Integrated security frameworks help mitigate risk

March 7, 2016
Industry experts discuss topic in-depth at SEC's Next Generation Security Leader event

There has been an increased push by security executives across various disciplines and vertical markets in recent years to transform the C-Suite’s perception of security departments as being reactive cost centers into proactive business enablers. The challenge for today’s CSO, however, is in trying to mitigate the myriad risks presented by an ever-evolving threat landscape while at the same time meeting the goals and expectations of management. Although high-profile incidents, such as data breaches, terror attacks and the like have demonstrated the importance of having a robust security program, many security executives still struggle to adopt an all-hazards risk framework that not only adequately addresses the threats they face but also articulates the value of security to the organization as a whole.   

The development of these frameworks and the various risk factors security executives should take into account when adapting them to their own companies was one of the major themes of the Security Executive Council’s Next Generation Security Leader event that was held last week in Atlanta. Security leaders from across North America gathered for the two-day event to network and learn from their peers about how to best advance the role of security practitioners in both the public and private sectors.

Bob Hayes, managing director of the Security Executive Council, said that during his time as the CSO of Georgia Pacific and as security operations manager at 3M, he wasn’t as much focused on where his program was at or where it had been, but rather where it was going. Hayes explained there are several trends which are, in essence, creating a requirement for today’s security leaders to have a plausible framework in place to figure out how they are going to drive their risk mitigation plans throughout the organization. Some of the trends identified by the council include; corporate/organizational change; the global risk landscape (increased risk of terror attacks); crime (rise of cyber-attacks and the proliferation of malware); technology; economics; security sector changes (changing dynamics and knowledge required to protect different industries, acquiring and retaining talent); and increased emphasis on organizational excellence.

“I will tell you that San Bernardino and the Paris attacks are having an impact on programs not related to shooting, shooters or anything else. This global risk landscape is impacting us,” Hayes said. “I think if we have a few more of these international incidents, you’re going to see people not want to do international travel. We’ve received calls from people saying, ‘we have employees saying they will not take a trip overseas right now after the Paris attack because they said they don’t feel safe.’” 

In the evolving threat/risk paradigm for today’s security leaders, Hayes believes the thing that has changed the most from past years is management’s knowledge and expectation of security.

“Invariably, at least in my experience, wherever I have the best programs, the best penetration, the best security coordinators, the best trained people, was never where the incident occurred,” Hayes told attendees. “It always happens at your biggest Achilles heel and then you’re playing catch up trying to explain why things happened.”

When it comes to developing innovative approaches for modern day security programs, Delta Airlines is at the forefront of the conversation. Randy Harrison, Delta’s managing director of corporate security, has taken the bold step of integrating his security management system with the airline’s safety program. The idea to take the flight safety framework and integrate it with security actually originated with one of the other senior leaders at Delta several years ago and, according to Harrison, it was met with much resistance in the beginning from his perspective. Although, as Harrison pointed out, security risks are driven by malicious actors through calculated actions while safety risk is driven by unintended consequences, there are still ways to align security with safety and vice versa.   

“I said, ‘We’ll do it, I’ve got it, I understand and we will take on the challenge.’ It’s around a four pillars: policy, risk management, security promotion and security assurance. I learned from that exercise because as I began to map things to these pillars, it very quickly became evident where we have holes in our security management system,” explained Harrison. “For example, with policy, you’ve got all of the documentation not only from a corporate perspective but from a departmental perspective; budget, goals and objective; key indicators; roles and responsibilities; and, authority. How do you measure your risk, how do you quantify your risk and how do you communicate your risk within a 4x4 matrix? What does your senior-level leadership understand? How do you articulate it, how do you quantify it but more importantly, what are your mitigation strategies?  It also drives into various programs; kidnap and ransom, travel programs and all of those things that we began to list out and put within these four pillars.”

Today, Harrison can qualify threats across more than 100 international locations using the threat matrix they’ve developed based off of this framework. “That is a part of our management system today, but it is all driven by us as a security organization,” said Harrison. 

While the airline is obviously obligated to have a comprehensive security management program in place due to industry regulations, Harrison said he and his team want to stay ahead of regulations because just taking a government compliance checklist approach to security is simply not good enough in this day and age.

“We have a lot of regulations that we have to comply with; I think there is a great opportunity for us to begin driving those regulations instead of the government driving us. I don’t say that negatively, but it is more efficient from our perspective,” said Harrison.

From an IT security perspective, Herbert Mattord, Ph.D., CISM, CISSP, assistant chair and associate professor of ISA at Kennesaw State University, said while frameworks may have various origins – laws, regulations, standards, etc. – security practitioners have to be careful not to fall into the trap of thinking that just because they may be in compliance with a certain framework that their organization is secure.

“Don’t ever fall into the belief for an instant that compliance to framework or compliance to regulation is a substitute for actual security. In fact, they are pretty much unrelated,” said Mattord. “My job is telling you that your job is to have actual security that works, by hook, by crook or any means necessary. Your objective is to get security to function.” 

Mattord also warned that security professionals should not waste their time trying to comply with a framework that is not legally required under the law. 

“If you’re out beating the bushes trying to gain some kind of compliance assessment against a framework you are not required to meet, you may in fact be distracted from your real objective which is an improvement in your security posture,” he added.

With that being said, Mattord said frameworks can also be very beneficial as they provide sound guidance for an organization’s security strategy.

“The idea of a framework being a benefit to you is that it can be a source of good information, it can inform you and it can act as a means of giving assurance to those above you in the hierarchy that you’re doing it the right way,” said Mattord. “You already may know more than the framework, but that doesn’t matter. No prophet is ever respected in their homeland, so no matter how good you are they will never believe you know the right thing to do. Frameworks can be your friend when they lineup well with what you want to do.”