An Open Letter to My CEO

Every CEO faces the challenge of managing risk and opportunity. They are two sides of the same coin. You cannot have one without the other.

When you sit down with your management team, you expect them to provide you the right information at the right time with the context of the opportunities they are pursuing. Besides vetting each opportunity on its merits, you must also vet the risk to shareholders. You expect your executives to have done their homework; that is, they have provided you a thorough assessment as well as analyzed the risk factors before presenting action plans.

Then you must make a decision. If you decide to pursue the opportunity (investment) you expect persistent measures to be put in place that provide you confidence the value will be returned.

You also recognize that every one of your executives must understand the impact of their actions. Every singular investment and subsequent action impacts the whole.

In my role as your CSO, I owe you the same rigor. At the end of the day, my role is to ensure you have a resilient, adaptable and valuable company.

There are four main assets that span all your executives: people, the processes they live within, and the physical and logical (information) assets they use to perform their jobs. My role is to provide you a common operating picture of how these assets are secured as well as how we can best respond if they are compromised. At my best, I create competitive advantage by providing you a proactive protocol in the event of a social, political, or environmental incident that ensures our stakeholders and clients are protected. This is true resilience.

To be able to optimize our efforts and ensure I do not invest in anything that does not return value, I must provide you four essential steps.

Assessment and a Strategic Plan
To be able to ascertain what the risks to the business are, my team must conduct an independent, cross-functional enterprise risk, threat and vulnerability assessment. The independence is necessary to provide an objective review. This should be done in context of the operation and the opportunities each executive is pursuing. This creates the context of a plan and a roadmap for investment.

As you know, without an adequate assessment that defines the opportunity, the risk, and how it will impact our company; the executive can miss the mark, possibly damaging the company. On a positive note, when the assessment is thoroughly conducted with a proper methodology and discipline, then our plan will clearly delineate the expectations, definition of success, and the steps to realize that success for our organization.

Operational Execution
As your CSO, I recognize that any plan can be compromised without proper attention to how people perform in a process using technology to optimize their actions. As a result, the master security plan must have a proper execution strategy that will provide you the measures you and I need to understand how our value is being realized.

This will require an information management platform to aggregate data, organize it within a common operating picture and provide you incisive perspective based on how our company is managing risk as well as the performance of my program.

Therefore metrics will be identified and socialized with my team and yours, so we collectively can own the success of the program.

Design
To do this, my team will be composed of recognized [BB1] security master planners, who work with IT and external consultants to develop “use” cases and scenarios that we will use to design our platform. Under this framework, any tools we acquire will not become silos, providing you predictive and persistent return on the investment we make.

Benchmarking
Once this preliminary design has been formed, we will conduct a review of technologies that will fit our plan and our platform.  The results are then integrated into the final system design.

Implementation
We will also contract with implementers who have experience with these tools, managing them to a program and testing the implementation practices before, during, and after the tools have been delivered.

Operations and Performance Management
After Implementation, we will begin the rigorous and persistent process of measuring our program performance which, once again, includes the risk and opportunity metrics that we all agreed to as well as how my people, processes and the technology deployed are performing.

By managing in this way, we refine the details of success as well as what needs improvement over time.

Summary
Based on this overview, I am asking for funds that will initiate this process, starting with an enterprise risk assessment. At the same time, we will initiate the same process in micro form for those facilities that need immediate attention.

Attached is a summary of investment for the next 3 months and the measures by which we will manage that investment. Within 100 days you should have a draft roadmap for the next 12-18 months for your review which operates within a 3-5 year context.