by Luis Ramos in Security Magazine, March 27, 2012
It’s a scary world out there. Hackers stalk your networks just waiting to access your data. Identity thieves are busily scheming how to take over your assets. Fraudsters look for ways to take advantage of your good graces for personal gain. Maybe you have total confidence in your information security efforts because your IT team is well-versed at protecting networks and data assets. But what about the business processes themselves, or the people responsible for the day-to-day operations of those processes?
Corporate security is an essential part of any organization, but all too often the role of security has remained overly focused in information technology. In essence, it’s been about creating a sturdier door with a more pickproof lock. But that’s changing. Today, security leaders are being called upon to not only manage protection and mitigate the consequences of risk, but also to proactively identify potential risks and to become better aligned with the organization’s values and ethics-based objectives.
Security policies are not at fault, nor do data protection protocols lack in scope. All things considered, security measures are more efficient than ever before. But the malfeasants have also become savvier in their efforts. A recent KPMG study, “Who is the Typical Fraudster?”, found that in more than one in ten fraud events, the fraud was committed by individuals who colluded to circumvent otherwise good anti-fraud control measures – almost double the proportion reported just five years ago.
Corporate initiatives that are integrated enterprise-wide at the various touch-points along the compliance lifecycle serve to connect risk management activities with security’s role as the corporate guardian. Such an approach serves to strengthen an organization’s collective security posture and enables it to minimize the potential for fraudulent or unsafe activities, thus guarding against risk. This integrated approach to governance, risk and compliance (GRC) works in conjunction with existing data protection and security measures to align policies and standards of behavior (e.g., code of conduct) with the ability to monitor and track components such as training, policy violations, issue management and corrective action activities.
Traditionally, risk management has been more aligned with the finance and audit functions and separated from compliance activities. As a result, resources are often duplicated and compliance data is siloed according to the particular segment of the business. This creates an environment where risk is more difficult to detect and correct. Risk management that is more business-driven and values-based requires that the security and compliance functions seek common ground in a collaborative effort to both reduce and manage risk.
While the chief security officer (CSO) is responsible for digital security and the safety of employees, facilities and assets, the chief compliance officer (CCO) is responsible for implementing policies and procedures that are in sync with the organization’s values and risk tolerances. It is the CCO’s responsibility to ensure the company is compliant with all necessary laws and regulations and kept aware of any regulatory changes.
When changes do occur, the CSO and CCO must:
- Adjust corporate policies and procedures accordingly and communicate those changes to every employee
- See eye to eye and work to understand each other’s priorities and capabilities
- Come to rely on one another to maintain a secure and compliant organizational structure
Teamwork in this department is entirely necessary for survival. Just as technology has led to improved security measures, Web-based technologies are evolving to drive business process improvements for compliance. These technologies automate the process of detecting security threats posed by people and the processes they use rather than by networks and data assets. When combined with traditional security tools, these new compliance technologies provide an additional layer of protection and greater actionability. By getting ahead of baseline, required compliance, CSOs and CCOs can create compliance processes uniquely tailored to their environment and help to secure business against opportunistic, creative thieves.
Security and compliance leaders face a common foe – risk – and everyone can agree that managing risk in an organization is essential for sustained growth. By giving credence to compliance initiatives, organizations provide their employees a better sense of confidence in the security tools being used and the rationale behind them. Leveraging an integrated GRC initiative better positions the enterprise to minimize fraudulent behavior and protect assets and reputations as they guard against risk.
Drive Down Risk by Leveraging Compliance, Security Magazine, March 27, 2012