Building a Corporate Culture of Security
eBook - ePub

Building a Corporate Culture of Security

Strategies for Strengthening Organizational Resiliency

  • 298 pages
  • English
  • ePUB (mobile friendly)
  • Available on iOS & Android

About This Book

Building a Corporate Culture of Security: Strategies for Strengthening Organizational Resiliency provides readers with the proven strategies, methods, and techniques they need to present ideas and a sound business case for improving or enhancing security resilience to senior management. Presented from the viewpoint of a leading expert in the field, the book offers proven and integrated strategies that convert threats, hazards, risks, and vulnerabilities into actionable security solutions, thus enhancing organizational resiliency in ways that executive management will accept.

The book delivers a much-needed look into why some corporate security practices and programs work and others don't. Offering the tools necessary for anyone in the organization charged with security operations, Building a Corporate Culture of Security provides practical and useful guidance on handling security issues that corporate executives hesitate to address until it's too late.

  • Provides a comprehensive understanding of the root causes of the most common security vulnerabilities that impact organizations, and strategies for their early detection and prevention
  • Offers techniques for security managers on how to establish and maintain effective communications with executives, especially when bringing security weaknesses, and their solutions, to them
  • Outlines a strategy for determining the value and contribution of protocols to the organization, how to detect gaps, duplications, and omissions in those protocols, and how to improve their purpose and usefulness
  • Explores strategies for building professional competencies, managing security operations, and assessing risks, threats, vulnerabilities, and consequences
  • Shows how to establish a solid foundation for the layering of security and for building a resilient protection-in-depth capability that benefits the entire organization
  • Offers appendices with proven risk management and risk-based metric frameworks and architecture platforms

Frequently asked questions

Yes, you can access Building a Corporate Culture of Security by John Sullivant in PDF and/or ePUB format, as well as other popular books in Business & Management. We have over one million books available in our catalogue for you to explore.

Information

Year
2016
ISBN
9780128020586
Subtopic
Management
1. Introduction

Abstract

This chapter encompasses a comprehensive, thought-provoking discussion focusing on the phenomena of strategic deficiencies, programmatic weaknesses, and performance inadequacies that consistently reoccur in security programs and security operations throughout the private, not-for-profit, nongovernmental, and public sector environments, despite the hard work hundreds of thousands of security professionals are doing to roll back this malignant growth. The chapter focuses on causative factors that dramatically influence security resiliency, such as the degrading capability and ability of a security organization to function, and the importance for decision makers to acknowledge and recognize the consequence of loss that these phenomena may bring to their enterprises. An earnest discussion to support the advancement of security resilience is presented.

Keywords

Capitulation; Consequence; Deficiency; Inadequacy; Ineffectiveness; Inefficiency; Resilience; Risk exposure; Vulnerability creep-in; Weakness

When the goals of prevention, deterrence, protection, detection, assessment, response, and recovery are not adequately addressed, or technology solutions sweep protocols, processes, and people aside, the security organization will lack the capability to adequately perform its critical mission. When this occurs, the security organization has come face-to-face with the effects of vulnerability creep-in and must deal with the consequences: falling short of meeting performance expectations; a no-confidence vote from business units that the security organization can support their business interests; and workforce physical and emotional stress.

John Sullivant

Top Takeaways
• Recognize some obstacles security professionals face when building security resilience and developing relationships
• Define the real meaning of “ability” and “capability” within the realm of security operations
• Identify some stumbling blocks that confront security professionals
• Describe the origin and theory of vulnerability creep-in
• Explain how vulnerability creep-in festers within an organization
• Identify factors causing vulnerability creep-in

Overview

Throughout the pages of this book, I tell my story of research and experience over fifty years of insightful advice to influence decision makers and their choices. There are two dimensions to my story. The first dimension has to do with business and professional values: integrity, honesty, and trust as an individual, and competency as a professional. The second dimension has to do with management and leadership: positive attitude, team building, empowerment, coaching and training others, and influencing decision makers to embrace new standards of achievement and social behavior that lead to appropriate security and organizational resilience.

Building Security Resilience and Developing Relationships

This book is packed with my personal experiences and research results that describe the frailty of security activity in both the private and public sectors, and the decision-making process that has shaped and continues to shape our security destiny. It focuses attention on our ability to achieve many security goals and objectives, our ability and capability to perform to expectations and standards, our craving to communicate effectively with chief executives and others, and our personal desire to improve our proficiency, competency, and productivity.

But What Do Ability, Capability, and Preparedness Really Mean?

