Security Technology Executive

MAY-JUN 2017

Issue link:

Contents of this Issue


Page 22 of 87

www. • May/June 2017 • SECURIT Y TECHNOLOGY E XECUTIVE 23 » The question of who sets security policy is political and boils down to one characteristic: savvy. « alarm panels, door controls, fencing, lighting, cameras and miles of coaxial cable. Clearly, in 1997, Corporate Security reigned supreme. Yet, 10 years earlier, a seed of change had been planted. IT was growing in influence. The IT security hobbyists working on mainframe computers had made enough noise about viruses and hackers that business managers finally authorized a budget for data security. "Here's some money to keep bad things from happening – as long as you don't tell me what you are doing! I don't want to know about security," they would say. The years went on, with IT security geeks dreaming up every bad thing that could possibly happen, then devis- ing ways to mitigate them – all the while complaining that the executives don't pay enough attention to IT security. In 2000, the economy tightened up and for the first time corporate and IT security managers were brought out of the shadows and into the light – but it wasn't the limelight of the stage. It was the interrogator 's lamp. For the first time, security experts were asked to describe protection efforts in terms of return on investment (ROI), and cost- benefit analysis. 2000 and 2001 saw the highest number of fir- ings of security managers in recent years as access control and guard professionals failed to articulate the value of security in terms that executives could appreciate. It got worse after 9-11 when hundreds of CEOs called in the heads of IT security and corporate security for a briefing, only to discover that the two chaps had never met one another. Security received lots of attention after September 2001 when hundreds of millions of dollars were spent on security-related stocks and knee- jerk corporate defenses. Then another shoe dropped; see Enron, WorldCom, Sarbanes-Oxley, Basel II Capital Accords, and EU data protection directives. Suddenly, risk management was the main topic within the executive suite. Security plays a role – to be sure – in corporate risk management, but it is a role subservient to investment risk, brand risk, credit risk, and the myriad other forms of risk management. Chief Security Officers – sometimes hired, sometimes self-proclaimed – attempted to rise to the risk man- agement challenge, but failed to gain more influence than a certain previously unknown influencer in the executive suite: the chief information officer. The CIO had, for the previous 10 years, steadily grown in status and influence across all sectors of the cor- poration. It is the information technology professional that did the best job of translating the importance of technology to business value. Physical security professionals have still not learned that language. Now, in 2017, the role of CIO is well established, as is the importance of communicating the value of technol- ogy in business terms. Any manager, who demonstrates consistent cleverness and understanding of the business, will generally grow in rank and influence. There are varieties of ways to show this savvy. Some security professionals are adept at While corporate silos have begun to crumble, many enterprise organizations are still in a tug of war regarding who calls the shots for security and risk – the CSO or the CISO? Image Courtesy of

Articles in this issue

Links on this page

Archives of this issue

view archives of Security Technology Executive - MAY-JUN 2017