Symptoms:
Security is clearly the one issue that keeps corporate executives
up at night. For traditional businesses, security continues to be
essentially what it has always been – a question of “locking the
doors” and making sure that “inside jobs” don’t get outside. For
business conducted on the internet, security is more a matter of
constant vigilance and administrative labor – the doors can’t really
be completely locked, so a watchman is assigned – often taking time
and resources away from other “high value” activities.
Fixes:
The first step in effectively managing security is assessing and managing
risks. A threat assessment at a strategic level is critical to moving
security management from a passive and reactive mode to an active
mode. Reactive security activities will always be more time- and
resource-intensive than active methods because of the “collateral
damage” that can be done, damage that is often unknown and must
be uncovered and repaired prior to resumption of normal operations.
The threat assessment must be followed by scenario planning that
is credible and productive. Scenarios and threats must be assigned
an index of probable occurrence and addressed according to clear
security objectives and potential business impact. Additionally,
business leadership must be exerted to persuade employees, customers
and partners that good security practices are “best” for everyone
(not the corollary, that “best” practices are good for everyone).
Most Commonly Experienced by: All Executive Staff, Boards, and External Advisers
Relevant Services: IT Strategy, Process, Management: Interim CIO / vCIO