Putting security on the corporate agenda
May 1, 2001 12:00 PM, By Frank J. Bernhard
Peering inside the culture of security for any given company, somewhere between the solace of a boardroom and the employee policy manual, there exists a peculiar sense of vagueness. Recent highly visible attacks on the domain of intellectual property (IP) can leave organizations scrambling to overcome vagueness by reaffirming new perspectives on protecting human and physical assets.
Think about the tragedy of workplace violence, or the covert abduction of a software developer's source code, and now consider the effect of prevailing policy that could have prevented these losses. The point of critical meltdown: corporate governance.
Today's digital economy produces intangible assets that have real dollar value. Dollars and gold of every nationality continue to be paid for information property in an ever-growing economy held together largely by digital glue. Whether it's the latest architecture of a revolutionary technology or the simple formula of a soft drink, information — in the context of innovation and profit motivation — remains a highly-sought-after treasure.
Corporate governance consists of management's policies and standards devised to structure a company's vision and provide oversight to core business activities. However, as the IP gold rush has given way to shaky internal protection processes, the faltering effect is neither blatant ignorance nor sheer disregard. Rather, the corporate viewpoint is clouded by a perception of economic stability.
The economic mandate is starkly clear
After a decade of automation and construction of information networks, the weakest link appears to be in the security surrounding these systems. One might expect security to be on the design checklist, but real world phenomena suggest the opposite. Several telecommunications service providers set out in 2000 to analyze the economics of risk behind security practices, given that more small and medium businesses have joined the online fray of businesses in recent years. From the smallest businesses through the largest Fortune 100 enterprises, the survey results identified several alarming trends that demonstrate a security policy void. A few of the highlighted statistics concluded:
- Economic leakage of IP losses averaged 5.5 percent of gross annual revenues per year.
- Approximately 63 percent of all organizations within the study could not identify a written corporate policy that defined intellectual property as a secured asset.
- Nearly 22.7 percent of all entities failed to cite a business unit or individual who had the primary charter for security within the organization.
- Tracked losses and respective claims of IP damages in the year 2000 were estimated in excess of $4.38 billion.
The evidence of such deficiency rings loud and clear, but is still a hidden mystery to many security administrators worldwide. A principal conclusion from the study is that the reliance on automated security methods (via applications, networks and systems) is insufficient to stop any further damages that may arise from misuse or primary intrusion. However, even the popular icons of the business world admit to a reticence in strengthening policy alongside technology deployment projects. What seemed naturally impenetrable has been quickly reassessed in light of recent acts of hacktivism and espionage.
More companies remain inclined to invest heavily this year in audit and tracking applications that monitor employee conformance to stated guidelines and procedures. Privacy and trust may continue to dominate the news columns, but governance of security measures will certainly test the mettle of many institutions.
Setting a flash course for the prevention of careless and intentional security breaches is seldom a simple solution. Designing and implementing a corporate governance policy for security procedures seems to be a daunting task. In reality, the following method is simple and effective in reducing the probability of employee tampering.
STEP 1: State the value of each individual's contribution in maintaining a controlled environment.
Begin the introduction process of any policy indoctrination by linking the employee to the bigger picture of responsibility. By human nature, people seek to be part of a larger social sphere, and the context of a business is certainly no exception to this goal. Offer a diverse set of examples of how employees across all business units play a key role in maintaining a safe and secure environment. Of course, helping employees within your organization to view the Internet as a virtual business environment poses a considerable challenge. Leaving the front door open after hours poses an obvious risk, but very rarely do employees consider unwatched PCs as a gateway to crime.
Making society at large realize the pitfalls and traps of the electronic age has been an ongoing mission among security administrators everywhere. Tying people to the importance and prominence of corporate security helps the process along.
STEP 2: Define the significance of business assets to the longevity and profitability of the company.
Employees and management alike prefer to live in blissful ignorance until an emergency occurs — and only then is a plan implemented. Until recently, a large portion of the global economy viewed worthwhile business assets to be primarily in tangible form. Companies are now clearly seeking competitive advantage through intangible resources — namely those with an information basis. By demonstrating how a single loose thread in securing digital assets can topple an organization's ability to sustain itself, employees take notice of the sensitivity required to safeguard those structures within their locus of control. After all is said and done, longevity requires profitability to ensure continuous employment resources in the future.
STEP 3: Set the standard and tone for rewarding a positive diligence to security practices.
Lead by creating a written set of guidelines and policy that incorporates a reward structure for positive security behavior. We resort to punishment for negative actions, but we don't always reward people for following the rules.
Aside from setting a standard model and outline, security governance requires cooperation from management to encourage employees to abide by the policy. People abide by leadership examples — not merely written rules.
STEP 4: Challenge employees to become architects of the underlying policy itself.
If a well-founded policy is to flourish it must reflect the organization to which it belongs. The U.S. Constitution, even today, evolves to meet the needs of the country as policy becomes amended or new laws emerge. In the same manner, security policies should elicit the active participation of employees — allowing those closest to its purpose an opportunity to meld the culture to meet the guidance vision.
As the tell-tale statistics of organizational behavior research become clear, companies that begin their policy preamble with recognition of the individual have a better-than-average chance to succeed. And by helping to illustrate the tangible worth of seemingly illusive IP values, the climate of a policy-based system that acknowledges cooperation and support will surely experience a life unto its own.
Future organizational behavior implies new management styles
One of the most intriguing guru management philosophies in the 1990s involved reengineering corporations for a new breed of competition — in a turn-around method of brute leadership and recognizing customer relationships. Staring ahead into the new millennium, today's management also exalts a security introspection — one that transforms the ways and means of appreciating information assets. The challenge rests with each company's ability to recognize IP as a valued business by-product and proceed with a deliberate human resource strategy that commands the attention of every individual to handle entrusted knowledge carefully.
Tomorrow's employee must not only be vigilant in their regard for IP applications, but also have the knowledge to thwart competitors to keep closely held information secret. In short, a change of values — however subtle or pronounced — will steer the corporate culture toward a management style that rewards information stewardship.
But the saga of IP theft is far from over — and most likely will never end. It is a trend that will probably increase in frequency and magnitude. Countries and economies around the globe appear to agree that the battle against white-collar crime begins with the stature of corporate governance.
For the record
About the author
Frank J. Bernhard is a technology economist and partner with OMNI Consulting Group LLP, an economic advisory and assurance firm with offices located in Davis, Calif. He can be reached via email at fbernhard@ocg-us.com or by telephone at (530) 750-5199.
http://www.omniconsultinggroup.com
© 2008 Penton Media Inc.