If IT's a Crapshoot: How Much Are You Willing to Risk?

Operational risk is moving well outside companies' walls as organisations look to increase operational efficiency in their supply chains through greater transparency with partners.

On the Radar

If you think the rank and file doesn't watch to see how the stars get treated when they trip and fall, you're fooling yourself. And the whole process of integrity administration is open to question. It's great that security folks are learning new things and passing that information along. But at the end of the day, the CSO needs to translate the view from the top into a clearly articulated set of expectations. And those expectations need to be reinforced by equally consistent application.

The CSO should manage a formal takeaway process from every internal misconduct or criminal incident. If you have no plans for doing post-incident analysis and sharing lessons learned, your organisation is destined to repeat its mistakes.

What would you think about a business unit that had multiple, or broadly based, misconduct incidents combined with little or no risk analysis? What if it failed to pay attention to security recommendations arising from background checks or due diligence findings? What if it didn't participate in post-incident learning efforts, or failed to hold managers accountable for problems on their watch?

That's why it's important to have a governance team. That's where it's important to connect the dots.

Security and other inputs from colleagues on the governance team provide a vibrant picture of health and hygiene in the company. A quarterly interchange between human resources, security and internal audit on issues within specific risk-ranked business units can yield a synergy - you know, that 1+1+1=4 thing - on assessing the adequacy of applicable controls and influencing the audit plan. When presented as a collaborative give-and-take exercise with no surprises, the result can be very positive in terms of the relationship as well as in the measurable improvement of issues of concern.

And where a proactive approach doesn't work, maybe the courts can help get attention.

So, where does this bring us?

First, it argues for creating a role for the chief security officer that encompasses a 360-degree view of the operational risk environment. It means letting the CSO serve as a peer with the other members of the senior corporate governance team. The CSO's ability to connect the dots within his scope, yielding a perspective no one else on the management team has, is an asset that cannot be overlooked in these risky times. Second, it argues mightily for a CSO with clear strategic and operational accountability for the full scope of security functions.

OK, so there is no Baldrige Award for Corporate Integrity. But there is a booby prize: If companies don't pay attention to ethical behaviour, they'll reap their rewards with a lack of shareholder confidence and customer defection.
