Security leadership and its value are increasingly measured by how directly they support business unit and organizational goals. The tie is so direct that business unit leaders now pay for risk management and security as a service they buy rather than as an overhead allocation. These internal customers treat security as a consultancy and routinely seek its advice on understanding and managing the risks that stand between them and their objectives. The transparency of this relationship lets the business unit see security’s contribution to its own goals, which in turn increases its reliance on, use of and spending with security.
As organizations, from businesses to hospitals and universities, have become single, global entities, recognition at the C-Suite level that security should also be a global enterprise with a consistent mission and leadership has evolved. A significant trend is the creation of “first” global security organizations led by “first” CSOs at major companies, including SAS Institute and ADP.
The concept of security has shifted from the pre-9/11 model of law enforcement and life safety, to post-event management and investigation with little forethought given to risk identification and management, to the all-in belief that security belongs at the strategic planning stage and is an accelerator for reaching objectives and maximizing financial results.
Today’s security leader clearly views the role as that of an executive who contributes to the organization’s success by managing security and risk. They are neither law enforcement nor security of the guns, guards and gates era. Equally important, they work in organizations where the C-Suite understands the economic value added and does not view security as a narrow, technical function.
While the foundations for success identified in the 2010 Security 500 report are still vital for success (organizational leadership, subject matter expertise and security best practices), the bar has been raised to apply these skills in a way that measurably supports organizational goals.
As a result of this shift, budgets or funding cannot be guaranteed if either the perceived risk level declines or the contribution of security is not visible to its customer. The increased understanding and appreciation of security’s value at the C-Suite level is being matched by business units that, beyond the basic security infrastructure, have the option to independently scrutinize and purchase security as a service.
An organization with a world-class security program earns positive messaging from the C-Suite, followed by positive feedback from the business units, which creates continued positive messaging from the C-Suite. This momentum-changing influence will greatly impact the security organization, positively or negatively, depending on security’s measurable and perceived value.
Business leaders delivering the most value to their organizations through security are doing so by focusing on areas that most directly and transparently support business goals. In turn, the security organization focuses its strategy, time and attention on those programs where funding will be available.
Remarks pointing to this strong correlation include:
With a global footprint of 150,000 employees located in 150 countries worldwide, the challenges and opportunities vary, and as such, enterprise security risk management is critical. Though we have been impacted by the events in Japan, Mexico and the Middle East, due to our robust crisis management and business continuity program, we are more resilient than ever.
—Robert Soderberg, Vice President, Global Security, Johnson Controls
Trends Identified, Compared 2011 to 2007

| Rank | 2011 | 2010 | 2009 | 2008 | 2007 |
|---|---|---|---|---|---|
| 1 | Economic Value Added: Connecting Security Directly to Organizational Unit Goals | “We plan for the worst case but get the budget for the best case.” | Risk is Up, Budgets are Down…Now What? | Business Resilience and Crisis Management Added | The “C”s are Getting It |
| 2 | Enterprise Security Leaders…at Last | So Many Risks, So Little Time: Enterprise Security Risk Management (ESRM) | Workplace Murders, Suicides and Violence are Soaring | Benchmarking is Everywhere (or so it seems) | The Security Organization’s Role Continues to Expand and Evolve |
| 3 | Risk Management Overtakes Event Management | Emerging Markets Bring Emerging Risks | Nice Plan. Will it Work? | CSO’s are Really “C”s | The Best Security Leaders are Proactive and Visible |
| 4 | Cybercrime’s Persistent Threat | Workplace Violence Continues at a Torrid Pace… | Hackers, Terrorists and Spies | Board Level Risk Assessments | Preparedness is the BUZZ Word |
| 5 | Business Resilience: A Holistic View | How Much Is Regulatory Compliance Really Helping? | 1-2-3 Converge! | Security is Drawing a Bigger Circle | Visibility is Back |
| 6 | Workforce Protection | The “Layered” Look is Back in Vogue | Uncompensated Overhead: Compliance Regulations | Going Green! | Organizational Issues Around Security are Being Sorted Out |
| 7 | Workplace Violence | Save the BRAND!!! | Enterprise Value Wins; Security Solutions…Not As Much | Security is Becoming Institutionalized in the Culture | Initial Planning and Design Increasingly Include Security |
| 8 | Budgets: Money is Tight. Budgets: Plenty of Money, Justify Your Business Case For It. | You’ve Got Steal: Cyber Crime | What Will They Outsource Next? | Security is More Fluid than Ever: New Threats, New Solutions | Technology Design is Being Driven by Security Specifications |
| 9 | Securing the Joint Venture | Driving BCP While Looking in the Rear View Mirror: Business Resilience/Crisis Management/Disaster Recovery | Let’s Share Risk! | Size Matters: It Can Be A Positive or a Negative | Career Security Professionals are Crossing the Chasm to Successful Business Executives |
| 10 | Staffing and Training and Retaining Talent | Never Out of Style | Not In Our House! | Data and IP Security Integration | You’re Global |
We are a “full service” department that is consulted in many areas on a day-to-day basis, including topics such as executive protection, workplace violence and training, being a liaison with law enforcement and performing vulnerability and risk assessments. We are finding ourselves more as a partner in enterprise risk management than simply a provider of traditional physical security services.
