Why many vulnerability management functions are handled by finance or corporate, and not security
We work extensively with the world of finance, and recently had an interesting conversation with a finance guy about security departments. The finance guy noted that people in finance had some clear idea of their goals (to make yet more money), and a sure knowledge that the field of finance is a complex field, composed of many, many areas of specialization. Because of this, people in finance tended to call in experts and consultants at the drop of the hat. If you are issuing commercial paper of some sort you have investment banks and outside consulting firms. You bring in outside tax people to deal with tax issues. You bring in specialized attorneys to answer tricky questions. You sub-contract some of your money management. You hire outside risk managers to assess your progress. He had brought us in.
In security, he noted, this approach is rarely followed. Security people, he said, always insist they know everything, from the intricacies of international financial due diligence to the ins and outs of biometrics, to networks, and are unwilling to risk their turf by bringing in outsiders to either assess what they are doing or to help improve what they are doing, or to do what they don’t know how to do. This seems very suspicious to those in finance: From our guy’s point of view, those in security either are sufficiently unsure of their limits that they are afraid to bring in outside help, or they have so little knowledge of the area that they should be confined to guarding doors.
The end result of this was, in his experience, quite predictable: Security functions were not given to security, but, rather, were given to functional managers. While due diligence should be conducted under the auspices of security, in reality that task was given to finance or M&A to farm out. While audits should be under the auspices of security, in reality it was given to accounting to farm out. While network security should be conducted under the auspices of security, in reality they were given to DP to farm out. While protective services should be conducted under the auspices of security, in reality they were given to a separate group in the chairman’s office to farm out. Running guards and managing access control, however, was left with the security department.
He noted that this obviously did not hold true for all companies, but he felt that, in general, most security people were too insular, and had boxed themselves into a corner by refusing to look to the outside world. This is of course a vicious circle, as lack of executive support produces an environment in which less can be offered, which in turn produces less support.
On careful reflection, we realized that, while we would like to think that what he said was not true, our experience, sadly, matches his in more cases than not. Forgetting security’s issues, this is not good for corporations, because security’s inability to articulate their department’s positive contribution to productivity and the bottom line often means that the corporation is deprived of security’s ability to contribute to the corporation’s productivity and bottom line. We have at least seen a temporary increased interest in access control and mail screening, both of which could act as a springboard for ways to demonstrate that security increases productivity and the bottom line, rather than merely being a cost. It will be interesting to see if the flash of concern that we saw after the criminal activities of September 11th will actually move security from the guard shack into the boardroom, and if security will be able to take advantage of this window of opportunity.