CO - Finnovation

Boardroom commitment to security

The subject of ‘Board commitment to security’ is a sensitive and often emotive one. The picture differs according to the industry, there being no definitive model. Historically, the perception of security has been that of a costly and often ‘endured’ overhead which added little value to the business. However, over recent years that perception has changed significantly. Management boards are focusing more on the security function, putting greater emphasis on the security of staff and, in some industries, committing significant capital and revenue investment in security. In this article I will be discussing why I think there has been such a cultural change at Board level, and how security can further develop Board support by providing the necessary assurances and levels of performance that modern business demands.


Security, like many other functions and projects, has in the past been guilty of operating in a ‘silo’: not focused by nature on the wider business issues and often constrained by cost and resource. That ‘isolation’ has led in many instances to companies not recognising the important role security could play, not only in enhancing the business but also in creating an environment in which staff feel protected and content to work. As a result, security was not considered an essential business process and certainly not an enabler! However, that is not necessarily the case today. The business community accepts security more widely and the security agenda has been elevated to Board level. But what has been the catalyst for this remarkable change in perception, and what has been done to embrace the increased relevance of security as a business enabler?


The horrific events of 9/11 have had an obvious and significant impact as the world comes to terms with the reality of global terrorism in all its unpredictable and irrational forms. The industrial world has realised that to maintain a viable business it must operate in a secure environment and accept the associated costs and, sometimes, operational restrictions. The political profile of security has increased even from the days of heightened Republican terrorism, a profile which is unlikely to reduce in the foreseeable future. Those events have manifested themselves in many ways throughout the business community, most significantly as businesses address and mitigate the risks they face and make assurances to stakeholders under Corporate Governance.

But what is Corporate Governance?


Corporate Governance refers to the manner in which a corporation is directed. The corporate governance structure specifies the relationships, responsibilities and accountabilities among primarily three groups of participants: the board of directors, managers, and shareholders. It spells out the rules and procedures for making decisions on corporate affairs; it also provides the structure through which the company objectives are set, as well as the means of achieving and monitoring the performance of those objectives. The fundamental concern of Corporate Governance is therefore to ensure the conditions whereby a firm’s directors and managers act in the interests of the firm and its shareholders, and to ensure the means by which managers are held accountable.


“Corporate governance is about promoting corporate fairness, transparency and accountability.” J. Wolfensohn, President of the World Bank, as quoted in an article in the Financial Times, June 21, 1999.


In the early years of Corporate Governance, the emphasis was on financial control, growth and profit. As the reality of the impact of Governance and the penalties of non-compliance has been absorbed, Boards have realised the extent of their corporate responsibility. Corporate Governance demands assurances from all aspects of a business, assurances which a Board must communicate to its shareholders. Those assurances include security, and with them comes Board-level accountability for the business operating in a secure environment.


There are two key words that embrace Corporate Governance: Accountability and Assurance. Two words which can instil fear in the most robust of senior managers! However, they are also the two words on which an effective and resilient security regime must be built. Let’s look at those two words and analyse their impact on security.


Accountability. Accountability is about taking ownership: ownership of the process, its delivery and its performance. Within any successful organisation, the extent of accountability will vary according to position and seniority; security is no exception. Accountability for security rests ultimately with the Board of Directors, which is charged with providing the shareholders with an assurance that the business is secure and that all security risks have been addressed. To deliver that undertaking, the Board must ensure that an effective risk management process is in place and that accountability for security is suitably delegated to all managers within the business. Many companies have appointed an Executive Security Committee (ESC) which oversees all aspects of security on behalf of the Board and which has executive powers to approve strategies, policy and funding for security. The committee also monitors the performance of security across the business; this is the enabler for providing positive Assurance statements to the Board and shareholders. The role of the Security Function in all this is that of the ‘enabler’: providing a professional service, advice and management. (Fig 1)


Assurance. It is no longer acceptable to assume that the absence of security incidents means that an effective security posture exists and that no changes or improvements are required. Historically, that position has often led to complacency, the implementation of ‘cost saving’ measures and a reduction in the security posture. Today, shareholders and stakeholders are looking for assurances that everything possible is being done to protect their investment and that all risks are being addressed. Assurance is the key element of Corporate Governance, and assurances given by a Board of Directors must be supported by auditable evidence and robust process. An assurance statement must ‘tell it as it is’. Therein lies the dilemma: how does a Board of Directors gain the confidence that ‘all is well in security’ and that statements made to them about the performance and effectiveness of security are true and not inflated to meet the Board’s expectations? The answer lies in ‘top down and bottom up trust and commitment’. The Board has to demonstrate its understanding of and commitment to security before the business will trust it and deliver an effective culture and regime. Beyond that, it is about the continuous and effective performance management of all aspects of security against the perceived and actual threats.


Performance management means many things to many people. It is often interpreted as ‘endless and pointless performance indicators’, particularly by those who have to administer them! But developed and delivered properly, performance management can support accurate assurance statements and give the Board the necessary confidence in the security regime.


Building the framework for a realistic performance management system is about mapping security threats and risks against the current security posture; identifying the effectiveness of current countermeasures; conducting a vulnerability gap analysis; and implementing actions to bridge the gaps. Only when those actions are complete is it possible to manage the performance of security.


Performance management is about having ‘real time’ information on how security is performing: information which portrays an accurate picture of the good, the bad and the indifferent; information upon which improvement programmes can be based and measured; information which answers ‘killer questions’ such as “Are we effectively controlling access to our sensitive material?” and “Do we have a robust maintenance process for our detection systems?”. Each of the killer questions will generate a response which indicates a level of vulnerability on which management can base decisions.


How that information is gathered and communicated is dependent on the style and structure of the business; however, ‘the simpler the better’. It is important not to turn this necessary process into a ‘chore’: the more those who administer the process believe in and understand it, the more accurate the output will be.


Magnox, a world leader in the civil nuclear industry, has embraced a model similar to this and now enjoys a unique position in having an effective security regime and culture which has the full support and confidence of the Board and its stakeholders.


In summary, the way in which corporate responsibilities have changed over the years has had a positive impact on how security is perceived and supported. However, security has to change to maintain that support, and has to deliver, through the management chain, auditable assurances based on effective yet simple performance management. If this is achieved, the relationship between the Board and security will be enhanced and will continue to grow.

John
Senior Security Director

An experienced and well-respected Senior Security Director with over 40 years’ experience in the security industry covering Defence, Nuclear (Civil and Military) and the Critical National Infrastructure. He is the former National Chairman of the Defence Industry Security Association (DISA) and a former member of the UK Government Cabinet Office Steering Group on the review of UK Security Vetting. John is a visiting lecturer on Nuclear Security and Safeguards at the University of Central Lancashire (UCLan).