—Mike Cummings, Director, Loss Prevention Services, Aurora Health Care
At the same time, many non-global organizations are focusing their security investments on specific, measurable bottom-line value. For example, the ports, education, government and healthcare sectors are typically local or regional, yet they leverage the same risk management and security processes and best practices as large, multinational organizations to improve performance.
“There is lost revenue when you have an ER bed that cannot be used for an ER patient, plus all of the intangible benefits of getting the behavioral health patient appropriate treatment in a timely manner.”
— Bryan Warren, Director, Corporate Security, Carolinas HealthCare System, explaining how security’s transit program for behavioral health patients resulted in more than $800,000 in additional ER revenue.
Lou Barani, security director of the World Trade Center, is applying security processes and technologies to create a situational awareness platform across the entire 16-acre World Trade Center site, involving commercial stakeholders, city agencies, law enforcement, life safety and private security organizations. Although not a global footprint, this is the first time a project of this scale and complexity has ever been developed.
A key sign that security’s value is better understood and recognized is the increase in security leaders reporting to the CEO/President or Board: more than 15 percent of respondents report at this level. Similarly, those reporting to the CFO or Finance increased from 11 percent to 12 percent. An important trend is that more than 48 percent report to a C-level executive or board member. Declines were reported among security organizations within Administration and Other.
The security organization’s responsibilities shifted during the past year, showing an expanded role. An increased percentage of survey participants manage Corporate Security, Business Continuity, Regulatory Compliance and Insurance. Declines were reported for Brand/Product Protection and Supply Chain. A new category this year is “Intellectual Property,” where 23 percent of respondents have security oversight.
As the movement toward supporting organizational goals and away from post-event management continues as a core trend directly related to security’s measurable and perceived value, risk management discipline increases. About 87 percent of respondents report having a formal risk management program in their organizations, and the security department is involved in that formal process in 85 percent of all organizations. That is a strong 97.7 percent of organizations with a formal risk management process that include their security organization.
Dr. Goodnight (CEO) does not view security as only an enforcement organization. He recognizes that security facilitates business operations and enables successful growth.
— Alan Borntrager, CSO, The SAS Institute
The combined impact of security’s economic value add, elevation in reporting structure and increased responsibilities has resulted in increased security budgets among 45 percent of organizations. Of those reporting an increase in budget, the average increase was 22 percent. Security organizations with a decrease in budget reported an average decrease of 11 percent. Overall, 82 percent of organizations reported an increased or equal budget, compared to 59 percent in 2010.
Key Trends Show Security's Increased Role and Executive Level
1. Economic Value Added: Connecting Security Directly to Organizational Unit Goals
Leading security programs clearly recognize their value as an enabler for the overall organization to succeed, and they view those who use those services as customers. This evolution within the security organization is the outcome of several phenomena coming together. Those include:
1. Security leaders gaining direct communication with the C-Suite and understanding enterprise-wide thinking, expectations, goals and security’s contribution.
