Unsurprisingly, the companies most concerned with security are those in critical infrastructure industries such as energy, chemicals and transportation, as well as large multinationals and publicly traded companies.
Within these companies, apart from security directors themselves, the executives most supportive of security matters are those in risk-oriented positions such as compliance officers or risk managers.
But the survey found a strong disconnect between the level of support for security initiatives and the level of influence over security policy. In other words, the most supportive executives were not the most influential, and vice versa.
"Security directors appear to be politically isolated within their companies," says Thomas Cavanagh, author of the study. "They face a challenging search for allies when they need to gain support from upper management for new security initiatives."
Companies also displayed varying degrees of alignment between their business objectives and security policy. On issues of operational risks, the correlation was strong, particularly on compliance, protecting confidential information and limiting financial risks.
But the alignment with long-term strategic objectives was less convincing. Only 44% of companies saw security as enhancing the value of their brand and 35% thought it might help identify new business opportunities.
Good metrics seem to be crucial for security managers to deliver important messages to senior management. "Unfortunately, the measures available for analysing the effectiveness of corporate security tend to be much less sophisticated than those that have been developed for other corporate functions such as finance, HR or IT," says Cavanagh.
The survey suggested, however, that among the most useful metrics were the cost of business interruption (64%), vulnerability assessment (60%), and specific insurance-related stats such as the value of facilities (44%), level of insurance premiums (39%) and the cost of previous security incidents.
Source: Navigating Risks: the business case for security
Report #1395-06-RR, The Conference Board
Review by Emilie Filou