Security leader insights for risk management : lessons and strategies from leading security professionals PDF

44 Pages·2014·0.899 MB·English
Preview Security leader insights for risk management : lessons and strategies from leading security professionals

Security Leader Insights for Risk Management
Lessons and Strategies from Leading Security Professionals
Richard E. Chase, Contributing Editor

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Elsevier
Radarweg 29, PO Box 211, 1000 AE Amsterdam, Netherlands
The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, UK
225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2015 The Security Executive Council. Published by Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
ISBN: 978-0-12-800840-9

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library

For more publications in the Elsevier Risk Management and Security Collection, visit our website at store.elsevier.com/SecurityExecutiveCouncil

INTRODUCTION

The changing dynamics of the threat landscape continue to illustrate the need for an enterprise approach to risk management, a more inclusive management process that recognizes the value of joint collaboration between the security practitioners and the business leaders throughout the organization.

To begin such a collaboration, it is important to first define exactly what risk management is and who is involved. The Institute of Risk Management (IRM), a leading non-profit organization for risk management professionals, defines risk management as “the combination of the probability of an event and its consequence ... [which] can range from positive to negative.”1 The benefits of a formal risk management program should be obvious, but who is inevitably responsible for risk management as a business discipline is not so clear.

What has traditionally been solely a finance function, the practice of risk management is now a cross-functional team and corporate risk issue. Business leaders and boards of directors have come to expect that security and others can identify the risks to their companies, measure their potential impact, and quantify what profit or advantage the company can win should the risk be deemed acceptable. However, more often than not, security, being a historically reactive function, has been one of the best positioned groups to address many risk issues but has often been the last called to the executive table to work on it.

As security professionals, what can we do to prove to business leaders that security deserves a seat at the risk management table?
How can we balance the business’s need to define acceptable risk levels and leverage security’s mitigation tool kit to protect the business’s assets and information? There is no easy answer to either of these two questions. However, we can look to the experiences of our peers to find shared strategies and possible solutions for the management of our information.

1 The Institute of Risk Management, “Risk Management,” http://www.theirm.org/about/risk-management/, accessed July 9, 2014.

In Security Leader Insights for Risk Management, we have tapped some of the industry’s most distinguished security professionals for their opinions and expertise on security’s role in risk management.2 This collection of timeless best practices is a quick and effective way to bring staff and/or contractors up to speed on topics related to defining risk, security’s role in mitigating board-level global risk, and being part of a Unified Risk Oversight Process in enterprise risk management. The short, straight-to-the-point chapters provide the reader with an easily accessible overview of current issues. In the event you are forced to make rapid, significant change within your business or organization, this resource can help guide transformational change. Instead of reinventing the wheel when faced with a new challenge, these proven practices and principles will allow you to execute with confidence knowing that your peers have done so with success.

Richard E. Chase
Vice president and chief security officer, General Atomic

2 Please note that the security practitioners who contributed to these articles may no longer be at the companies listed at the time this book is published.

CHAPTER 1
Looking at Risk from a Different Angle to Achieve Results

By Robert D. Gates, security executive at a Fortune 100 company

Sometimes finding the solution to a security problem is about changing how you look at it. This can be a challenge, particularly if the problem is costly or is a significant safety threat.
Our first reaction may be to find the most familiar or simplest way to make an immediate impact on the issue. But true security leadership requires us to stop and think about the problem through the eyes of the business and its goals, and to change our tactics based on what we see. One good example of this is how companies have dealt with the problem of theft of copper and other valuable metals.

Metal theft has proliferated over the years, and with the steady increase in commodity prices, it is expected to continue in frequency, causing significant financial loss. These thefts have a deleterious effect on the quality of life in local communities. Copper water pipes, electrical lines, telecommunication, and other critical infrastructure support the lives and daily activities of everyone. Telecom cable theft results in the degradation of emergency communication circuits, putting individuals, first responders, and whole communities at risk.

Over the years, numerous solutions to this problem have been debated, proposed, and postulated, with varied results. Companies and law enforcement have invested their efforts, but both find themselves competing for diminishing resources. Recognizing that criminals need to dispose of the stolen material, the scrap and recycling industry has advocated proactive antitheft initiatives. Yet metal theft remains a significant problem for critical infrastructure (CI) and key resources (KR) providers, contractors, government, the community at large, and the professional scrap and recycling industry. That could be because of the way the problem is viewed.

Antitheft programs are often focused on the scene of the crime. Catching the bad guy, while well intended, is an expensive, time consuming, and reactive response, lacking sustainable long-term benefits. Insightful industry leaders, along with progressive law enforcement, have shifted from viewing the problem as a property crime to viewing it as a financial crime.
After all, metal has value only to the extent that it can be converted to cash. Therefore, instead of enacting preventive countermeasures and consuming investigative resources solely at the point of the theft, some businesses have found success in shifting scarce resources to the point of the financial exchange: the unscrupulous metal purchasers or facilitators who don’t follow customary industry standards or recommended practices. Recyclers are required to obey applicable ordinances, environmental laws, licensing laws, and other regulatory requirements within their states and local communities.

