Companies Most Vulnerable to Threats Making Strongest Business Cases

NEW YORK, Nov. 1 -- Companies most attuned to security issues are those with the most exposure to a broad range of security risks, according to a survey by The Conference Board, sponsored by the U.S. Department of Homeland Security.

The Conference Board report Navigating Risk: The Business Case for Security is based on a survey of 213 senior corporate executives not specifically responsible for security or risk matters and not chief information officers. The survey was designed to gauge the role and influence of security managers among general senior executives.

The surveyed companies most concerned with security are companies in critical infrastructure industries (including energy and utilities, chemicals, and transportation), large corporations, multinationals with global operations, and publicly-traded companies.

The report describes an analogous pattern with regard to the specific executive functions that are regarded as most supportive of security initiatives inside companies that participated in the survey. Not considering security directors themselves, the executives most supportive of security matters are those in risk-oriented positions, such as CIOs, risk managers, and compliance officers.

But there is a strong disconnect between the level of support for security initiatives and the level of influence over security policy within the companies surveyed. In general, the most supportive executives were not the most influential, and the most influential executives (senior C-suite managers) were not the most supportive. In addition, most senior executives surveyed reported that they have little direct responsibility for most aspects of security. Security is an area with a lot of dotted-line relationships, so senior executives are often heavily involved in specific security decisions even though they are not directly accountable for them.

"Security directors appear to be politically isolated within their companies," says Thomas Cavanagh, Senior Research Associate in Global Corporate Citizenship at The Conference Board and author of the report. "They face a challenging search for allies when they need to gain support from upper management for new security initiatives."

ALIGNMENT WITH BUSINESS OBJECTIVES

Executives were asked how effectively their company's security was aligned with their company's business objectives -- in other words, to what extent their own company's security operation contributes to accomplishing the firm's overall mission in the marketplace.

The most effective alignment was found on issues of operational risk, such as complying with government regulations (cited by 79%), protecting confidential information (74%), meeting certification standards (72%), and maintaining business continuity and ensuring customer safety (both 71%). Limiting financial risk (62%) and defending against litigation (60%) are also viewed as areas in which security is effectively aligned with corporate functions.

But companies reported less alignment of security with long-range strategic objectives of the firm. For example, among senior executives, 56% see their company's security operation as effectively aligned with the need to keep pace with competitors, and half of the sample believe security has been effective in reducing insurance premiums. Much lower proportions saw security as contributing toward enhancing the value of the brand (44%), managing the supply chain (36%), or pursuing new business opportunities (35%).

"At one level, these results are perhaps surprising and a bit disappointing, since they suggest that security remains a function that is mired in operations in the eyes of senior executives," says Cavanagh. "But if security executives could successfully relate security initiatives to the competitive posture of the firm -- for example, enhancing the appeal of the brand -- they might be able to bolster the case for such initiatives as part of a long-range strategy, giving them more prominence in the thinking of the board and the firm's senior management."

In critical infrastructure industries, 87% of the executives surveyed see effective alignment of security with compliance needs, compared with 70% in the non-critical industries. Similar gaps are seen with regard to protecting confidential information (77% effective alignment in the critical industries vs. 69% in the non-critical industries), meeting certification standards (77% vs. 65%), maintaining business continuity (75% vs. 68%), and keeping pace with competitors (60% vs. 54%).

CAN SECURITY PROGRAMS BE MEASURED?

The search for effective metrics has become an essential part of the management process in security as in other aspects of corporate life. Increasingly, security directors are asked to present metrics to senior management to establish a business case for undertaking security expenditures.

"Unfortunately, the measures available for analyzing the effectiveness of corporate security tend to be much less sophisticated than those that have been developed for other corporate functions such as finance, human resources, and information technology," says Cavanagh.

Survey participants say the most useful metrics for determining the appropriate level of security spending in their companies are those that enable executives to determine how much a security problem would cost the firm in terms of liabilities or lost business.

The most helpful metrics were the cost of business interruption, cited by 64% of executives; vulnerability assessments (60%); and benchmarking against industry standards (49%). Another group of helpful metrics was explicitly related to insurance costs, such as the value of facilities (44%), the level of insurance premiums (39%), and the cost of previous security incidents (34%).