Two prominent sources answer this question: Presidential Policy Directive (PPD) 21, “Critical Infrastructure Security and Resilience,” and Homeland Security Presidential Directive (HSPD) 8, National Preparedness Guidelines.
PPD 21 describes resilience as the ability of an organization to resist, engage in, recover from, or successfully adapt to adversity or to a change in conditions. This includes preparing for, adapting to, withstanding, and recovering rapidly from disruptions, deliberate attacks, industrial mishaps and hazards, and weather-related calamities, and the return to an acceptable level of performance in an acceptable time after being affected by an event or incident.1 Resilience is a concept that applies to individual assets, systems or networks of assets, and security activities and programs. Resiliency allows the asset, network, or system to fail gracefully rather than abruptly, or in such a way as to allow the consequences of failure to be minimized. Self-healing components, systems, and networks enhance resiliency.
HSPD-8 describes resilience as the capability of an organization to maintain its functions and structure in the face of internal and external change, and to degrade gracefully when it must. Under HSPD-8 guidance, “capability” means to accomplish the mission by performing one or more critical competencies under specified conditions and to a targeted level of performance standard or expectation. For security organizations, critical competencies include the ability and capability to deter, delay, prevent, protect, detect, assess, respond to, and recover from a security or security-related event. Chapter Establishing and Maintaining Inseparable Security Competencies relates to these capabilities. HSPD-8 further explains that capability may be delivered through any combination of properly planned, organized, equipped, and trained resources that can achieve the desired outcome. Capability also refers to features, operations, or policies that serve to benefit a protective environment and that may eliminate or reduce the need for particular protective measures without jeopardizing mission goals and objectives or performance outcome.2
I often come across chief executive officers (CEOs) and security professionals who have no clue what “ability” and “capability” really mean. Sometimes it seems that no matter how often we plead our case, or what actions we take, many strong-minded executives just do not get the message. I talk more about this topic in Chapter How to Communicate with Executives and Governing Bodies. For now, it is important to know that this lack of basic knowledge is strikingly reflected in corporate security and emergency preparedness planning, in the development of policies and protocols, in training programs, and in demonstrated performance outcomes that we have observed throughout our visits to all industry sectors. There is more on these topics in Chapters Preparing for Emergencies, A User-Friendly Protocol Development Model, and A Proven Organization and Management Assessment Model.

How Do We Relate Security Goals to Business?

As a security professional, you must have a clear understanding of the organization’s culture and management’s knowledge base if you are to fully embrace the company’s strategic vision for pursuing business goals and objectives. This understanding is essential if you expect to establish, implement, maintain, and effectively monitor the effects of building security resilience (Sullivant, 2007, p. 111).
Let us briefly examine the three categories of this strategy: an understanding of the characterization of security requirements; the nurturing of business relationships both internally between upper management and organizational divisions, and externally among stockholders and governing bodies; and community entities that have an invested interest in the success of the company, its services, and security performance expectations.
Key to characterization is the ability to clearly define:
• business services and security operations,
• business continuity and emergency operations,
• the rank order of assets that are critically important to the enterprise’s mission, and
• the degree of service interruption the enterprise and the security organization can sustain should an event occur before an entity can collapse.
It is essential for those individuals who have a responsibility to meet the challenges of achieving business and security goals and objectives to buy into this characterization, and to have the unconditional support of C-suite executives.3 I talk about these topics in Chapters Strategies That Create Your Life Line, The Evolving Threat Environment, The Cyber Threat Landscape, and Developing a Realistic and Useful Threat Estimate Profile.

Can We Speak Intelligently About the Threat Environment?

Concurrent with characterizing business services and security operations, you need to begin developing strategies for building security resilience. The key to this characterization is defining the possible threats, hazards, risks, and vulnerabilities that a corporation will face, including perceived and postulated threats and hazards, adversary modes of attack, threat capabilities, the likelihood of threats occurring, the potential consequences of losing assets, and solutions to these problems in terms that are meaningful and useful to executive management (Sullivant, 2007, p. 133). Key to a comprehensive threat analysis is to determine the security organization’s ability and capability to perform its critical operational mission: deter, delay (or deny), prevent, protect, detect, assess, respond to, and recover from acknowledged threats. No other mission is more important for a security organization—it could determine the survivability of the corporation. I discuss these capabilities in Chapters Strategies That Create Your Life Line, The Evolving Threat Environment, The Cyber Threat Landscape, Establishing a Security Risk Management Program Is Crucial, Useful Metrics Give the Security Organization Standing, A User-Friendly Security Assessment Model, Developing a Realistic and Useful Threat Estimate Profile, and Establishing and Maintaining Inseparable Security Competencies.

Watch Out for Stumbling Blocks

Let me briefly examine some significant conditions, circumstances, and situations that repeatedly plague the ability and capability of security organizations to perform as mandated or expected. First, if you are to gain acceptance and trust from executive management as a professional security expert, you must always—in all circumstances—demonstrate leadership value to the corporation. Second, you must not only understand the business and threat environments; you must also be able to achieve workable and practical solutions to security problems that mirror the corporate image, brand, and reputation that are acceptable to executive management. Last, to survive in today’s business culture it takes resolve and strategic vision, which are really works in progress.

Experience and Knowledge Base of Senior Decision-Makers Can Cause Us to Trip

Wherever I go, chief executives proudly proclaim their security organizations are doing a good job protecting the company. These CEOs and those around them are alw...

Table of contents

  • Cover image
  • Title page
  • Table of Contents
  • Copyright
  • Dedication
  • About the Author
  • Foreword
  • Preface
  • Acknowledgments
  • 1. Introduction
  • 2. Strategies That Create Your Life Line
  • 3. The Many Faces of Vulnerability Creep-in
  • 4. The Evolving Threat Environment
  • 5. The Cyber Threat Landscape
  • 6. Establishing a Security Risk Management Program Is Crucial
  • 7. Useful Metrics Give the Security Organization Standing
  • 8. A User-Friendly Security Assessment Model
  • 9. Developing a Realistic and Useful Threat Estimate Profile
  • 10. Establishing and Maintaining Inseparable Security Competencies
  • 11. A User-Friendly Security Technology Model
  • 12. Preparing for Emergencies
  • 13. A User-Friendly Protocol Development Model
  • 14. A Proven Organization and Management Assessment Model
  • 15. Building Competencies That Count: A Training Model
  • 16. How to Communicate with Executives and Governing Bodies
  • 17. A Brighter Tomorrow: My Thoughts
  • References
  • Index