Security also has to adapt to a mobile workforce, notes the report. It is now less about providing a physically secure location and more about “addressing risks when the company has little or no control over the location itself.” That means making employees aware, providing tools, and getting them to take some responsibility for assisting with the security mission.
Similarly, a company has to get its external business associates, partners, and providers along their supply chain to accept shared responsibility for the company’s security, because any weak link in this chain of dependencies can lead to catastrophic failure should a tsunami-like event occur. And yet, a 2010 IOFM survey found that fewer than half of large companies made sure suppliers had business continuity plans.
The report also notes that “technology and devices are making great leaps in capabilities but most security executives still evaluate them the same way.“ While that’s okay for some simple systems, like turnstiles, “security software should perhaps now be viewed in a more strategic fashion...[and] security strategy should now be examined in conjunction with the capabilities of technology,“ the report states.
Another issue addressed in the report is how to assess the real value of cutting-edge technologies, such as camera analytics and biometrics when they are found to be less impressive than the PR. Though they don’t live up to the initial hype, they can prove to be genuinely useful once soberly evaluated and realistically implemented, those interviewed for the report note. But, the report cautions that “organizations should not take the effectiveness of electronic security systems for granted,” Properly training staff and monitoring systems for performance is critical.
And then there is the issue of how to communicate security’s value. In many cases, security continues to be plagued by a view that it is a cost center or a necessary evil. That relates to two core challenges that security department heads face, according to the report: the need to better align security goals with business goals and the need to better document security performance. With regard to the latter, some progress has been made. For example, the report notes that use of quantitative security performance metrics, once rare, has grown more common, with one-third of companies reporting that they have extensive metrics programs. And those departments that have good measurement systems have been found in IOFM studies to be twice as likely to have their strategic value recognized. However, “the effort to forge performance metrics that reliably apply across the profession is still in its infancy,” states the report.