NGSL Research Results: Influencing Change for Nimble Global Risk Mitigation
In November 2016, MITRE Corporation hosted a Security Executive Council (SEC) Next Generation Security Leader (NGSL) forum. Sessions took place at two campuses and virtually via Skype. NGSL events are peer-reviewed, research-based sessions that recognize evolving global security risks that require collaborative and cross-functional security risk mitigation management. Sessions are based on research from SEC's Security Leadership Research Institute (SLRI), which has been investigating corporate security risk leadership issues for over 10 years. Led by SEC subject matter experts and faculty, including academics from the University of South Carolina's Darla Moore Risk and Uncertainty Center and Kennesaw State's Coles College of Business, more than 100 security practitioners (the majority from large international companies) met in person or virtually for two days of Collective Knowledge™ collaboration.
Influencing Community, Corporate, and National Security Resilience
Tom Mahlik, MITRE's Director, Global Security Services, and Joel Jacobs, MITRE's VP and CIO, along with Al Grasso, MITRE's CEO and the recent recipient of the "Security's Most Influential" award, addressed the event participants, reiterating the value of Security for meeting and exceeding brand expectations from a Federally Funded Research and Development Center point of view. The MITRE leaders celebrated convening diverse next generation talent in a trusted environment to learn and continuously improve, not only from successes but from failures and near misses, to build incremental confidence in clearly uncertain times.
Next Generation Cyber Threats and Solution Considerations
Coles College of Business Associate Professor Herb Mattord introduced a State of the Industry session on the threats to information protection. Panelist Brian Barrios, National Director, Cybersecurity of MITRE's FFRDC Portfolio, emphasized simplification as a means of addressing risk and mitigation complexities. Bobbie Stempfley, MITRE's Director of Cyber Strategy, discussed implementation, revisited the scale of interconnectivity, the world's largest data breaches, and mitigation resources. Nate Gabehart, Boeing's Senior Manager for Enterprise Government Cybersecurity, emphasized that people are key, fatigued leaders are ready for solutions, simple hygiene provides value, and artificial intelligence may be a prime forward-looking risk mitigation contributor.
Interactive Group Session I: Information and Physical Security - Convergence or Cross-functional Collaboration?
Herb Mattord; Greg Niehaus, Professor and Department Chair of the Finance Department at the U of SC Darla Moore School of Business; and George Krempley, Instructor in the Finance Department and Co-Director of the Risk and Uncertainty Management Center at the U of SC Darla Moore School of Business, led a spirited exercise on the current and future state of convergence. Attendees self-identified as cyber, physical, converged, or hybrid security units. They then identified the key elements of their evolution toward operational excellence and the impediments to success. The exercise closely followed the SLRI research findings depicted below (see Survey Results section). Facilitators observed participant confidence gains for subject matter discussions.
Assessing All-hazards Risk Mitigation Capacity for Organizations of the Future
SEC Subject Matter Faculty member Sean Dettloff led panelists Tom Mahlik and Al Eaves, MITRE's Manager of Security Mission Assurance, Global Safety & Security, along with Ray Gerwitz, Director of Risk Strategy and Ops Excellence, UTP at MD Anderson Cancer Research Center, in a discussion of internal value analysis to optimize security service delivery. Identifying high value services and abandoning lesser value activities was the common strategy for evolution and growth even in constrained fiscal circumstances, with an eye to continuous optimization through governance and organizations of the future.
Interactive Group Session II: What are your Service Model Considerations for Forward-looking Protection-in-depth?
Our academic partners once again guided participants to further identify current state and future state service deliverables for their security operational units, leveraging the internal value analysis elements detailed in the previous session. Next Generation leaders further identified cross-functional evolution opportunities for operational excellence.
Critical Incident Management - Top Down or Bottom Up?
