Having worked as a corporate security manager for many years, John Davies believes that there has been a cultural change at Board level in relation to security provision. If that is indeed the case, how can security practitioners further develop Board support for their role? By providing the necessary assurances and levels of performance that modern business demands.
The subject of Board-level commitment to security is a sensitive and often emotive one. The picture will tend to differ according to the industry, there being no definitive model. Historically, of course, the perception of security has been that of a costly and often ‘endured’ overhead which adds little value to the business. Thankfully, in recent times this perception has changed quite markedly.
Boards of Directors are slowly beginning to focus on the security function, in turn placing a far greater emphasis on the security of their staff. In many industries, this has necessarily meant a commitment of significant capital investment. Why, then, is such a cultural change arising, and how might security practitioners develop further Board support?
Like many other functions and business projects, in past times it’s fair to say that security has been somewhat guilty of operating in a ‘silo’ – a point endorsed by Michael Jasper, head of risk at The British Library, at last October’s SMT Forum (‘The SMT Forum’, November 2004, pp18-21). By its very nature, security has not been focused on the wider business issues, and has often been constrained by cost and resources.
In many instances, this isolation has led to companies not recognising the genuine importance of security, not only in terms of enhancing the business but also in creating an environment in which members of staff feel protected and content.
As a direct result, security wasn’t considered an essential business process, and certainly not an enabler! That’s not necessarily the case today, though. The business community has come to accept security more widely. The horrific events of 9/11 had an obvious and significant impact as the world came to terms with the realities of global terrorism in all of its unpredictable and irrational forms.
The industrial and commercial worlds have realised that, to maintain a viable business community, they must operate in a secure environment and accept the associated costs (and, on occasion, the operational restrictions).
The political profile of security has increased even beyond the days of heightened Irish Republican terrorism, and that profile is unlikely to decrease in the foreseeable future. In many ways, those events have manifested themselves throughout the business community, for the most part as businesses begin to address the risks they face and make assurances to stakeholders under corporate governance.
Direction from the top
“Corporate governance is concerned with promoting corporate fairness, transparency and accountability.” So says James Wolfensohn, who ends his presidency of the World Bank this month after ten years in office.
Corporate governance refers to the manner in which an organisation is directed. The corporate governance structure of any company specifies the relationships, responsibilities and accountabilities among three groups of participants: the Board of Directors, managers and shareholders. It spells out the rules and procedures for making decisions on corporate affairs, and also provides the structure through which the company’s objectives will be set (as well as the means of achieving and monitoring the performance of those objectives).
Therefore, the fundamental concern of corporate governance is to ensure the conditions whereby a firm’s directors and managers act in the best interests of the company and its shareholders, and ensure the means by which managers are ultimately held accountable.
In the early years of corporate governance, the emphasis was on financial control, growth and profit. As the reality of the impact of governance and the penalties of non-compliance have been absorbed, so Boards of Directors have realised the extent of their corporate responsibility.
Corporate governance demands assurances from all aspects of a business – assurances which a Board must communicate to its shareholders. Those assurances include security and a Board level accountability for the business to operate in a secure environment.
There are two key words, then, that embrace corporate governance – accountability and assurance. Two words which can instil fear in the heart of even the most robust security manager! Nonetheless, it is upon these words that an effective and resilient security regime must be built. Let’s look at those terms, and analyse their impact on security.
Ownership of the function
Accountability is about taking ownership. Ownership of the process, its delivery and performance. Within any successful organisation, the extent of accountability will vary according to position and seniority. Security is no exception. Ultimately, accountability for security rests with the Board of Directors, which is charged with providing the shareholders with an assurance that the business is secure, and that all security risks have been addressed. To deliver that undertaking, the Board must ensure that an effective risk management process is in place, and that accountability for security is suitably delegated to all managers within the business.
Many companies have decided to appoint an Executive Security Committee to oversee all aspects of security on behalf of the Board. That Committee will be granted executive powers to approve strategies, policy and funding for security. The Committee also monitors the performance of security across the business – it is very much the enabler for providing positive assurance statements to the Board and shareholders. The role of the security function in all of this is that of the ‘enabler’. In other words, providing a professional service, advice and management (figure 1).
It is no longer acceptable to assume that the absence of any security incidents means that an effective security ‘position’ exists, and that no changes and/or improvements will be required. Historically, such a position has often led to complacency, the implementation of cost saving measures and a reduction in security provision. Today, shareholders and/or stakeholders are looking for assurances that everything is being done to protect their investment, and that all risks are addressed.
Assurance is really the key element of corporate governance, and assurances given by a Board of Directors must be supported by auditable evidence and robust processes. An assurance statement must ‘tell it as it is’. Therein lies the dilemma…
How does a Board of Directors gain the confidence that ‘all is well in security’, and that statements made to them about the performance and effectiveness of security are true and not inflated in order to meet the Board’s expectations?
The answer lies in top down and bottom up trust and commitment. The Board has to demonstrate its understanding of – and commitment to – security before the business will trust and deliver an effective culture and regime. Beyond that, it is all about the continuous and effective performance management of all aspects of security against the perceived and actual threats.
Building a framework
Performance management means many things to many people. It is often interpreted as ‘endless and pointless performance indicators’, particularly by those who have to administer them! However, if they are developed and delivered properly, performance management targets can support accurate assurance statements, and give the Board the necessary levels of confidence in the incumbent security regime.
Building the framework for a realistic performance management system is concerned with mapping security threats and risks against the current security set-up, identifying the effectiveness of current countermeasures, conducting a vulnerability gap analysis and implementing actions to bridge any gaps. Only when those actions are complete is it possible to manage the performance of security.
Real-time information is crucial
Performance management is about having ‘real-time’ information on how security is performing. Information upon which improvement programmes can be based and successfully measured.
Information that answers ‘killer questions’ such as: “Are we effectively controlling access to our sensitive material?” and “Do we have a robust maintenance process in place for our detection systems?” Each of the killer questions will generate a response which indicates a level of vulnerability on which management is then able to base decisions.
How that information is gathered and communicated is dependent on the style and structure of the business. That said, ‘the simpler the better’ is a good maxim to work by. It is vitally important not to turn this necessary process into a chore.
It’s fair to say that the more those who administer the process believe and understand it, the more accurate the output will be.
Be prepared to change
My previous employer, British Nuclear Fuels plc – a world leader in the civil nuclear industry – has embraced a security model very similar to this, and now enjoys something of a unique position by having an effective security regime and culture which enjoys the full support and confidence of the Board and its stakeholders. That has to be the overriding objective.
The ways in which corporate responsibilities have changed over the years have had a positive impact on how security is perceived and supported. However, security must change to maintain that support and has to deliver – by way of the management chain – auditable assurances based on effective (yet simple) performance management.
Ultimately, if this situation is achieved then the relationship between the Board and the Security Department will be enhanced, and will continue to grow.
Source: SMT
Postscript
John Davies is the former group security manager at British Nuclear Fuels plc, and is presently the consultancy manager for Selenia Communications.