The SecureWorld Expo was in Atlanta the last two days, as part of a multi-city tour that heads next to Philadelphia (May 16-17). It's a show that covers both physical and IT security, though the focus is probably about 80 percent information security, 20 percent physical security. The program ranges from sessions on computer forensics to network video, from economic espionage to how Google can be used to help hack. Part of the program is presented by Security Technology and Design and the Security Executive Council (formerly the CSO Executive Council). On Wednesday, one of the sessions was on the topic of unifying risk oversight.
The goal was to share tips, thoughts and strategies in creating a unified risk management program. In attendance were CSOs, directors of information security, and security/risk consultants. The chief concern voiced by all in attendance was that as corporate became more interested in security and risk, there was a broadening of how you need to look at risk. Too often, many said, departments look at risk only through their own stovepipe approach, ignoring how their risk relates to other risks and departments and corporate goals as a whole. During the program, which ran roughly one-hour, there were, I thought 10 key tips/theories about risk oversight that SecurityInfoWatch.com readers would want to see. From how to gain windows into other departments, to how to move from being seen as security, to becoming risk-focused, here's what our round-table members had to say:
1. Business resiliency is the terminology of today - "resiliency" is the buzzword you're sure to hear. In fact it's being addressed in Washington by the Council on Competitiveness, which is saying this business focus will largely be managed by the new generation of security.
2. In managing risk, you have to think about how you transfer risk. Notably, our panel concluded that you have to properly decide which risk management you want to transfer, and which is easier to manage in-house.
3. Senior security managers will face a challenge of being only as security managers, and not as those who handle risk. As you unify oversight into whole-business risk, you need to move beyond solely being seen as security (whether that's gates, guns, and guards....or firewalls, passwords and network access control). For the C-suite, risk is more important than "security".
4. One of the best ways to manage risk and create oversight onto all areas of company risk is to create windows into other processes. That may mean anything from regular security audits to having sign-off rights on new policies, or review of documents and agreements that could add additional risk to your organization.
5. Security is out of date for most departments; risk has become the new paradigm for corporate America.
6. One of the main challenges in overseeing risk is how you will hold your different organizations accountable, put risk metrics on them and ensure adherence to policies. Some risk managers are adding risk metrics into managers' bonus plans. 7. Part of risk oversight is defining your company policies. One thing to keep in mind is that a policy is different from a goal. A policy is something you can monitor and enforce, whereas a goal is something you aspire to. Why is this brought up? Because if you are not complying with your own policies, you may be opening yourself and your organization up to legal issues.
8. Understand how risk is understood around the world. In the U.S., some think of risk only as a component of insurance. In Europe, however, risk is more equivalent to life safety.
9. To create an organizational culture that understands risks, you have to have them want to come to you. Sometimes you have to be the adviser, not the prescriber. "I could create reports on our company's risk all day long and those reports would be great, but no one would read them. I have to target the other managers and develop our program in such a way that they will come to me and ask about our risks", said one senior level security director.
10. Risk and security are changing where they report. More and more businesses are seeing a trend where risk and security report to the legal department.
