As the risks faced by businesses grow ever more complex and threats proliferate, the job of those responsible for managing the security of the organization has got much harder. The whole concept of security has also expanded way beyond the traditional remit and into areas such as protecting brand and intellectual property, preventing losses, anti-counterfeiting, cyber-terrorism, parallel trading and on-line fraud.
Many security departments are so busy fighting day-to-day fires that they risk missing less obvious but equally important threats, as well as failing to address the wider issue of “converged” risk. As traditional risks converge with new ones, they can seriously jeopardize the organization’s long-term profitability, damage its brand or even threaten its very existence.
According to the 2008 BERR information security breaches survey, most major UK businesses are devoting 5-7% of their IT operating budgets to security. That’s a huge proportion of money, but is it enough? It’s all too easy to spend on, and focus on, the wrong things. Most large organizations have well-established strategies in place to deal with easily definable security issues like fraud, IT security protection or physical security, where there are clear lines of responsibility that in some cases go right up to Board level.
It is surprising to find that a large proportion of companies don’t even know how many security breaches they have. According to the latest PwC Global State of Information Security survey, 35% of the 7,000+ respondents weren’t aware how many incidents had occurred in their businesses in the last year, and 44% didn’t know what type these incidents were. And while companies are more dependent on their systems than ever before, 28% of respondents did not have any sort of IT disaster recovery plan, and of those that did, 48% had not carried out a test in the last year.
The convergence of risk and the ever-changing threat landscape most organizations face are now so wide-ranging that many different departments, as diverse as governance, audit, legal and HR, all have a role to play. For this reason it helps to look at a security profile in terms of actual and potential converged security threats, rather than specific threats to a single asset, department or business application.
A good example would be the new product or service development process. In the weeks and months before launching a new product or service, the risk profile changes, ranging from physical and supply chain risks to IT security and intellectual property theft risks. Some of these are obvious, some less so, but they can all pose substantial security challenges if not addressed from a holistic strategic or tactical risk perspective.
PwC benchmarking survey
PwC’s security specialists recently conducted an in-depth survey of the corporate security practices of 10 leading UK-based multi-nationals, the first time that corporate security (as distinct from information security) has been benchmarked in detail. The subjects covered included governance, people management, physical and equipment security, incident investigation and crisis management, anti-counterfeiting and supply chain, and monitoring.
These areas were measured according to three criteria: strategic alignment; risk management and control; and efficiency. The survey found there were considerable differences between the highest and the average scores in each of the three areas. This means there were clear opportunities for all the companies to improve at least one aspect of their corporate security.
Among the key conclusions were:
- far greater collaboration with external parties and a deeper understanding of the risks these partnerships represent are needed
- people security and media security are areas of particular weakness
- investigation and intelligence gathering need to be improved, given the convergence of a wide variety of risks
- most companies could do more to prepare for potential crises, especially when it comes to disaster recovery
- there is scope for better co-operation with Internal Audit, as well as improved monitoring
- effective measurement is still an issue: senior executives want more and better information about the value corporate security is contributing
- challenging economic times are likely to lead to higher levels of crime.