2. The CEO’s focused understanding of security’s contribution to achieve goals by enabling business operations to perform effectively, thereby increasing revenues and reducing costs. That contribution is primarily to reduce risk and to ensure resilience.
3. Business unit/Profit center/Departmental leaders positioned as security’s customer and having direct communication with security (acting as a service provider) to explain their objectives and “purchase” those services that will best contribute to a positive outcome.
The execution of this strategic relationship moves security from an allocation to a direct purchase by internal customers and, in some cases, external ones. This shift removes the friction created by indirect communication and ambiguity about the value of the service, creating transparency for the measurement of security’s value.
By engaging directly with its customer, security integrates risk management and security processes into the organization’s activities. This is a significant shift from traditional security programs. Processes are both constant and consistent, whereas programs begin and end. Processes are also instituted at the strategic planning stages and rolled out with the overall business or organizational strategy to identify and mitigate risks, as well as provide security and event response when necessary.
This important change elevates security to a consultancy role for its customer, especially when the customer asks risk questions related to goals. For example:
“Can we build a dorm for our growing student population off campus?”
“What do we need to do to open a factory in Mexico?”
“Is this a good location for our regional sales office?”
Typically, the phrase “good location” brings employee safety to mind. But risk analysis also includes resilience against weather and power outages, providing valuable information for the customer.
As an expert consultancy on the front end of planning, the security organization gains an in-depth understanding of its customer’s goals and how they perceive security’s value. This relationship enables the organization to understand its customer’s future goals and to forecast, hire and train to directly meet those risk management and security requirements.
2. Enterprise Security Leaders….at Last
As organizations have expanded globally or set enterprise policies to better manage regulatory compliance, the benefits of a unified risk management and security organization and leader have solidified. In addition to the task of mapping security as a service to an organization’s operating units or profit centers, there are obvious challenges with disparate policies, procedures and technologies within an overall organization or across geographies.
A single security entity is achieved by naming an enterprise-wide security leader and consolidating security silos into one organization. Examples include geographically dispersed operations around the world, 20 schools within the same district, or a city with varying departments and facilities. In all cases, each unit has its own myriad security programs, policies, technologies and leaders. This structure creates challenges and impedes the overall organization from reaching its goals. The shift to a single structure that matches the overall organizational structure instead enables a consistent and constant risk management and security program.
Once the enterprise-wide structure is in place, the organization can identify common organizational risks and security requirements. The risk mitigation strategy and plan includes the hiring of subject matter experts or qualified solution providers whose cost and value is directly measurable to organizational goals.
For example, in 2009 the city of Toronto instituted a single corporate security policy and leadership position. The framework included enterprise-wide responsibility for all aspects of proactive risk management and event management, and it includes compliance policy for risk assessment and policy adherence. The result is a finite envelope of resources that is applied economically.
Another common benefit is global contract officer sourcing, often resulting in six- or seven-figure savings for the organization.
CSO’s Top Areas of Responsibility

| Area of Responsibility | Respondents |
|---|---|
| Physical Security | 96% |
| Investigations | 90% |
| Corporate Security | 86% |
| Emergency Management/ | 85% |
| Executive/Personnel Protection | 72% |
| Disaster Recovery | 61% |
| Business Continuity | 55% |
| Regulatory Compliance | 45% |
| Brand/Product Protection | 38% |
| Supply Chain/Vendor | 28% |
| Intellectual Property | 25% |
| Other | 23% |
| Cyber Security | 19% |
| Drug and Alcohol Testing | 18% |
| IT Security | 15% |
| Insurance | 7% |
3. Risk Management Overtakes Event Management
Several CSOs in this year’s Security 500 survey note that they are using the word “security” less and “risk” more in their presentations and plans. This follows logically from the advent of “business first” considerations across enterprises: proactive planning against identifiable and measurable risks is required to protect planned investments and people.
Risk management includes intelligence gathering and situational awareness at a higher level than traditional security programs. Therefore, many Security 500 organizations have invested in operational command centers that combine identity, access, surveillance, monitoring, weather and fusion intelligence (such as Overseas Security Advisory Council, or OSAC, reports) to identify and mitigate risks.
