Business Security – More than Cyber Security
In December 2014 Wired Magazine published a short article titled “The Business of Security is Business”. Although predominantly written from a cybersecurity perspective, I like the title and the article definitely raises a couple of good points.
In the last 15 years we have seen dramatic changes in the geopolitical landscape and a highly dynamic and constantly changing threat environment, both with significant impact on global business.
Today, security risks are definitely on the agenda of corporate executives. With media reporting large-scale data breaches and cyber-security threats almost on a daily basis, IT security has become one of the top priorities for corporate management.
However, there should be no mistake that a comprehensive corporate security program needs to address risks that go beyond technical and IT security issues, such as the prevention of fraud and corruption, insider threats, terrorism, economic espionage, crisis management and travel security.
Concepts like “Enterprise Risk Management” or “Total Business Security” provide a more holistic perspective on the threat landscape, aiming to build security aspects into all corporate processes and operations.
Security is a Management Task
Corporate security managers need to clearly communicate what the impact of any threat is on the business. They need to translate security requirements into a language that CEOs, CFOs and other corporate decision-makers understand. A successful corporate security manager needs to be a business manager with a specialization in security. The business of security is business!
Corporate security goes beyond cyber-security
Business security is more than IT security. With all the attention (and budgets) cyber-security gets, corporate security managers should make every effort to take a broader view of security and build a comprehensive security program that provides more holistic protection of physical assets, personnel, information and know-how, and commercial interests.
Build a security program for real life
It can be a daunting task to keep up with all the security threats and implement a smart protection program, especially if an organization is operating globally. Many computer-based tools are offered on the market to assist in this effort. With all the software tools and dashboards available, corporate security managers are well advised to make a very careful selection of exactly what tools they need and what these tools actually provide to handle real-life situations. Tools can be a useful support, but filling a database with lots of data and information is neither the objective nor sufficient. Have a reality check once in a while.
Learn from others (their mistakes and successes)
Here is the good news: Although in today’s world corporate security is a challenging, complex and interdisciplinary task, it can be done. Most likely, it has been done before. Nothing is more appropriate than to learn from the experience of other professionals and organizations, both their failures and their success stories.
Why don’t they listen to me?
A couple of weeks ago I had the opportunity and distinct pleasure to speak at a corporate management conference. A global company had gathered their top 300 executives from around the world to discuss business matters and the road ahead. I had been granted a 45-minute slot on the second day to talk about security issues. There was no preset topic the company wanted me to address. After a few conversations with the VP Security and some senior executives I decided to talk about the role a modern security function can play in a global organization, the potential for integration of security into the overall business strategy and especially the need to effectively communicate with each other.
I titled my presentation “Why don’t they listen to me?”. I’ve heard this question over and over again from many corporate security managers. In a lot of cases there seems to be a disconnect between the business and the security function. Security managers describe their difficulties and frustration in getting senior management’s attention and buy-in for pressing security matters. Likewise, many business managers elaborate on their perception that the security managers have little understanding of the business requirements of their own company and try to implement policies and procedures that are perceived as an additional burden for the business.
Communication professionals will tell you that whenever you hear the phrase “Why don’t they listen to me?” you have a core communication problem at hand. As a corporate security manager you should not expect your senior executives to speak your language. You need to speak their language. And getting their attention is easy if you describe the impact a security issue has on the business.
My best advice: Don’t tell your boss about just another security problem. Tell your boss about the security issues that you have identified, how you have prioritized them based on business relevance and impact, and most of all tell him what your solution is. And if you’re really up to speed you might even offer some options for how to respond to a specific risk, together with an estimate of how the different options will impact the organization.
Most executives are usually well aware of the many problems facing an organization. What they want and what they need is someone who provides a solution. As the expert in the field of security it is your job not just to identify areas of concern but to find options and solutions.
In most publications about security you will find reference to today’s multi-dimensional threat landscape. However, in reality it seems that many organizations deal with it with a very narrow focus, allocating resources almost exclusively to cyber security. This could be a recipe for disaster.
Yes, the business world is facing a multitude of threats and risks, cyber security just being one of them, albeit an important one. Any responsible security manager will need to educate his audience that a comprehensive and effective corporate security program needs to address all threat dimensions.
There is no security risk, there is only a business risk.