CMP -- United Business Media

Intelligent Enterprise
April 16, 2002

The Vigilant Enterprise, Part 2

The CSO's job just got a lot harder

By Yobie Benjamin

As we forge ahead into a new century, it's become perfectly clear that most ideas about business continuity — and what constitutes a reasonable security strategy — have become obsolete.

This cataclysmic shift isn't just a byproduct of the recent terrorist attacks on the United States. The rise of wireless technology, globalization, networked enterprises, and countless other market forces now expose the majority of businesses (and legislative bodies) to risk levels that far exceed the protections currently built into their operating frameworks.

What the Sept. 11th attacks brought home is that the strategies and guidelines put in place to protect people and physical assets can no longer operate independently of those used to protect highly valued intangibles: systems data, intellectual property, brand, corporate reputation, and the like.

What does this new reality mean for a chief security officer (CSO)? For one thing, today's CSOs must have as deep an understanding of a company's operations as they have of its digital infrastructure. At a manufacturing business, for example, a CSO would need good working knowledge of the company's distribution and supply pipelines, vendor or dealer networks, production standards, financial operations and banking relationships, and HR policies and procedures.

And that's not all. In large-scale attacks — or, just as important, in natural disasters — most companies are surprised to learn the degree to which they're on their own when it comes to implementing fail-safe systems and contingency plans to address recovery situations on a fast-response basis. The CSO must similarly factor such events into the business's overall security policies and procedures.

In other words, contingency planning isn't just about backing up systems information or creating standby data centers in ancillary locations. For CSOs to provide the right level of protection they must understand everything about a business, from how money flows through the organization to what it takes to keep people, products, and information safe.

Even forward-looking companies may be caught off-guard. A recent Ernst & Young study found:

  • Three-fourths of companies polled said they have business continuity plans in place, but only one-third of that number has tested them. This significantly increases the likelihood that critical business systems will not be available when needed.
  • Even without physical threats, only one-third of companies polled said they were very confident that they could detect a hacking attack.

(Such challenges are widespread: Even without the presence of wholesale emergencies, the survey found that nearly 75 percent of U.K. companies reported critical business systems failure over the past 12 months.)

Rewrite the CSO's Job Description

Given the magnitude of the challenge, it may well be time to abandon the "CSO" nomenclature altogether, even as a vast number of companies struggle to carve out the position for the first time. In fact, what most companies really need is a Chief of Command and Control Operations (CCCO).

This executive would sit at the CEO's right hand, report to the Board, and take responsibility for a comprehensive portfolio of risk and control issues that would:

  • Assure the lives and security of the company's employees
  • Protect the company's physical and digital assets
  • Create controls that ensure the integrity of all business operations, including those that would shield the business from unauthorized access by agents — be they biochemical or human — seeking to disrupt them
  • Establish and monitor procedures to maintain the smooth flow of goods and services into the marketplace
  • Interact with civil authorities and public safety officials to maintain the operating integrity of the business and the communities in which it operates.

In this integrated security world, the CCCO will be ready to address the new century's ever more complex questions that I pointed out in "The Vigilant Enterprise":

  • Would the business survive if multiple sites were to be attacked simultaneously? Pre-Sept. 11th risk-management models tended to look at single-location disruptions.
  • Do mailroom practices, call-center policies, reception protocols, or other back-office and administrative processes leave — or create — gaps in security efforts?
  • Are adequate safety measures being taken to protect personnel and other assets in high-risk areas outside the United States? Will reliance on local civil authorities enhance or decrease risk exposure?
  • Will corporate efforts be closely aligned or at odds with local and regional community interests if emergency procedures must be invoked?
  • Are vulnerability assessments limited to cyber attacks?
  • Are risks adequately categorized, tracked, rated, ranked — and responded to?
  • Is information about policies, procedures, configuration standards, vulnerabilities, and viruses frequently and systematically communicated to people across the organization?

But before the CCCO can answer these and other questions, organizations must be ready to replace static security postures with initiatives that let them continuously gather intelligence, reassess their risks, and adjust security measures accordingly.


Yobie Benjamin, a partner and chief technology officer of Ernst & Young's Security and Technology Solutions organization, has been involved in the security space since the 1980s. He is a frequent author and commentator on technology issues and has been profiled by ABC Television's 20/20 and the Discovery Channel.