As the movement toward supporting organizational goals and away from post-event management continues as a core trend directly related to security’s measurable and perceived value, risk management discipline increases. About 83 percent of this year’s survey respondents report having a formal risk management program in their organizations. The security department is involved in that formal process in 82 percent of all organizations. That is a strong 98.8 percent of Security 500 organizations with a formal risk management process that includes their security organization.
4. Cybercrime’s Persistent Threat
Sony Entertainment, the poster child for cybercrime, recently hired top gun Philip Reitinger, formerly the director of Homeland Security’s National Cyber Security Center, for its newly created position of chief information security officer and senior vice president. His role is clear: secure the customer information (everything a hacker needs for ID theft) that is entrusted to and stored on Sony’s premises, whether its own data center or a cloud vendor.
But in most Security 500 organizations, neither cybercrime’s exact definition nor ownership of mitigating this threat is clear. And while Reitinger’s role as CISO will be well defined to protect customer information, who within Sony owns the illicit sale of counterfeit Sony PlayStations on the Internet, which is also considered a cybercrime? And what about the accidental release of data or IP by organizations? For example, Stanford Hospital recently admitted that the data of 20,000 patients was posted on a commercial website for nearly a year until it was discovered and removed.
With the move to mobile devices, remote workers and globally traveling employees, valuable information and intellectual property are not only going mobile, they are unprotected. It’s unclear whose job it is to secure that data. For example, only 19 percent of Security 500 survey respondents report that they oversee cyber security. That number is down from 20 percent last year.
While this trend continues to grow as a business problem that requires risk mitigation and security, most organizations are not responding to the threat but rather act only after the crime. The annual Verizon Data Breach Investigations Report identifies several important trends to consider:
• Cybercrime is more often the result of stagnation by victims, not using, under-using or misusing something old, than of the cleverness of adversaries.
• “The Cloud” does not factor into most cybercrime incidents. The problem is not who controls the data asset, but that the associated risk is not managed.
• In 2010 the Secret Service arrested more than 1,200 suspects for cybercrime violations involved in more than $500 million in actual fraud loss and prevented more than $7 billion in additional losses.
Key to having an enterprise focus and program related to cybercrime is two-fold:
1. Don’t become the cybercrime’s next poster child.
2. In most cases, recognizing the risk and being determined not to be victimized is sufficient.
To that point, some key data points from the Verizon Data Breach Investigations Report include:
• 83 percent of victims were targets of opportunity
• 92 percent of attacks were not highly difficult
• 76 percent of all data was compromised from servers
• 86 percent of breaches were discovered by a third party
• 96 percent of breaches were avoidable through simple or intermediate controls
• 89 percent of victims subject to PCI-DSS had not achieved compliance.
5. Business Resilience: A Holistic View
A driver for single, enterprise security leadership is the consolidation and oversight of business resilience planning. Enterprise risk management strategy, by its definition, requires the organization to have a single business resilience plan and program. Business resilience is in the center of the triangle with Crisis Management, Business Continuity and Disaster Recovery at its vertices. The holistic view adds complexity and requires an ongoing process to evaluate risks and reassess business resilience programs. Organizations with silos will not identify risks as thoroughly and their multiple resilience plans may not perform as effectively.
Traditionally focused on data recovery within the IT department, business resilience program objectives have expanded to ensure situational awareness and communication, continued business operations and regulatory compliance. A crisis will impact an entire organization, and risk-minded executive management recognizes this. The process of identifying a risk, concluding that the risk requires a resilience plan, and confirming that the investment of time and money is justified is a best practice.
Just as security is everyone’s business, exemplified by DHS’ “See Something, Say Something” campaign, business resilience requires participation among all stakeholders within the organization, in addition to outside partners. Yet the decision to create an effective business resilience program rests on the CEO’s view of the program’s value against its cost.
“I am championing a culture of security so that security becomes the personal responsibility of each and every one of us. The goal is for associated accountability at all levels of the company. With business resilience, emergency management and critical incident response responsibilities, this new goal is logical. We want to get all stakeholders to believe in themselves through training to drill and prepare so they know their role during an event.
