Nearly two years after 9/11, corporate security focus still lacking

Computerworld - After the terrorist attacks of Sept. 11, 2001, many CEOs were surprised to learn just how decentralized their security management structures were. But that surprise hasn't yet yielded much change, according to a new survey.
The survey results, released this week by Alexandria, Va.-based American Society for Industrial Security International Inc., show that most companies have steered away from centralized management and strategic oversight of security, while spending more money on insurance as a protection.
"High-level reporting and accountability are still the exception rather than the rule in corporate security management," according to the survey, which polled more than 300 security and risk managers. "While one-quarter of companies have a chief security officer, most of the remainder do not appear to have much interest in creating the position."
In addition, while security spending since Sept. 11 has increased on average by only 4%, corporate spending for insurance premiums has jumped by 33%. One-fifth of the companies surveyed reported a doubling of insurance spending since Sept. 11.
Mary Ann Davidson, chief security officer at Oracle Corp., said insurance without a solid organizational structure is fruitless.
"Purchasing expensive insurance for security without improving your operational security is like buying new drapes for a dirty house," said Davidson. "Organizations need to clean house first through better operational security and then use insurance to mitigate the remaining risk."
But therein lies another problem, said MacDonnell Ulsch, managing director of Janus Risk Management Inc. in Marlboro, Mass.
"Companies have not yet fully grasped how to embrace enterprise risk," said Ulsch. And while companies are earmarking additional funds for security, he said, "bigger budgets don't translate seamlessly into better security." The real question that needs to be answered, according to Ulsch, is how the 4% increase was spent.
"Did the right programs get funded?" he said. "Were companies thinking of risk from a holistic viewpoint, or did they invest in expensive point solutions guaranteed to prevent a meltdown?"
The CIO of a global auction company who spoke on condition of anonymity said that despite the increasing risks most companies face, profit margins are simply too narrow to justify many new security programs.
With respect to the organizational and oversight challenges, having a chief security officer -- a single person responsible for security -- is critical, the CIO said. Companies "that do not have a CSO lack a focal point for the true accumulation and measurement of risk, and as a result do not make business decisions based on the total risk picture," he said. "As CIOs,we have to make up for that gap."