SECURITY IT Leaps Out of the Box – Risk and reputation

Security is a vital component of corporate governance. A recent study by the Unisys-sponsored Security Leadership Institute found that while most CEOs understood the consequences of bad security practices, they couldn’t articulate the value proposition of good security.
In the study, conducted in late 2004, 25 CEOs in the US were asked questions that focused on the results or consequences of maintaining a secure environment. Their responses revealed they could see the value of a secure environment as a way to protect brand and reputation. In their minds, superior IT and physical security practices are necessary to achieve organisational trustworthiness in the eyes of customers, employees, shareholders and regulators, and this was a critical business imperative.
According to the study, organisations that attain high-trust status achieve real advantages – improved employee productivity, better customer loyalty, more product or service innovation, fewer failures and decreased compliance risks.
Any organisation seeking to achieve the “trusted enterprise” ideal must make risk management an integral part of business strategy and create secure environments that promote collaboration. For these companies, investment in security is an absolute necessity. According to industry analyst firm Gartner, organisations spend 0.4 percent of their company’s revenue on security, and Gartner has predicted that spending will increase tenfold, to four percent of revenue, by 2011.
The “trusted enterprise” is an organisation embracing a set of corporate values and behaviour that guide all business practices. It is highly ethical and treats its customers, employees, partners and shareholders with respect. In addition, the CEO and board are deeply engaged in managing the organisation’s operating risk in a way that delivers maximum value in a safe and secure environment.
As organisations increasingly include external parties in their business networks, the likelihood grows that these organisations’ IT infrastructures and associated business information may be compromised. This makes being a trusted enterprise a vital goal if the business is to grow and prosper.
To help companies achieve this, systems should be introduced that allow them to segregate information and introduce robust business processes so that transactions can be audited and responsibility can be assigned to individuals. For a system to do this it must provide visibility throughout an organisation, so that business management systems, processes and technology infrastructure meet the needs of the overall business strategy and remain aligned with the governance standards as these are defined.
A company’s ability to demonstrate that it has the culture and systems that protect not only its own security but also that of partner organisations will become a key competitive advantage.
So what does it take to become a trusted enterprise? First, a trusted enterprise manages its security responsibilities in a more holistic way than less trusted ones. For example, trusted organisations are more likely to integrate security into core business processes and to monitor both oversight and governance through cross-functional teams that span the entire organisation. Second, it is important to have a highly secure environment to protect brand and image in the marketplace.
According to CEOs, the trusted enterprise achieves harmony between security and business goals by pursuing four basic operating principles. First, proactive management of operational risks, such as security and internal controls, by paying close attention to early indicators of problems that might diminish the entity’s brand or reputation in the marketplace. Next, transparency in core operating practices, especially those concerning the ethical use and sharing of sensitive or confidential business information. Then, a strong understanding by both CEO and board of the organisation’s risk profile, providing executive-level support and necessary resources to achieve security goals. Finally, a compliance-savvy culture, with clear accountabilities for security and control promoted and vigorously monitored throughout the enterprise.
Security remains a prevalent priority for any business, but rather than only being of concern to technologists, security must be adopted as a key boardroom item. Corporate governance should be treated as an integral component of any business strategy, in creating a secure environment and one that provides visibility throughout an organisation of business management systems, processes and technology infrastructure. An organisation should recognise the value of implementing effective security systems in order to protect its business both in terms of assets and reputation.

Brett Hodgson is southern regional manager New Zealand for Unisys.