Every CEO should understand the value of preparedness and consider the dynamics of human behavioral effectiveness for a successful and sustainable business in times of security and risk planning. Focusing a percent of resources on safety and security training and education reduces critical risks through both awareness for prevention and response to events.”
— Dr. Krista Osborne, Starbucks International Director of Loss Prevention and Supply Chain Operations
The events of 9/11, Hurricane Katrina, the Japan Earthquake and acts of workplace violence are reminders of the necessity for evaluating risks and investing in business resilience.
6. Workforce Protection
The focus on enterprise risk management, combined with direct support of business or organizational goals at the departmental or unit levels, includes the safety and security of employees. Workforce protection includes assisting employees living internationally or traveling on business. This risk-based approach to protecting employees is different than addressing the threat of workplace violence. Organizations that place their employees in international and/or unfamiliar areas have a “duty of care” to understand the vulnerabilities employees may face and to mitigate them.
Key components of workforce protection within security include responsibility for corporate travel and, with it, weather services and political intelligence gathering within the operations center. Integrated with the company’s mass notification and messaging capabilities, these alert employees to travel delays and to high-risk areas to avoid. Business continuity includes alternative travel and housing arrangements as necessary.
The security program also identifies and approves select hotels with adequate security for employees to use. Many organizations rely on external service providers for international travel and emergency healthcare support. With the program come policies and procedures that protect employees.
For example, CNA Financial’s Security Control & Communication Center supports all CNA operations by providing adverse weather notifications, tracking and support for travelers.
“Our daily mission is to protect our people, our brand and our ability to provide uninterrupted service to our customers.”
—Bill Phillips, CSO, CNA Financial
7. Workplace Violence
Workplace violence continues to be a major risk and cost for organizations, especially in healthcare, where incidents are four times more frequent than in the general business population. The statistics have not changed much from last year’s Bureau of Labor Statistics report, with more than 1.7 million people falling victim to workplace violence annually. One statistic that should catch the attention of the C-Suite: the cost to U.S. organizations is more than $120 billion annually.
That does not measure the cost of reputational risk or brand equity damage. For example, what is your first thought when you hear “Virginia Tech”?
Workplace violence also varies across sectors. The healthcare sector has the most significant challenge, as 50 percent of emergency room nurses report being victims of violence, usually by patients, according to the Emergency Nurses Association. The public school system faces rampant cyber bullying that leads to higher absenteeism and dropout rates and, in rarer cases, suicide.
Anticipate more, not fewer, incidents in the year ahead. The weak economy, layoffs and the financial and family pressures these events create require increased awareness and investment by both security and human resources to identify and mitigate risks. The increase in mental health patients entering emergency rooms after the termination of health care benefits is escalating violence in that sector. The explosion of technology used by students has escalated cyber bullying beyond the schools’ ability to manage it.
Most organizations have implemented policies and programs to reduce the potential for incidents, including:
Policies:
• Defining a zero tolerance policy
• Background checks on employees (and visitors where appropriate)
Technology:
• Identity management/badging
• Access control systems
• Emergency/panic alerts
Programs:
• Training and education
• Communication and resources for potential victims
“We are working to educate employees that being a victim of violence is not just part of the job. We need to change the culture that healthcare workers should expect to be in harm’s way.”
—Bryan Warren, Director, Corporate Security, Carolinas HealthCare System
8a. Budgets: Money is Tight.
8b. Budgets: Plenty of Money, Justify your Business Case for it.
The economy continues to force security organizations to creatively do more with less while motivating their security teams.
However, most organizations in this year’s survey reported significantly better budget situations, with 82 percent having increased or equal security budgets. Among those with budget increases, the average increase was 22 percent. Among the 18 percent reporting a budget decrease, the average decrease was 10 percent. Budget shortages are concentrated in specific sectors, including K-12 education, healthcare and government.
“Centralizing, staffing and motivating participation in the face of tightening budgets is a great challenge for a CSO. Our focus has to be directly on the most critical issues we need to plan for and mitigate. Shrinking budgets within the divisions make it challenging to identify a problem and the appropriate solution but not be able to afford to address it. This is a management challenge to discuss these issues and motivate the team to provide security as necessary.”