Augmenting traditional law enforcement and regulatory action, some metal owners have begun pursuing aggressive civil remedies, including threatening independent legal action against those who facilitated the value-exchange by intentionally or negligently disregarding industry standards or by failing to implement reasonable transactional safeguards.

When implemented, the value-exchange model results can be dramatic. In an actual case, a 70 percent decline in financial losses in a one-year period occurred. These are quantifiable financial results, something business leaders and executives will understand and appreciate.

This strategy does require investigative due diligence:

• The metal owner must know the trusted players in the recycling industry and vice-versa.
• Positive relationships, including mutual education, must evolve between ethical local recyclers and the metal, CI, and KR owner/operators. The parties need not be adversaries.
• Theft incidents require promptly focusing on the points of conversion, not the point of thefts.
• Suspect and informant questioning needs expansion beyond actual thefts, to identifying transactional facilitators.
• Once evidence of stolen material is located, the exchange facilitator must be held accountable.
In short order, exchanging stolen metals for cash increases in difficulty, and the risk-value equation becomes out of balance, resulting in fewer incidents of theft.

While traditional countermeasures against metal theft should not be abandoned, metal theft is too often viewed solely as a property crime and the resulting efforts ineffective. Rethinking the problem in financial terms opens new and often more effective options and sustainable results: disrupting and removing the market for stolen goods eradicates the incentive for future thefts.

What does this mean for the security professional? Reducing financial losses—not merely counting crimes or arrests—defines results and success. Which story facilitates business success, and what does your business leader want to hear?

CHAPTER 2
Learning from the Past: Risk Management versus Compliance

With insight from Will McCann, director of security training and communications at Capital One

It has been more than 100 years since the tragic sinking of the Titanic. Over the last several years, we’ve seen the innumerable ways people try to either memorialize or capitalize on the tragedy, including the re-release of the 1997 movie Titanic in 3D, the production of a commemorative coin, and—believe it or not—a series of Titanic memorial cruises. Some members of the security community recently chose to remember the event in a more constructive way.

Members of the Next Generation Security Leader (NGSL) LinkedIn Group, which exists to provide participants in the Security Executive Council’s Next Generation Security Leader Development program with an opportunity to discuss course material with their peers and instructors, compared the risk management focus of the Titanic’s parent company, White Star, and some organizations today.

Will McCann, director of security training and communications at Capital One, began the thread: “In [the first session of the NGSL program], I was struck by the critical distinction one of the speakers made between compliance and risk mitigation.
I immediately thought of the Titanic, which, though it carried enough lifeboats to comply with the law, had far fewer than necessary to save everyone on board.

“In 1912, U.K. lifeboat requirements were based on tonnage rather than passenger load. And since White Star’s leaders were focused on legal compliance rather than mitigation of risk, they simply bought enough boats to keep the authorities at bay and went to sea. One hundred years later, I wonder how many companies really make the distinction.”

As other members chimed in, the analogy deepened. White Star’s engineers and advisors reinforced a faulty perception that there was zero probability of the ship sinking; therefore, the company based their mitigation decisions on inaccurate data. Decision makers did not believe a risk existed. Participants pointed out that companies act based on similar erroneous assumptions today when they dismiss the importance of fire drills, for example. They perform drills because they are required by law, but they don’t believe they could ever have a fire. While compliance helps—without it they may neglect drills altogether—it is less desirable than invested risk assessment and risk mitigation.

McCann concluded, “Now here’s what I think is really interesting: They chose to install top-of-the-line Welin davits, each of which was capable of holding and deploying up to four lifeboats. They could have purchased much cheaper davits to save money, but they spent the money to get the very best. This was likely done in the “nothing but the finest” spirit with which the ship was designed and marketed. And yet they didn’t buy more than one lifeboat per davit, because that’s all the law required.

“Now imagine if they’d had a security team that acted as true business partners. Imagine they’d said to the executives at White Star, ‘Look, we’ve already spent the money on high-volume davits. Let’s buy enough lifeboats for everyone on board, passengers and crew.
They’re a relatively low, fixed cost; a one-time purchase with minimal upkeep. Even if they’re never needed, having them on board will allow us to differentiate ourselves from our competitors and provide a whole other angle with which to market the ship: It’s not only the largest, fastest and most luxurious ship afloat, it’s also the safest.’ But they didn’t. They thought of lifeboats only as a compliance checkbox, not as a potential way to add value to the enterprise. In all likelihood, the security team—and their executives—saw safety and security as an obstacle to profitability, rather than a lever for building customer delight, generating revenue, and avoiding unnecessary expense and reputational damage.”

For security to act as a true business partner in the manner McCann describes, they must have influence with other business units and senior management at multiple levels and stages of organizational strategic planning, added another participant. This can be gained through participation in an enterprise risk management model.