Setting the Bar for Strong Governance in Security Management
Today’s corporations have responsibilities far beyond maximizing profits and margins. This was codified when, on 19 August 2019, The Business Roundtable (BRT), a group of 181 CEOs of U.S. corporations, signed a commitment to deliver value to their customers, invest in employees, deal fairly and ethically with suppliers, support local communities, and generate long-term value for shareholders. The BRT’s Statement on the Purpose of a Corporation has since expanded to include the signatures of 267 CEOs. The CEO of my organization was an original signatory.
Good timing, because the penalties for poor governance have never been greater. The following three cases are among several recent high-profile examples:
- On 17 December 2019, California public utility Pacific Gas and Electric was ordered to pay $24.5 billion in two settlements related to the Camp Fire and other northern California wildfires.
- On 18 November 2022, Elizabeth Holmes, founder of biotech company Theranos, was sentenced to more than 11 years in prison and ordered to pay $500,000 over her role in the blood testing firm that collapsed after its technology was revealed to be fraudulent.
- As of this writing, federal agents are investigating cryptocurrency exchange FTX and its founder Sam Bankman-Fried over allegations of fraud that many believe may rival the Enron and Madoff scandals of the early 21st century in scale.
But sound corporate governance is not the sole responsibility of boards of directors and senior leadership. Under what is now seen as a much broader stakeholder commitment, every member of an organization shares in this responsibility, and many believe employees now have the most skin in the game. Institutional investors are largely diversified, so if a corporation goes bankrupt, their losses are minimal. Workers, on the other hand, may lose their jobs and possibly their savings held in 401(k)s, IRAs, and other investment products.
So, what does sound governance look like for today’s corporate security departments? What are the foundational security governance products used to guide our organizations in the furtherance of healthy, prudent leadership? If nothing exists, where should one start?
There are numerous benefits to creating the foundational elements needed to build and manage a corporate security governance program. In highly regulated industries, economies, and countries, doing so may simply be a regulatory requirement. Standardization can provide a clearer vision of the future and a pathway to reach it, increase employee morale, maximize resources, limit ambiguity, and create competitive advantages. It may also lead to greater economies of scale, enabling an organization to negotiate global pricing on products and services. And when aligned with internationally accepted standards from bodies such as ANSI, ISO, NIST, and ASIS, departmental standards provide credibility and lower the risk of liability.
“Standards are part of the foundation of any security program,” says Lisa DuBrock, managing partner and owner of Radian Compliance, a certified Woman Business Enterprise and Woman-Owned Small Business consultancy that supports clients with legal, regulatory, and contractual compliance requirements. “Whether a company is a global enterprise or a small business, standards are designed to be impartial to the business size and type. It is the adoption of standards that allows any organization to then design the controls and processes needed to support a robust security program.”
A common excuse for not creating governance products is something akin to, “The field doesn’t want to hear from corporate how they should do their jobs,” or, “We’re too big. It’s unrealistic for us to issue guidance for so many (business units, countries, facilities, etc.).” When one takes a collaborative, practical approach, I have found the opposite to be true. Our teams want to do the right thing and appreciate our guidance in doing so.
While the framework for a global governance program is important, the flexibility within this framework must be commensurate with the organization’s size and scale. For example, a prescriptive procedure for visitor management in a country rated high for terrorism and crime is unlikely to be applicable across the globe.
One approach is to develop baseline enterprise-level expectations in the form of standards and/or procedures. For a large multinational corporation, these must be specific enough at the enterprise level to be applicable, yet broad enough to allow for area, regional, and/or business unit differences. Those entities should be encouraged to develop more prescriptive governance aligned with their respective regulations, processes, culture, and risk, yet dissuaded from enacting measures more lenient than those issued by the corporate center.
“Global entities always struggle to develop policies that can be adopted internationally,” DuBrock adds. “Policy, by nature of the concept, is typically developed to support the lowest common elements within the organization. Key to adopting these policies at a local level is a thorough understanding of the risk environment and culture as local processes and controls can then be implemented to better define the ‘how.’”
This is the first in a multi-part series on creating a sound fundamental security risk management governance program. In upcoming articles, we will focus upon the following three foundational products I have found to be most useful in implementing and managing a corporate security governance program, as well as the process for measuring success in a crawl-walk-run evolutionary continuum.
Department Standards
Also known as the “why” document, this strategic product seeks to answer the question, “Why do we need a security program at our organization?” As fundamental as this sounds, I’ve been surprised by how few of us have ever bothered to answer this question when prompted by colleagues and clients. This document codifies our program and its position within our organization, and it defines our mission, structure, terminology, responsibilities, and methods for measuring success.
Operational Procedures
This is the “how” document. Now that we know why we need a security organization, we’ll seek to answer the question, “How should we perform our tasks?” After identifying the most common tasks our personnel are asked to perform, we will provide basic global guidance at the tactical level on how to perform these tasks. Arranged in an A-to-Z format and supported by our department standards, this document will likely be referenced more than any other governance product and serve as a dog-eared how-to manual for everyone within our department.
Technical Standards
A combination “why” and “how” document, this tactical and operational product answers the questions “Why do we need technical security countermeasures?” and “How do we implement them?” Supported by our department standards and operational procedures, we’ll cover the selection and implementation of highly complex systems such as video management, access control, and intrusion detection, as well as the less complex, including doors, locks, keys, lighting, glazing, signage, gates, bollards, and other common controls.
The Evolution of a Security Governance Program
Standards and procedures are nice, but they are nothing more than good ideas unless we’re prepared to enforce them. The successful rollout of a governance program requires advance planning and realistic timeframes.
We will borrow the crawl-walk-run evolutionary continuum model to propose a reasonable timeline: first create the governance products and socialize them (crawl), then implement a multi-level audit program that leverages internal and external resources to ensure compliance (walk). Based upon the data collected during our audits, we can then move to the next level, maturity modeling (run), to define and showcase our success, better prioritize our assets, and create additional supporting products in furtherance of a well-regulated and prudently managed security department.
Erik Antons, CPP, PSP, is the chief security officer of Whirlpool Corporation, where he leads the physical security risk and crisis management programs for the $22.3 billion enterprise of more than 77,000 employees across 170 countries. Previously, he was vice president and CSO of Hyatt Hotels Corporation and the manager of international security and executive services at Sempra Energy. Antons began his security management career as a special agent with the Diplomatic Security Service of the U.S. Department of State, where he safeguarded the people, property, and information of Americans overseas, often in critical-threat environments.
The comments and views expressed in this article are the author’s alone and may not reflect those of his employer.