With a series of events hitting corporate Canada over the past 12 months, from SARS and the massive blackout to attacks from the SoBig and Blaster worms, companies are intensifying their disaster preparedness but finding that a siege mentality often exists between departments.
At a Conference Board of Canada corporate security conference held in Toronto last month, Robert Gerden, director, corporate security with Nortel Networks Ltd., spoke of the need for corporate silos to be broken down if companies want to successfully address security and business continuity shortcomings.
But Gerden admitted the task is not an easy one. “It is difficult to break down the barriers, there is not a lot of communication between them,” he said. People are often “protecting political turf.” The silos vary from IT and physical security to emergency management and business continuity departments. “You have all these departments that may not be working together,” he said.
Rex Pattison, director, business continuity management with the Bank of Nova Scotia, agreed the silo factor is a hindrance to successful security implementations but that silo existence is often the result of the way companies were traditionally designed.
The key to solving the silo mentality is creating an enterprise risk council comprised of representatives from each department. Later, if a companies chooses to do so, they can take the process a step further and create what Gerden calls the four pillars of security: asset security, business continuity, compliance and financial protection. These four pillars in turn report to an enterprise risk officer, who in turn reports to the top of the corporate structure.
Gerden said both the risk council and risk officer solutions have their pros and cons. The risk council solution disrupts the existing organization less (there are no additional management levels created in a company), but because of the very nature of a council there are accountability issues since no one person is responsible for all security issues.
The risk officer solution, which is where Gerden sees corporate security going in the future, has to get past the political agendas which may exist within a company in order to succeed, and can lack full risk co-ordination between departments if it is not managed properly, he said. On the upside, there is greater security alignment and accountability, and a simpler organization and reporting structure since there is one person at the top, Gerden added.
Telus Corp., the Burnaby B.C.-based telco, is going through similar security growing pains. Over the past several months it has created a “partnership in governance”, said Gene McLean, vice-president and chief security officer at Telus. The partnership is between the company’s CIO, CSO and chief information security officer.
“It is working very well,” he said, “but it wasn’t an easy (stage) to get to.” The difficulty was getting everyone “thinking on the same page.” McLean agreed with Gerden that job protectionism and turf wars are common. For most companies the alternative, where security is fractured and risk in dramatically increased, is not acceptable. “A strong governance partnership is crucial to avoiding conflicts in security philosophy,” McLean said.
Also key to an integrated corporate security is good communication between departments, something that is often lacking.
“We do it incredibly badly very often,” Pattison said, referring to internal communications.
Another hurdle is getting all participants to look at security from the company’s perspective not their own department’s. McLean said the ultimate goal of any security practice is protecting the corporate brand.
Gerden added that one often overlooked department is IT. “We need to have a better understanding of what IT security is all about.” He also said top IT security people with global experience are both critical to success and scarce in their availability.
And if disaster strikes, not jumping to conclusions too quickly is paramount to success, Pattison said.
“The guy on the street expects you to have all the answers in five minutes,” Pattison added. But reacting too quickly leads to over simplification which leads to bad decision making. He said for things to run smoothly in disaster situations a company needs a good team in place, solid planning and continual testing.