The Conference Board (New York) recently released a study that illustrated companies most attuned to security issues are those with the most exposure to a broad range of security risks—including organizations in critical infrastructure industries, large corporations, multinationals with global operations and publicly-traded companies.
The survey, "Navigating Risk: The Business Case for Security," was sponsored by the Department of Homeland Security and was designed to gauge the role and influence of security managers among general senior executives. What it found was that the most supportive executives were not necessarily the most influential, and the most influential managers were not necessarily the most supportive.
The Conference Board surveyed 213 senior corporate executives in a variety of industries, 30 of whom were from financial services, one of the largest sample groups represented. "Financial services is generally seen as one of the pace-setter industries in security," comments Thomas Cavanaugh, senior research associate in global corporate citizenship at The Conference Board and author of the report.
Half of the participants were C-level executives. Cavanaugh purposely excluded security directors and risk officers in an effort to more fully determine the support of such initiatives among those executives whose primary functions do not include security.
The study showed that not only is there a significant disconnect between security directors and senior executives, but there is also a disparity between the types of risk mitigation these top decision-makers support. The senior executives gave more weight to security concerns on issues of operational risk, such as compliance and certification. Much less weight was given to security on strategic issues, like competitive advantage, brand management and growing new lines of business. The executives most supportive of security matters tended to be those in risk-oriented positions, such as CIOs, risk managers and compliance officers.
"Clearly this is something you'd like to remedy," says Cavanaugh. "It's a major source of frustration for security managers. Part of their job description is to be the chief security lobbyist in their organization. They need to present a case showing why security will be good for business." He says they need to do this in terms that catch the attention of senior management—such as the contribution of better security to the brand, to operational excellence and to competitive advantage.
"Security directors appear to be politically isolated within their companies," says Cavanaugh. "They face a challenging search for allies when they need to gain support from upper management for new security initiatives."