Managing Risk for Security Governance

Contributor: 1SecureAudit LLC
United States Corporate/Commercial Law

In the converging world of information and physical security emerges a new risk element: managing "Security Governance."

The 2003 Council on Competitiveness Corporate Security survey conducted by Wilson Research Strategies found that:

  • Most business leaders see security as a top or high priority – 86%;
  • Risk management assessments are conducted frequently – 83%;
  • Connections to critical infrastructure are becoming a focus for risk management;
  • Corporate leaders see opportunities for positive returns on security investments – 71%;
  • Business leaders believe that the private sector should take the lead in setting security standards – 66%, and
  • The majority of executives believe that the public and private sectors share equal responsibility for homeland security – 57%.

"Corporate Security is no longer viewed as a matter of guards, gates and guns, but of interconnectivity and interdependence of networks," the survey states. "But 9/11 was only a moment in time—and there is no accepted business model for integrated security management. The need to identify and institutionalize a set of best practices—security processes that create positive returns on investment—remains largely unmet."1

The ethics and issues surrounding the business world of Corporate Governance since Enron and WorldCom command center stage. Now, the ethics and human behavior of the security and intelligence community are snaring headlines in the wake of recent memoirs by former and current White House officials.

When poor business governance spills into Security Governance, it’s time to wave a red flag. These events demand that we revisit and rededicate ourselves to the discipline of Security Governance, which is the means for directing and controlling corporations or governments, and refuse to compromise for any reason the policies and codes we stand by. Established frameworks must not only hold managers accountable but also empower stakeholders to intervene if they witness violations of security ethics or policies. Security Governance, like Corporate Governance, requires oversight by key individuals on the board of directors. In the public sector, people from the executive, judicial and legislative branches may compose the board.

In watching Richard Clarke’s testimony in front of the 9/11 commission, I was struck by our former counterterrorism tsar’s ability to deliver precise salvos of devastating sound bites. Witnesses may or may not back up his statements. If anyone can uphold the foundational policies of Security Governance, it is Mr. Clarke. And you have to admire a person who stands up for their beliefs, except when those beliefs begin to erode the management system for Security Governance.

The basic responsibility of management, in government or a corporation, is to protect assets. Risk and the enterprise are inseparable. Therefore, Security Governance requires a robust management system approach. For a corporation to survive and prosper, it must take security risks. A nation is no different. When management systems lack the correct controls to monitor and audit enterprise security risk, they expose precious assets to the threats that seek to undermine, damage or destroy our livelihood.

An organization’s top management must identify, assess, decide, implement, audit and supervise their strategic risks, including a board-level policy that focuses on managing risk for Security Governance. The Security Governance policy should mirror the deeply felt commitment of the organization or nation to its shareholders and citizens. It should also reflect a positive and trusting culture capable of identifying, removing, minimizing, controlling or transferring strategic adverse risks.

All enterprises confront a category of unforeseen risk. Such risks hinge on events that "might happen," but haven’t been considered by the organization and, therefore, yield too little information to disseminate to stakeholders. However, stakeholders can demand a management system for Security Governance that is comprehensive, proactive and relevant. The management system, as provided by executives, board members and oversight committees, includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources. The system also incorporates a top management strategic policy that focuses on managing risk for Security Governance while reflecting the location, assets and purpose of the organization, enterprise or entity.

The policy should:

  1. Include a framework for governance and objectives;
  2. Take into account the legal, regulatory and contractual obligations;
  3. Establish the context for maintenance of the management system, and
  4. Establish the criteria against which risk will be evaluated and by which risk assessment will be defined.

In establishing a process for risk assessment, the organization should consider:

  • Impact, in the event the risk event is realized;
  • Exposure to the risk on a spectrum from rare to continuous, and
  • Probability based upon the current state of management controls.

An organization will encounter dynamic strategic security risks. Its executives must use the management system to identify and assess these risks and to develop a strategy for dealing with them in order to achieve Security Governance.

Security Governance is evolving rapidly and taps the thinking of various standards organizations, including OECD, BSI, NIST, ISSA, GAISP, BSA, ITAA, ASIS and dozens of other bodies of influence and knowledge. However, no matter what best practices an organization attempts to standardize on, it must weigh the attitudes of the employees and stakeholders.

Unless these stakeholders fully understand the motivation behind tasks and guidelines, the system will fail. The organization that embraces change and introduces a Security Governance framework that manages not only the foreseen human risks but also the unforeseen will greatly enhance its chance of survival. Culture plays a paramount role in the risk for Security Governance because:

  1. Any changes in risk management may require changes in the culture and
  2. The current culture is a dramatic influence on current and future security initiatives.

Internal controls can provide reasonable assurance that an organization will meet its intended goals. Yet people (human factors) will fail an organization through material errors, losses, fraud and breaches of laws and regulations. People will generate constant change, and this cumulative uncertainty mandates a resilient management system for Security Governance that controls risk.

With the system in place, the board of directors soon realizes that managing risk for Security Governance rivals Section 404 of Sarbanes-Oxley as a key to success. In fact, without Security Governance, rules won’t matter and the stakeholders will again ask: How could this happen to us?

Footnotes

1. 2003 Competitiveness and Security Survey – Wilson Research Strategies – www.compete.org or www.w-r-s-.com to download a copy of the report.
