NEW YORK CITY -- Government needs to better understand the realities of running profitable businesses -- and quickly -- as it imposes security regulations that can affect the profitability of corporations battling in a competitive environment.Security absurdity: U.S. in sensitive information quagmire
"The government guys understand very little about the operational side of the private sector," Gary Lynch, global leader of international trade and supply chain risk for insurance broker and risk adviser Marsh, told attendees at the Security Standard conference Monday.
In his keynote address Lynch said businesses are reevaluating how they evaluate supply-chain risk and take steps to mitigate it. For example, the auto industry stands to save $1.6 billion using cloud-based collaboration to comply with filings it must make on imports, he says, but that introduces a new area of risk: sensitive data shared in the cloud.
IT security experts need to focus on the potential financial downside of that data being compromised and formulate a proportional response to it, he said.
In addition, businesses should look at their overall risk programs, which may be fragmented and have departments tripping over each other or performing the same tasks unnecessarily. A business might assess risk for products, its physical assets and its personnel, and all the security covering all of them needs to be orchestrated to drive out redundancy that pushes up costs, Lynch said.
He recommends spending time figuring out where risks lie and allocating security measures based on the strongest business priorities. For instance Coca-Cola recognizes two of its products -- Dasani water and Diet Coke -- as the two out of 450 brands they protect the most based on their profitability, Lynch said.
Businesses should acknowledge their priority products and focus risk management efforts on those.
Lynch said there are warning signs that security efforts might be made more efficient, the first being swelling security staff. That could indicate the business is taking on too much of the responsibility and might want to outsource.
Another sign is spending a lot of time rationalizing the security organization rather than deciding what is best for the organization and responding to it. That can be a sign of trying to impose a security organizational structure on a set of business circumstances for which a different structure might be better suited.
IT security practitioners who find themselves stagnating at their current jobs might want to look for work elsewhere in organizations that have embraced a culture of adjusting security needs to improve the corporate bottom line.
Lynch said he finds that generally businesses overseas are doing a better job of adopting this approach and are less susceptible to the internal political problems that often arise in the United States.
Read more about wide area network in Network World's Wide Area Network section.