Making Preparedness Pay 

 
Download Article Article in Digital Form

I recently read an interesting survey of business executives: Preparedness in the Private Sector—2011.1 It is published by The Conference Board and was part of a project The Conference Board performed with the US Department of Homeland Security. The Conference Board describes itself as “a global, independent business membership and research association working in the public interest, [providing] the world’s leading organizations with the practical knowledge they need to improve their performance and better serve society.”2 The 263 survey participants were largely security, information technology and business continuity executives from a broad mix of companies, ranging from below US $100 million to more than US $10 billion.3

The Conference Board study addresses the resilience of companies “to bounce back from a disruption” caused by security events, which are defined rather loosely as environmental disasters, terrorism and cyberattacks.4 The objective of the report was to find common themes illustrating companies’ preparedness for such events. There were two findings that I found particularly interesting, in large measure, I am sure, because they reinforce my own beliefs. I would like to explore them a bit here.

Culture Is Key

The report states, “To become resilient, a company must develop and perpetuate a culture that values quick response and flexibility and provides authority to local managers to respond to rapidly changing circumstances without the need for approval from corporate or division headquarters.”5 This idea is very much in keeping with the definition of a security culture presented in ISACA’s Business Model for Information Security (BMIS).

[A] pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things. It is emergent and learned, and it creates a sense of comfort. Culture evolves as a type of shared history as a group goes through a set of common experiences. Those similar experiences cause certain responses, which become a set of expected and shared behaviors. These behaviors become unwritten rules, which become norms that are shared by all people who have that common history. It is important to understand the culture of the enterprise because it profoundly influences what information is considered, how it is interpreted and what will be done with it. 6

Hierarchies break down in a crisis.7 For that reason, security preparedness needs to be spread widely across an organization to overcome dependency on higher levels of authority when the lines of communication upward and down are cut. ISACA has addressed this point at length in its recent publication Creating a Culture of Security.8 Preparedness does not grow from the culture; rather, a receptive culture is the soil in which security can be fostered and can grow. Absent a supportive culture, the most advanced techniques, dedicated security professionals and the finest technology lead to a middling level of security, at best.9

The Conference Board report adds another dimension: time. Many factors, not least the Internet, have accelerated the pace of change within organizations. Thus, “there is simply no time to follow a top-down, hierarchical management structure. By the time a proposed action has been reviewed and approved by higher levels in the organization, it will likely no longer be relevant since the situation will have already changed.”10 The onset of many disruptive events, certainly including malicious physical and logical attacks, is so rapid that the only way an organization can be in any way prepared to face them is to embed preparedness in its corporate culture.

Potential Benefits to the Bottom Line

To my way of thinking, the most gratifying section of The Conference Board’s report deals with short- and long-term financial benefits of security. Only 9 percent of the participants replied that preparedness efforts had hurt their organizations’ bottom lines by increasing the cost of operations.11 That small percentage might be surprising to some, but it ought not be. Perhaps I am too Pollyanna-ish,12 but I cannot see insecurity as an organizational option. Reasonable people may differ on how much security is required, but not on the need for its existence. Thus, the cost of security should at least be neutral, with neither a positive nor a negative impact on an organization’s overall financial position.

What does surprise me is that more than a third of the survey participants see the efforts to develop security as beneficial to their organizations’ finances. I am not shocked that it makes a company more competitive and its operations more efficient; I am delightedly astonished to learn that many executive realize it.

The fact that preparedness often requires redundancy does not necessarily equate to doubled costs. As the report points out, resilience “does not necessarily require redundant facilities, but instead that capabilities be redundant across the organization.”13 Resilience can be achieved through standardization, interoperability, overlapping supply chains and broad-based expertise across an organization. These enable organizations to be nimble and flexible in the midst of constant change, as well as in times of disruption. Organizations can easily shift production or other operations to new locations to adapt to changes in consumer demand or to take advantage of lower costs, all of which bolster their finances, rather than undermine them.

Personally, I would go further. I have stated elsewhere that a secure organization—one that is as secure as it needs to be—is a better organization.14 Beyond cost avoidance, reliability, integrity, confidentiality and privacy help organizations meet all their goals: profit to be sure, but also service, quality, reliability and the other attributes for which they strive.

The value of The Conference Board survey comes not so much from its findings, as meaningful as they are, but from the understanding of the mentality of relevant executives in security-related fields. What might make it more valuable is to learn about the perceptions of those in management who are not professionally attuned to security and preparedness. I suspect that the culture of security in many organizations is not yet so widespread as to be able to generalize on the statements in this report. It shows us not so much where we are as where we might be heading.

Endnotes

1 Bayer, Daniel Sandy; Preparedness in the Private Sector—2011, The Conference Board, www.conference-board.org/publications/publicationdetail.cfm?publicationid=2026
2 The Conference Board, www.conference-board.org/about/index.cfm?id=1980
3 The report does not identify the participants in the survey by nationality, but it seems in context that they were Americans. However, reference is made to multinational companies, so there is much relevance to the report beyond US shores.
4 Op cit, Bayer, p. 4-5
5 Op cit, Bayer, p. 9
6 ISACA, An Introduction to the Business Model for Information Security, USA, 2009
7 See Watts, Duncan; Six Degrees: The Science of a Connected Age, Norton, USA, 2003, p. 285.
8 Ross, Steven J.; Creating a Culture of Security, ISACA, USA, 2010. Written by me. Shameless self-promotion.
9 Op cit, Bayer, p. 39
10 Op cit, Bayer, p. 9
11 Op cit, Bayer, p. 14
12 A reference to the Pollyanna character from the classic American movie of the same name
13 Op cit, Bayer, p. 14
14 Op cit, Ross, p. 40

Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at [email protected].


Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2012 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.