In reading this book, if you are a committed seeker of value for your organisation, we hope you will discover fresh perspectives within the theme of “Value from Security”. If you are currently a security professional, or someone who has security within their portfolio of responsibilities, then we hope you will also find fresh things to look at and respond to. If you are a shareholder, you will find ways to discover whether security is providing all it can to protect and nurture your interests. The aim is for value to sit alongside protection as security's core contributions to enterprise.
“Value from Security” doesn't simply mean monetary value. Value applies equally to the ways in which security can contribute to corporate responsibility and reputation. This double delivery, which we can also term profitable security, should also manifest itself in ways that anyone in an organisation can access and understand. In the generally accepted view that organisations have different and identifiable cultures, one of the contributing parts to that overall culture is the role of the discrete yet integrated security function.
In fast-moving modern businesses today there is increasingly a definable culture of security that touches all parts of the organisation and is a fully integrated part of the business. Indeed, security's strategy, goals and processes are derived from the core of the operating business itself, and security is a critical success factor in the eyes of everyone from the CEO, through the organisation, and beyond, to partners and suppliers, clients and customers.
It is only recently (within a decade) that the idea of a pervasive security culture in non-military or national security organisations, where everyone feels a sense of ownership and accountability, has gained ground and supporting practitioners. As this idea has been fostered, the role of a Chief Security Officer has also evolved into one of embracing the role of ‘communications evangelist’, not just keeper of the keys, who is increasingly recruited for, and assessed on, the ability to embed security in a wider organisational culture. This will continue. Such generalist management skills will be required in addition to technical security competences, as value seekers make more demands of a previously bolted-on security function. Security isn't just out there; it's a part of the total organisational universe.
A study of Fortune 500 firms showed that security leaders need to develop “composite security metrics that are simple to understand and clearly linked to the business”, and that these have become primary imperatives. In another piece of research, the Massachusetts Institute of Technology asked over 1200 people from six companies for their assessment of readiness to combat specific types of security risk, and the perceived importance of that risk, using a Total Quality Management methodology. Critical in the study was the drive to understand better how ‘perceptions shape decisions’.
The study showed that today there are still significant gaps between the importance of security risks and the readiness, ability and awareness of the need to address those risks. The security risk areas included security culture and policy itself, accessibility, vulnerability, confidentiality, financial and IT resources, and business strategy.
Any senior manager with no link to any of these issues is surely a rare being, so the likelihood is that managers could do well by contributing to the closing of such gaps, and to the generation and elevation of security as a quintessential element of corporate culture.
The real challenge is getting people to see this, and then act on it. It is not easy, and it takes time. We aim to make these steps more palatable to all parties, but accept that Schopenhauer's observation holds true not just for scientists: “All truth passes through three stages. First, it is ridiculed. Second, it is violently opposed. Third, it is accepted as being self-evident”.
Even in a positive world, the overestimation of how secure an organisation and its assets are is commonplace. No one is suggesting doom-mongering as a viable style of raising awareness of security considerations. We aim to demonstrate how more active and conscious participation by stakeholders in improving security throughout an organisation can be achieved pragmatically.
Job one is to ensure that security's role as an asset protector is assured. Job two is to see how security can perform an additional undiluted role as an incremental source of profit and other profitable values.
This also means that whoever has the remit of providing security leadership can no longer behave simply as ‘a compliance tactician’. A pro-active security leader will best serve a company through two developments: their own improved operating skills, and a balance achieved through direct links to a supportive CEO and across all key company functions.
What we are talking about has been put into successful practice by us. It is not theory or wishful thinking, but the empirical experience of people who have spent a long time building experience and collecting scars that end up being categorised these days as best practice.
Since much of security is about perception and perspectives, we give a rounded view of what it is like to work with security from different positions within an organisation, and how your contribution to, and support for, security becoming a more profitable practice can be defined and enhanced. As far as we are concerned, you can get higher “Value from Security” whatever your starting point, and we offer here ways to treat the role of security as a virtuous circle: things may look different from where you are standing, but you're still connected to everyone and everything else.