This is the first in a six-part Hillard Heintze series on the top trends in 2015 we expect to see driving best practices in investigations, security risk management and law enforcement program improvement in the U.S. and worldwide. We’re starting with the top security trends in 2015.
Security and managing a complex mix of risks, threats and vulnerabilities across worldwide operations continue to present challenges. This year, how are leaders and advisers to corporations, government agencies, law firms, nonprofits and family offices planning to address them? What emerging trends will mature this year? Here’s our perspective on the first six trends.
Trend #1: Preventing Cybercrime Has Been a Priority for a Long Time. Now It’s Urgent.
“Patch and pray” is out. The Sony hack has shaken many management teams across industries for three reasons. It was a dramatic example of a threat that has been well known for years. It had a major impact on Sony’s core business and the reputations of some of its top executives. And it represented an ominous expansion of cyber-related risk beyond data breaches and the theft of personally identifying information. Cyber risk is indeed a “severe and present danger,” as PricewaterhouseCoopers pointed out in its September 2014 report based on its perennial study of global information security practices, the world’s largest.
- Security planners this year have to come to terms with the likelihood that cyber terror incidents – both public and undisclosed – will increase in 2015, as hackers become empowered and countries with little appetite for military confrontation with a superpower find relative ease in attacking American symbols in cyberspace.
- Among other areas, there are key implications here related to acts of terror, nation-state attacks, extortion, bank-card breaches and threats to critical infrastructure.
In 2015, organizations will need to step up their efforts to combat cybercrime, especially in the areas of training, technology planning and continuity of operations. The business case for these preventative expenditures should be based on the far higher costs and impacts of breaches, losses and recovery.
Trend #2: Convergence Will Continue Transforming the Security Department.
Companies still managing cyber and physical domains independently are not adequately securing either. In fact, they may be increasing their vulnerability.
Recognizing and mitigating these risks is important because the link between cyber and physical security is growing as organizations become more dependent on networked systems. Today, the list of assets, resources, processes and operations that can be controlled over the Internet includes everything from cameras and secure gates to networked machinery, sensors and control systems. Just think: if the world’s largest manufacturer of vertical lifts (elevators) can quietly monitor and control the operation of its newest lifts from its headquarters, which unauthorized entities might learn to do so as well? Accelerating the convergence of physical and logical security is just as important for private sector Directors of Security, Chief Security Officers (CSOs), CIOs and CISOs as it is for the defense and homeland security communities.
Trend #3: Board Member Interest in Security Remains Dangerously Tepid. Expect That to Change This Year.
For years, corporations have been challenged to think more strategically about security’s alignment within the business – from mission and resourcing models to organizational structure and reporting channels. One major obstacle has been the Board of Directors, and the extent to which board members understand, prioritize and, where necessary, champion a proactive approach to strategic, prevention-oriented security planning.
Improvements in this area have been fitful, driven principally by companies and agencies committed to best practices in managing security-related risks. Some evidence, however, suggests that the trend in 2014 was actually in the opposite direction. Two of the key findings that stand out in the PricewaterhouseCoopers report are (1) that fundamental security practices are in decline, and (2) that at most organizations, the Board of Directors does not participate in key information security activities. We expect this trend to change for the better in 2015.
Trend #4: Collaboration Among CSOs, Directors of Security, CIOs, CFOs and Other Executives Is Now Vital.
Take one step down the corporate ladder now – and consider the C-suite. Security leaders need to be more collaborative in 2015. Almost every major security issue organizations address in 2015 will require a cross-functional sharing of perspectives, planning and resources at the senior management level – often on a global basis.
Here are a few examples:
- Responsibility for cyber-attack prevention sits partly on the desks of both the CSO and legal counsel, given the latter’s obligation to comply with Sarbanes-Oxley.
- The relationship between the CSO and the Chief Information Officer is one of the most important drivers of effectiveness in addressing convergence challenges. This conversation needs to include the Chief Financial Officer as shared physical and cyber security issues become more complex and costly to address. Also, having a CFO with a solid understanding of security threats will make the mission of the CSO and Director of Security even more successful.
- Among many other areas, the CSO and tax counsel need to collaborate in addressing executive protection and the company’s security-related tax compliance strategies.
Trend #5: Workforce Protection is Gaining Funding – As Are Countermeasures Against the Active Shooter.
Recent international terror attacks such as the one in Paris last week and the Australian café attack in December are just the latest examples of the need to help employees understand how to defend themselves and survive an in-office attack, whether it represents terror or another form of targeted violence. More and more organizations, from hospitals and healthcare centers to financial services giants and retail superstore chains, are placing active shooter planning at the top of their “must do” list in 2015. Some developed Active Shooter Plans in 2014. Many others secured budgets last year and will be establishing their plans in the months ahead. We see a growing focus this year on the following:
- Employment actions – and the need to have key managers in Security and HR share a common perspective on how to identify, assess and manage employees with the potential to act out violently against the company or the workforce.
- Judicial orders and the introduction of employee personal issues into the workplace – and how to address these before an incident unfolds while complying with privacy regulations.
- Tactical countermeasures – such as man-traps and safe rooms – as an insurance policy when access control mechanisms fail.
Trend #6: The Insider Threat Will Continue to Drive Risks of Fraud, Theft and Sabotage.
While protecting systems from outside intruders, many companies do not realize that the greatest threat most often comes from an employee who has access to the organization’s computer network every day. Protecting organizations from individuals on the inside – such as staff, former employees, vendors and business partners – will continue to represent a major priority this year. In addition to fraud, the risks include the theft of intellectual property or other confidential or economically valuable data and the destruction of the organization’s information, assets or relationships.
We expect to see many employers placing greater emphasis on best practices and insider threat countermeasures such as the following:
- Background investigations of job applicants, existing employees and staff whose responsibilities give them access to valuable information or assets
- New technologies and processes that protect intellectual property and trade secrets
- Controls over company-owned laptops and mobile devices
- Awareness training for supervisors and managers
Is your security team addressing these issues in your organization? Let us know your thoughts on these trends and what you believe will be leading security risk management issues this year.
Later this week, we’ll be posting the second set of security-related trends in 2015. And then, next week, we’ll publish our perspective on the top trends to watch this year in the investigative arena as well as in law enforcement program improvement.
We look forward to having you join us and becoming part of these important conversations.