A Brief Introduction to the Value of Corporate Security for Non-Security Professionals
Created By: Bob Hayes, Managing Director and Kathleen Kotwica, Ph.D., EVP and Chief Knowledge Strategist, Security Executive Council
Have you ever wondered how companies prevent or respond to issues that could result in injured or killed employees, damaged or lost assets, law suits, regulatory fines, or loss of important corporate information? Most the Fortune 500 companies have experienced these types of incidents and many have established a corporate security department to minimize the impact and losses from these kinds of issues.
Business activities that managers have overseen for years have recently become more complex and potentially damaging. Examples include:
• Employee disagreements with other employees or managers.
• Corporate travel to new countries to buy materials or considering selling products to.
• Keeping others from stealing new innovations, secrets to operating success or even customer lists.
• Government regulations and requirements are more wide-spread and onerous. They often carry significant penalties for things such as failing to protect employees, products, property and computer systems that take significant time and resources and can result in unwanted costs and publicity.
• Depending on the company size and industry, corporate security can mean different things to different organizations. Security Leadership Research Institute research has identified 20 different responsibilities that fall under a corporate security department.
Some companies have elevated the security manager position to the executive level by creating a Chief Security Officer (CSO) position. While a typical Chief Security Officer position does not exist in corporate America, there are areas of security that different CSOs at different companies will be responsible for (see purview chart below) depending on the industry or sector and what risks/threats are perceived to be important to address.
What is residual risk?
Residual risk is the risk that remains after efforts to mitigate the risk have been made.
It is essential that the CSO works closely with other C-suite level functions and leaders, such as HR, Legal, IT, Finance and individual business units. This has recently become more critical than ever to help effectively reduce security risks to the organization. The diagram below creates a visualization of Unified Risk Oversight (URO), where all the company organizations and leaders work in concert to reduce or eliminate security risks and residual risk.
The foundational elements of a corporate security program are listed and defined in Adding Business Value Through Managing Security Risk (also known as The Manager’s Handbook for Business Security). This publication was created at the urging of the Federal Government to provide a resource to help businesses combat the types of losses or damages discussed previously. The 15 elements developed and agreed upon by numerous Fortune 500 CSOs are:
• Risk Assessment and Mitigation
• Strategic Security Planning
• Marketing the Security Program to the Business
• Organizational Models for the Security Department
• Regulations, Guidelines, and Standards
• Physical Security and First Response
• Security Training and Education
• Communication and Awareness Programs
• Safe and Secure Workplaces
• Business Conduct and Ethics
• Business Resiliency
• Securing the Supply Chain
• Measures and Metrics
• Continuous Learning: Addressing Risk with After-Action Reviews
Additional research has identified 5 key elements in corporate security success that need to be taken into consideration and managed when implementing or upgrading a program.
• Corporate level/organizational readiness for Security – the company’s view of what security means to them and its purpose in light of business goals.
• Security leadership capability – the right fit for current expectations but also has a vision of what could be.
• Security department maturity status - knowing where security program are currently helps to develop a roadmap to a desired end state.
• Corporate culture – understand the corporate culture and tailor strategies and tactics within that framework.
• Regulatory requirements – what is required for a particular company or industry.
Once a corporate security function is in place, the real work begins in identifying vendors and service providers, managing the various information based on risks and recruiting experienced and talented people. Finally, the best security departments work with executive management to add more value to the business; enable the business to operate where and how they need to; and provide employees a resource for their safety and security concerns.
A .PDF file off this article is available below.
Contact us here: firstname.lastname@example.org.
Copyright Security Executive Council. Last Updated: March 15, 2017.