As I noted in a post last Friday, the Conference Board released a report last week entitled “Navigating Risk: The Business Case for Security,” by Tom Cavanagh, who has written extensively on the topic of the private sector’s role in homeland security over the past few years. The full report is only available if you shell out $495 (or $125 for Conference Board members), but many of its key findings are summarized in this press release and these charts.
There are a number of interesting findings in the report, but the most notable is the “disconnect” that Cavanagh identifies in the way that security is treated in the corporate boardroom:
But there is a strong disconnect between the level of support for security initiatives and the level of influence over security policy within the companies surveyed. In general, the most supportive executives were not the most influential, and the most influential executives (senior C-suite managers) were not the most supportive. In addition, most senior executives surveyed reported that they have little direct responsibility for most aspects of security. Security is an area with a lot of dotted-line relationships, so senior executives are often heavily involved in specific security decisions even though they are not directly accountable for them.
The Demos report that I wrote about last week offers a number of suggestions that address this fundamental dilemma, such as finding security executives with stronger business backgrounds and developing better security metrics and rationales. Taken together, the two reports provides a compelling case that companies need to revisit their existing approaches to security, and ensure that they are appropriately aligned for the many types of disruptions that could pose a significant threat to their businesses.