SEC Emeritus Faculty member Dean Correia posed a question to subject matter operational experts regarding their readiness, in terms of proven practice resilience protocols, for growing global all-hazard risks. Randy Harrison, Managing Director of Corporate Security for Delta Air Lines, established corollary events for recognized global risks and lessons learned that relevantly inform stakeholders of mitigation options. Gary "Bubba" Gordon, Senior Manager Business Continuity for The Boeing Company, underlined the importance of event response, recovery, and critical business continuity transitions within life safety and infrastructure dependencies. Alan Borntrager, Red Hat's Head of Global Safety, Security, and Business Resilience, added context for communicating about opportunities, critical events, and near misses. Alan Snow, Director of Safety and Security for Boston Properties, shared lessons learned and epiphanies for high-rise and municipal planners following the Boston Marathon bombing.
Insider Threat Revisited - Innovations, Proven Practices, and Brand Expectations
Bob Hayes, Managing Director of the SEC, introduced the session with a definition of insider threat supported by SLRI research, noting that insider threats are wide-ranging and variable, from espionage to workplace violence. Rowan Kelly, Senior Manager of Insider Threat at The Boeing Company, revisited the past, present, and future, discussing a Chinese spy ring case and Prevent/Monitor/Detect/Respond modeling. The conversation included how to improve the modeling using predictive analytics. Randy Harrison of Delta Air Lines emphasized predictability as the forward-looking program value for leaders that may not yet fully understand insider risk dimensions or brand reputation implications. Ray Gerwitz cited the dependencies for evolving collaborative, strategic partnerships for insider program success.
SURVEY RESULTS
Before the forum, participants were asked to take a survey to help understand where aspects of their security programs stood and to provide context for some of the sessions. Non-participants who had attended at least one NGSL forum in the past ("NGSL Alumni") were also invited to take the survey. Fifty-four answered the survey; the results follow. Note: because this was a small group and in some cases multiple employees from an individual organization answered the survey, the results are not necessarily reflective of the security community as a whole.
The following are highlights from the survey:
46% describe their organizational unit's primary mission as physical/corporate security.
Over 50% report their organizational unit's security leader reports to a senior / executive VP or above.
Participants were evenly split on expectations of internal structural change in their organization: 48% thought it unlikely and 48% thought it likely.
24% rated their confidence that they are sufficiently staffed to meet future threats to their brand as "7" on a scale from 1 (extremely pessimistic) to 10 (extremely optimistic).
57% report their organizational unit provides security metrics.
There was almost an even split amongst participants when asked to select the organizational maturity level that best described their operating unit.
The Security Executive Council (SEC)
The SEC is the leading research and advisory firm focused on corporate security risk mitigation solutions. Having worked with hundreds of companies and organizations, we have witnessed the proven practices that produce the most positive transformation. Our subject matter experts have deep expertise in all aspects of risk mitigation strategy; they strategize with security leaders to transform security programs into more capable and valued centers of excellence.
The SEC's Security Leadership Research Institute (SLRI)
The Security Leadership Research Institute (SLRI) provides independent and actionable research to the security and risk community. The SLRI was formed because of the need by the security industry to document the entire spectrum of corporate security risk mitigation through research. The SLRI conducts benchmarks like this one and many other forms of research, such as practitioner quick polls, state of the industry and trend reports, and custom research for individual companies and security leaders.
The Coles College of Business
The Michael J. Coles College of Business at Kennesaw State University is the second-largest business school in Georgia, with more than 6,000 students, 160 faculty members, and a powerful alumni network. At Coles, we're dedicated to the success of our students, our university, and the business community. We are accredited by the Association to Advance Collegiate Schools of Business (AACSB) in both business and accounting, and hold many national and global rankings.
The Risk and Uncertainty Management Center
The Risk and Uncertainty Management (RUM) Center at the Darla Moore School of Business (University of South Carolina) has three main objectives: (1) enhance the educational programs at the Moore School, specifically the Risk Management and Insurance major and minor; (2) facilitate interaction between the university and practitioners on issues related to risk and uncertainty; and (3) support research on risk and uncertainty management.