by Luis Ramos
Security measures are essential for protecting people, assets and information, and compliance makes sure those measures are effective. If you have designed adequate security controls and formally documented your procedures, shouldn’t that be enough? Maybe, but maybe not. A healthy compliance program will bolster your security measures and find weaknesses before they become problems.
Sometimes, an investment in compliance initiatives is just an effort to meet minimum regulatory requirements – all width and no depth – even when it comes to physical security matters. However, most of the time, “checkbox compliance” is not effective at reducing corporate risks beyond addressing a specific issue or deficiency. Unless you’re willing to take consistent, proactive measures to detect and then prevent the exploitation of vulnerabilities, your program will be tactical and your results will be short-lived at best.
We usually think of integrated governance, risk and compliance (GRC) as a set of strategic business processes, more in line with corporate ethics and compliance, but the measures and methods used here apply just as well to security controls. The objective is the same whether you’re the chief compliance officer or chief security officer: Protect your resources from threats, whether internal or external, natural or man-made.
Compliance is a corporate-level concern with roots that lead back to specific areas or functions of the business, including security. By integrating compliance data across the enterprise, corporate governance and risk management activities naturally mesh with corporate security protocols. This strengthens the organization’s overall security posture, while reducing the chances of unsafe activities, breaches in protective layers or instances of fraud which compromise that position.
A good place to start this integration is with policies, which typically include well-defined and well-documented guidelines devoted to physical security as well as standards of behavior (e.g., Code of Conduct). Likewise, you can apply the same principles to security measures in programs such as employee training, incident reporting, issue management and corrective action activities. Each of these areas works to support your security objectives and harden your security infrastructure.
Compliance practices should be aligned to security requirements – not the other way around. Let your security leaders tell you what needs to be protected and why, then design policies, training and compliance management activities to support those requirements. Inherently, compliance drives efficiency, which in turn can reduce costs and help to streamline the security process. In this way, the process follows a cyclical path of constant refinement and improvement.
Security teams rely on tools such as risk assessments, intrusion detection, and vulnerability and penetration testing to uncover trouble areas. Used proactively, these measures detect the chinks in the armor. Of course, no matter how many tests you run or locks you put in place, the old adage is that if someone really wants to break in, they will. That’s why we always put ethics and compliance together: the human factor. After all, your employees are the best security you have.
And employees do want to talk to you and make a positive difference. According to the December 2011 Ethics & Action Survey (Labaton Sucharow LLC), 78% of employees would report wrongdoing if they could remain anonymous and safe from retaliation. Employees have become increasingly unwilling to tolerate unsecured risk when they see it. Your people are now more likely to react when they see a door left propped open, a security badge given to a fellow employee or a damaged, unusable fire alarm – but only in an environment conducive to right action.
Aramark, the Philadelphia-based services corporation, is a prime example of a company that readily encourages collaboration between security and compliance. It’s an approach Aramark uses to tackle the issue of loss prevention, says Lou Reigel, vice president of global security at Aramark.
“Our operations involve the daily intake of significant cash, which raises concerns involving potential theft and accountability as well as cash handling and transport. To make our cash handling monitoring process better, Global Security collaborated with Compliance to develop a program specifically designed to discover vulnerabilities in Aramark’s cash handling procedures and identify weaknesses in the physical security of the cash rooms.”
Through the collaboration, key vulnerabilities in Aramark’s cash handling system were discovered and appropriate measures have been taken to prevent theft. “Several thefts have been discovered since the program was implemented and corrective action has been taken in each incident to prevent a reoccurrence,” Reigel added. “Cash room security is improved when weaknesses are discovered.”
This brings up another interesting point: criminal ignorance, theft, system hacking, break-ins, fraud, etc., are, unfortunately, more likely to be an inside job than not. A recent KPMG study, Who is the Typical Fraudster?, reported that 90% of perpetrators worked for the company being defrauded. In addition, that same study found that in 74% of fraud cases, weak internal controls, which may well include inadequate security measures, were bypassed or circumvented altogether.
Aramark has more than 225,000 employees in 11,000 worldwide locations, so the need to protect assets and prevent security lapses is critical. To fortify security and compliance controls, Aramark Global Security implemented an incident and case management system designed to monitor losses, provide trend analysis of losses, and to make the reporting of a security issue more effective and efficient for employees. According to Reigel, “The case management system allows Global Security to direct its resources to those areas which have been determined through analysis to be of concern.”
So how do you leverage the components of your compliance program to improve your security protocols? Here are a few focus areas:
- Drive Awareness. Communicate the positive aspects of proper security measures and the value of compliance and an ethical culture so that your employees know what to look for, how to respond and have confidence in your reporting systems.
- Manage Policies and Apply Due Diligence. Document your security policies and have an adequate system in place to distribute and track those policies, then monitor that system to check for weaknesses.
- Collaborate and Align. Break down the silos between segments of your enterprise, so that the so-called “soft” security functions (compliance, risk management, regulatory auditing) interact with “hard” security (facility access, safety and health, environmental controls) and speak a common language.
- Be Proactive. Perform risk assessments and testing, but also conduct risk surveys and compliance studies that may uncover trouble areas. Implement best practice workflows in your investigation and incident management activities. When an incident does occur, learn from it and share your findings across related functions.
- Complete the Circle. Negligence and security lapses will not go away completely, and those who would undertake fraudulent activity are trying harder than ever to get away with it. Just as you work to continuously improve your methods of detection and surveillance, do the same for your policies, training, reporting and corrective action measures.
Once you are in compliance, your physical security objectives are met – or so it seems. But it’s not always that easy. Compliance isn’t an end game. It’s a long-term investment in the success of your business and its reputation. An alignment of security with compliance – attesting to a policy on password protocols, filing a report because building access rights are being abused, leveraging your incident management tools to see how a security breach in one branch might be prevented at another, etc. – is a symbiotic relationship. In the end, your compliance initiatives should be leveraged to strengthen your security posture and make your entire enterprise more trustworthy.
Luis Ramos is the CEO of The Network, a leading provider of integrated governance, risk and compliance (GRC) solutions that help organizations mitigate risk, achieve compliance and ultimately, create better, more ethical workplaces. Luis has more than twenty years of experience in risk management and compliance, and his thought leadership has been featured in publications including National Underwriter, Risk Management, Loss Prevention, Security and Ethikos.