Security Technology Executive, May 2007
Identify Five Top Security Concerns
Objective: To make senior management aware of the key issues that keep the CSO up at night, to underscore fundamental vulnerabilities and to eliminate plausible deniability.
Results Sought: This is about fulfilling the CSO's obligation to inform, to be a positive change agent and to establish a proactive security program that is connected to business strategy. It has to start with telling it like it is. The CSO wants to engage discussion on how to reduce these risks of significant concern and to obtain buy-in on policy reinforcement or sanctions for non-conforming business units.
Risk Management Strategy: In our hypothetical example, which is the basis for the chart above, a new CSO has recently taken over the organization's security program. It is obvious that this security organization has been highly proactive at assessing risk, but it is equally obvious that this CSO's predecessor was asleep at the switch.
An ongoing risk assessment process is the cornerstone of an effective security program. What we see here are the consequences of failing to act on an assessment's results. Moreover, it is clear that security has not previously been aligned with business strategy. The results are potentially very serious, given their breadth and depth.
Non-security upper management has not taken notice of these notable threats and vulnerabilities, and the security organization has never before pushed back to ensure awareness. In this risk-unaware environment, the organization has failed to conduct risk-based due diligence in both leasing and outsourcing. This is exacerbated by other business units refusing to share the responsibility by assessing the risks they own, and thus failing to intelligently manage access to highly sensitive assets.
The CSO has made line units aware of his concerns and recommendations. They have not effectively responded, so he has decided to take the matter to the CEO and audit committee.
This is a risky step for this new CSO -- he may alienate many of his key constituents or be seen as “Chicken Little.” He is confident that he has given adequate notice to business units, but has not received appropriate acknowledgement of risk or of the need for an improved state of security. He may be seen as incapable of effectively influencing these business unit managers.