A clash of cultures in three distinctly different corporate departments is hindering companies in their attempt to upgrade their worldwide security efforts, concludes a report released today by The Conference Board. The report is based on The Conference Board's ongoing research and discussions with top-level security experts at major corporations.
Security functions are scattered among a trio of corporate "silos": physical security forces, security personnel in information technology units, and risk management executives. Many firms are finding it difficult to effectively coordinate and control urgently needed security activities among these departments, with many major decisions made by middle managers.
"To effectively manage their total security needs, companies must bridge this clash of cultures and create a common frame of reference for this function," says Tom Cavanagh, The Conference Board's corporate security specialist. "Walling off assets produces silos on the organization chart and it also produces a culture in which vital information may be hoarded rather than shared. As the Federal 9/11 Commission has found, the consequences of organizational silos and information hoarding within the government can be dire indeed. Similar problems often bedevil the private sector."
The primary responsibility for keeping companies secure is divided among employees responsible for protecting people, goods and facilities, protecting company data and communications networks, and protecting company finances. Managers in these three different company units have distinctly different backgrounds and differing degrees of authority and prestige in their companies. Often, they do not communicate readily with each other.
Cops, Geeks and Bean Counters
Physical security specialists are usually recruited from law enforcement agencies and the military and are trained to respect authoritarian command structures. Security units in information technology departments are embedded in the overall IT structure, where innovation and privacy are often admired. Risk managers have financial backgrounds and are largely responsible for maximizing corporate returns, minimizing costs and avoiding losses.
These three units also have different reporting relationships. Physical security is often lodged in middle management and reports to operations managers at the business unit or facility level. Risk management is run by actuaries who generally report through a chain of command to chief financial officers. IT security is vital to all areas of global companies since it manages day-to-day operations.
Says Cavanagh: "Corporate security exists in three different worlds: the realms of cops, geeks and bean counters. Simply getting them to communicate with one another, without a translator, can be difficult."
A Need for Coordination and Cooperation
Despite the widespread differences among these three departments, they have many common denominators. "Security is about defending assets," notes Cavanagh. The key to improving corporate security is getting all three areas to cooperate to ensure that security is an integral part of the company's overall mission.
The report points out that security is not only about protecting against potential loss. "It is about enabling managers to take advantage of opportunities without assuming undue risk," Cavanagh adds. "The message from the C-suite to the security director is: don't tell me no, tell me how."