The first and last line of organizational defense (page 1 of 3)

To deal with these challenges, organizations are embracing a 'business assurance' construct: integrated risk-management strategies combining physical, information, and IT security controls to effectively manage access to vital information resources, and ensure business continuity and increased resilience, according to a new report by Booz & Company.

Cascading risks

Systemic shocks like earthquakes, blackouts or terrorist attacks have increased recently, and other technology incidents threaten the operations or livelihoods of companies, governments, and individuals.

Growing digitalization, societal interconnectedness, and lean operations cause such events to cascade throughout business operations and society. This is further complicated by 'complexity risks,' which affect all traditional domains, such as the protection of critical infrastructures, cyber security, food and water security, and energy security.

"Public- and private-sector mandates for greater efficiency in protecting organizations, although critical to the growth of productivity, add layers of risk. Operations optimization, process automation, and digitalization all expose organizations to significant vulnerabilities,"

explained Ramez Shehadi, the Booz & Company partner leading the Technology Practice in the region.

Technologies that increase the effectiveness of organizations and drive societal interconnectedness also create new risks and may cause greater damage. An estimated $1bn has been stolen from financial institutions and corporations in the Middle East by organized cyber criminals, according to a report published in the ISSA Journal, June 2008 . In addition, an article published in Computer Weekly in December 2007 , reported that in 2007, a Dubai-based gang stole roughly $60m by accessing consumers' online credit card information, even from government-services Web sites. These details were then used to make cash withdrawals and to buy gold and diamonds online.

"Potential solutions to such challenges need to include both the technological and the management layers of organizations in 'living' system that allows for the adaptability and flexibility necessary to match today's high-risk environment," stated Alessandro Gazzini, principal at Booz & Company. The right solutions also all call for the interaction of multiple stakeholders, including public-private partnerships and international collaboration.

The status quo is inadequate

Traditional security programs are not capable of coping with the new and emerging vulnerabilities of today, despite general progress in advancing security, continuity, and crisis management capabilities. Gains are often limited because they have fostered the development of 'stovepipes' - when functional capabilities are developed to address specific types of risks or vulnerabilities in isolation from each other. They don't allow for an integrated and consistent view of risks and lead to unnecessary duplication of activities and potential investments.

"This traditional approach often leads to a decrease in efficiency and potency, critical gaps are created, and an unacceptable level of risk is reached," commented Shehadi.

The 'stove pipe' reality clashes strongly with the way adversaries operate and with the reality of any natural hazard which impact the company across all functions and departments.

The tendency to spend so much time and attention on establishing physical security controls means organizations ignore critical proprietary information or assets made vulnerable by digitalization.