a collaborative, engaged and accountable process of enterprise risk management.
- To provide evidence of a persistent effort to proactively address known risks and show the value of these efforts.
- To seek approval for moving the matter of quarterly unaddressed risk assessment findings to the Audit Committee for compliance review.
All three were accepted by the CEO. And that is the real story.
