“We need to shift our focus from convergence and wholesale organisational redesign towards partnership through holistic security to reach security maturity.”
CLARITY UP FRONT
- The risks managed by physical and cyber security teams increasingly sit at the intersection of both functions. An effective response requires partnership that integrates the knowledge, data, processes and resources of both teams.
- The imperative for partnership has been evident for two decades, but is increasingly critical as criminals, nation-states, and terrorists use the full range of methods to target digital and physical domains simultaneously.
- Convergence has been presented as ‘best practice’, but only 15% of organisations have integrated their physical and cyber security teams, and most say they have no intention of doing so. Convergence can be effective, but many see it as expensive and difficult to achieve in practice.
- A new approach to partnership is required that is agile, organisation-model agnostic, adaptable to organisational needs, and acknowledges the challenges of bringing together two distinct groups of professionals.
- The Clarity Factory has developed an alternative model for partnership between physical and cyber security teams: Holistic Security. It is an outcome, not an organisational model, a partnership of equals that delivers a comprehensive security service.
- Delivering Holistic Security is a change management challenge, and as such our model focuses on behavioural change rather than modifications to the org chart. It is underpinned by culture, teams, habits and incentives that mitigate the human propensity to revert to established behaviours when situations are unclear or stressful. The Holistic Security Maturity Model is organised around eight success factors, outlined below.
- Organisations that achieve full maturity also enhance operational resilience by strengthening risk management and integrating the three critical processes of operational resilience: business continuity, crisis management, and disaster recovery.
- The Clarity Factory Holistic Security Maturity Model is a practical tool for business executives and security leaders to optimise the partnership between physical and cybersecurity to address the current holistic threat environment.
- Learn more about how The Clarity Factory can assist your organisation in achieving Holistic Security.
GLOBAL SECURITY RISKS DEMAND A UNIFIED APPROACH TO RISK MANAGEMENT
Multinational corporations face elevated and interconnected security risks. Criminals, terrorists, and nation-states target physical and digital domains simultaneously to acquire intellectual property and assets, perpetrate fraud, or disrupt critical national infrastructure. Security risks can no longer be managed in silos, with critical touch points including IT security, information security, access control, personnel security, insider risk, executive protection, and fraud prevention.
In the past two decades, ‘convergence’ has been put forward as the solution to the need for connectivity between physical and cyber security, whereby the teams are integrated into a single function. This model has merit; however, only 15% of multinationals have converged to date and a majority say they have no intention of doing so.
A new approach to partnership is necessary that is nimble, organisation-model agnostic, adaptable to organisational needs, and cognisant of the substantial challenges associated with collaboration between two distinct professional groups.
FROM CONVERGENCE TO HOLISTIC SECURITY
The Clarity Factory has developed an alternative model to achieve partnership between physical and cyber security: Holistic Security.
Holistic security is an outcome, not an organisational structure—a partnership between physical and cyber security that is engaged rather than transactional; a collaborative effort to provide a comprehensive security service through effective teamwork and the use of shared technology and resources.
Holistic security necessitates significant behavioural changes from physical and cyber security professionals, and our maturity model understands that successful change processes speak to our emotional needs first, and then build cultures, teams, habits and incentives that respond to our fear of uncertainty and failure, and the human instinct to default to old habits when things are stressful or unclear.
THE EIGHT SUCCESS FACTORS FOR HOLISTIC SECURITY
Our maturity model focuses on the eight success factors for holistic security:
- Identity and culture: Teams understand the rationale for partnership and see it as ‘something that people like us do’.
- Leadership: CSOs and CISOs consider themselves risk leaders first who model partnership.
- Incentives: Teams have incentives for collaboration and celebrate their partnership wins. They acknowledge the essential role of failure in achieving change and have behaviour goals as well as outcome goals.
- Clarity of roles: Teams have clear roles and responsibilities and have broken down new ways of working into bite-sized chunks.
- Professional development: Leaders encourage learning about one another’s respective areas of security to build empathy and confidence in partnership.
- Shared reporting lines: Where the CSO and CISO report into the same executive leader, they can work together, spot opportunities for partnership, and build joint initiatives that move the relationship beyond transactional.
- Operational: Teams establish structures that reinforce partnership and build new habits.
- Governance: Teams are part of common governance frameworks that promote partnership.
HOLISTIC SECURITY ENHANCES OPERATIONAL RESILIENCE
Organisations that achieve full maturity also boost operational resilience because holistic security improves risk management, establishes robust and enduring enterprise-wide partnerships across all risk functions, and integrates the three critical processes of operational resilience: business continuity, crisis management, and disaster recovery.
USING THE CLARITY FACTORY HOLISTIC SECURITY MATURITY MODEL
The Clarity Factory Holistic Security Maturity Model provides a step-by-step process to assess your organisation’s security maturity and achieve continuous improvement. Security leaders can use the model to start discussions with each other, or with business leaders, posing questions such as:
- What opportunities can holistic security provide for our organisation?
- How does our present model align with or diverge from holistic security?
- What is our current level of maturity on the holistic security maturity model?
- What is the appropriate level of maturity for our organisation?
- Which modifications will offer the most substantial return on investment?
The journey towards holistic security has commenced, but maturity levels in most multinational corporations are low, and cyber security professionals are less persuaded of the necessity for partnership. This offers a challenge and an opportunity for Chief Security Officers (CSOs) to lead from the front to bring transformational change and enhanced operational resilience for their corporations.
ABOUT THIS REPORT
This report is the result of a 12-month study supported by Barclays, BP, Johnson Matthey, and the Scentre Group, which involved dozens of interviews with CSOs, CISOs, industry experts and business leaders, as well as a survey of CSOs.