A Bill of Rights for Security Leaders


For more than a decade security practitioners, risk managers and their professional associations have worked to elevate the importance of security. As a result, security risk is now a senior management and board level concern.

In addition to the efforts of security and risk management professionals, escalating levels of homeland security risk and cybersecurity risk have also worked to bring security into the spotlights of ownership and senior management.

This means that security practitioners no longer have to “sell” management on the importance of security.

This is a big change—a good change and a long-awaited one—from the corporate security picture of 15 and 20 years ago.

With a change this big, why hasn’t advancing the cause of security gotten significantly easier? Because of information technology trends, there are basically two different answers to this question, depending on your security practitioner role.

Corporate and Physical Security Leaders

For corporate and physical security leaders, many owners and managers think that stronger security simply means either “more of the same” or “doing a better job with what we have”. They are not fully aware of the security implications of today’s higher levels of business change and the resulting impact on the organization’s risk picture. The rate of change and the multiplicity of impacts require more flexible and more adaptive approaches to security, including the selection of an appropriate security framework that is a good fit for the business.

IT Security Leaders

For IT security leaders, the increasingly rapid pace of information technology advancement and the magnitude of the resulting business technology changes have significant impacts on security planning and execution. Technology changes tend to create a technology-focused perspective. Technology changes poke holes in security at all levels: in individual security controls, in layers of protection, and in the application of security frameworks. Additionally, great change disrupts high-level security thinking. When IT is still struggling to align information systems, services and the underlying infrastructure with the business, it is a significant challenge to align IT security with the business.

Rights and Responsibilities

Security practitioners still have the same or greater responsibilities, and management is keenly aware of them. But what about a security practitioner’s rights? This is not a new concept, but it is one that rarely gets any thought. And a key thought is this: Failing to exercise your security leadership rights means that you may not be fully enabled to fulfill your security responsibilities.

The flip side of that coin is that by exercising your rights you can ensure that you will be fully enabled, and properly supported, to do your job.

The fact that ownership, senior management and the board are paying attention to security risks means that their thinking is consistent with the big picture for security, which is:

  • Business assets are the property of the business owners, who have delegated the care and protection of those assets to the executive management team.
  • Risks to business assets—and risk decisions, including decisions about security investments—are the responsibility of executive management.
  • Because executive management must make the important risk decisions, security leaders must provide security risk information and make risk treatment recommendations (people, process and technology) to executive management so that they can make informed risk decisions to support and invest in appropriate risk treatment.
  • The organization’s ownership, executive management, and security executives and managers are all stakeholders in business security, each with their own rights and responsibilities.

These rights and responsibilities are captured in these three Security Bill of Rights documents:

Do you insist on your security leader’s rights?

Are you enabled to take full ownership of all your security responsibilities?

You should influence the other security stakeholders to do the same.