As evolving security threats continue to challenge businesses, IT security has become an ever-present topic in board rooms and executive committee meetings. Securing corporate assets in an era of data breaches and malicious cyber attacks raises new challenges that security teams must meet. It is with this in mind that many companies and security professionals are moving toward implementing security governance programs. Security governance is a holistic approach to security that encompasses both cyber and physical security under a definable, clear understanding of the risks an organization faces. When implemented properly, an effective security governance program can de-silo the segments of a company, encouraging cooperation in the development of organization-wide policies and procedures for handling known and emerging security risks.
Pierre Bourgeix is the VP of Business Development for SecureState. Within the security industry, he spent 12 years as a global security business development consultant at such global leaders as Tyco, ADT, and HySecurity. Bourgeix has years of experience in the physical security arena and has been involved in developing security governance programs.
At far too many companies, physical and cyber security are treated as separate realms, each with its own problems that it alone is responsible for. Over the years, physical security has become fairly stagnant; barring catastrophic events such as September 11th and the Boston Marathon bombing, most corporate physical security programs have had very little motivation to change. Cameras, access control, alarm systems, and visitor management have become the defaults at most companies and are often left to the facilities or loss prevention teams to manage and maintain. Similarly, cyber security has traditionally been relegated to IT departments, which are often staffed to a bare minimum and find themselves struggling to keep devices updated while staying on top of whatever threats the company is facing. While many IT professionals are stuck using the same tools to manage security risks across their organizations, new threats develop constantly, and these teams often lack the leverage within the organization to secure the resources needed to combat them.
However, it is becoming clear to the executives at these companies that security can no longer be siloed off to smaller departments; it needs to become an enterprise-wide concern. Security must become the responsibility of the entire company, a corporate decision that involves all stakeholders in determining goals, policies, and procedures across departments. The fallout from recent breaches shows that more companies are starting to treat security as an executive-level issue, as CEOs are being held accountable for significant breaches, including Target's former CEO, who was ousted after the company's massive breach.
Matt Neely is SecureState's Director of Strategic Initiatives. His areas of expertise include research and innovation, as well as profiling. His in-depth knowledge of wireless and physical security, emerging technology, and incident response makes him one of the best in the country in information security.
As the executive team becomes more involved in security, the separate silos of IT, loss prevention, and asset protection break down, and security becomes a broader discussion of defining the threats the company faces and identifying controls and protections against them. This can only happen when there is a clear understanding of the symptomatic security issues that plague most companies. These issues cannot be defined within closely guarded silos; rather, they must be discussed across the organization and defined properly by decision makers who carry financial and operational liability, such as Risk and Compliance officers, the CEO, the President, and the CFO. As an executive-level discussion, security brings in all areas of the business, including finance, human resources, operations, administration, and sales. Security governance offers a logical approach to breaking down the silos between these departments, allowing for the development of a security program that incorporates cyber and physical security across the organization and encourages formerly separate departments to work together to improve the risk posture of the company as a whole.
In many industries, the walls between IT and Loss Prevention have become a major stumbling block for progress in security. These departments find themselves fighting for the same budget and resources, and eventually end up waiting for an incident to occur to demonstrate their need. This reactionary approach wastes time and resources while addressing only immediate concerns that often do not align with the overall goals of the business. The only true way to bridge the chasms between cyber security, physical security, and the rest of the company is to define the organizational need through the proactive development of a unified security governance program, starting with an assessment of policy and procedure across all departments. As the governance program develops, more sectors of the enterprise can be brought into the fold, helping refine a comprehensive security program that is no longer relegated to certain people but is the concern of the whole organization.
The benefits of a governance program are clear. As Lean and Six Sigma have become more central to how people do business, more companies are looking to break down silos, and setting up a full governance program is an essential step in this process. Additionally, governance programs are being encouraged and emphasized by regulatory and standards bodies such as the SEC and ISO, especially for publicly traded companies. The most important benefit, an improvement in the company's bottom line, comes from building a collaborative decision-making process focused on mitigating risk throughout the organization. Simply put, reducing risk leads to increasing profits, and no company will argue with that kind of result.