Measuring security's performance is not the primary issue, however. The bigger question is what security should be doing in the first place, which gets to the first of the core challenges: aligning with business goals. To answer that question, security department heads must be able to properly assess the company's vulnerabilities in conjunction with other departments and in the context of macro business trends (such as offshoring), management's goals, and the company's appetite for risk, and then use that information to formulate and present security solutions with a clear return-on-investment plan. The report notes, for example, that there is greater demand for proof of payback than there was three years ago.
But as important, or more so, the report states, "the goal of more sophisticated security accounting should not be to 'sell' senior management on the idea that all security spending is wise, but rather to more accurately describe the value of security spending versus the cost of residual risk."
The ultimate goal is to make sure that corporate leaders are presented with the information they need to make an informed decision about which risks to counter and which to tolerate or insure against. Thus, notes the report, “a truly strategic look at a security issue...will occasionally yield a recommendation for doing nothing.”
Ultimately, chief security officers, like all species, must adapt or die. As the report notes, "if top security leaders fail to promote a more business-like, strategic risk management approach to security, then the strategic thinking will be handed to others."
(To get the full report, contact ASIS Customer Service at 703/519-6200.)