—Dwaine Nichol, City of Toronto
To that point, budget challenges for security organizations are more the result of dollars coming directly from internal customers who need to see security’s value toward their specific goals. In organizations where security has capably identified risks and enabled organizational success, there is no shortage of reasonable funding to “get the job done.” Conversely, security organizations that do not justify the business case for spending are finding budget dollars tight.
The core drivers for budget increases have not changed dramatically from prior years. It is unfair to state that security has been operating in a vacuum from the organization’s overall goals. Rather, the security customer is paying greater attention to security’s role and contribution and the ability to evaluate and measure its economic value. The core drivers for budget increases continue to be:
1. Business expansion, especially to emerging markets
2. Additional responsibilities, for example, business resilience and corporate travel
3. Increased regulatory compliance increasing training and reporting costs
4. Changing focus on risk management to justify spending.
9. Securing the Joint Venture
Many organizations are engaged in joint ventures where risk and security responsibilities require cooperation in the planning and budgeting process. Joint ventures may contribute a significant percentage of an organization’s revenue as well as require dedicated resources and employees. As enterprise risk management has evolved within organizations, the realization of security’s necessary role in joint ventures has risen to protect assets and people.
Each organization may come to the venture with separate policies, procedures, platforms and technologies in place. Often, competing business goals are at odds after the venture is well underway. The potential for corruption may be greater in joint ventures where the complexity of transactions and matrices is greater.
In the 2009 Security 500 report, the trend of “shared risks” was identified to measure the risks associated with employees working outside their organization. When one business sends employees to customer locations to work with clients, these two organizations have entered into a shared risk relationship. It is anticipated that one organization’s employee will be reasonably secure while at another organization’s facility and that the other organization will be secure from that employee. For example, consider an auditor from a major accounting firm at a client site for three weeks.
Joint ventures bring shared risk to a more permanent level for the term of the venture. Security organizations are now routinely participating in the planning stages by crafting security programs to support joint ventures and mitigate risks.
10. Staffing, Training and Retaining Talent
With the significant changes in security from a post-event response organization to a proactive risk analysis and mitigation organization that supports organizational goals, there has been a significant changing of the guard at the CSO leadership position. Having modernized the CSO to a business-minded professional, it follows that similar minded team members are needed across the security organization. The shift is from one CSO that understands organizational goals to the entire security department understanding organizational goals. Talent management has become core to Security’s success.
There is great enthusiasm among Security 500 organizations for this change as new hires are joining with significantly business-centric degrees and skill sets. Current employees are returning for graduate degrees in business administration and organizational leadership, not law enforcement.
Thinking like business executives, CSOs are asking “What’s next? What will the business need from security to succeed? And based on that what types of people with what skills are required?”
“We push ourselves to innovate and ask ourselves: ‘What will security look like 3-5 years out?’ We recognize that being able to respond and change at the speed of business is key for success.”
—Tim Janes, CSO, Capital One
“We work together and rely on each for our overall success. What I enjoy most about my role has been gathering this team. We have pulled together a diverse group, with different areas of expertise, who work well together to identify the best strategies and get the best results. Our team is able to think strategically and act appropriately.”
—Alan Borntrager, Director - Security and Safety Dept, Corporate Services Division, The SAS Institute
There has been a clear shift in the job descriptions, candidates and hires within security to meet new and changing organizational goals. Some of the changes are related to subject matter expertise, including international or cybercrime experience and expertise.
The talent management focus aligns security with the culture and purpose of the organization. Building a team with strong communication and management skills is critical to creating internal client relationships, gaining credibility and having security recognized as a valuable service.
Editor’s note: Security magazine and its parent company, BNP Media, will not solicit our readers directly regarding purchasing reprints of the 2011 Security 500 report. Any solicitation for reprints of the 2011 Security 500 report that you may receive are not affiliated with Security magazine and BNP Media and are not endorsed by either organization. Please contact Editor Diane Ritchey at ritcheyd@bnpmedia.com if you have any questions.