Q. My Board of Directors is asking what the security department is doing to mitigate security-related risks outlined in our 10-K report. How do I respond?
A. Even though you may not have an immediate answer, there is good news in the fact that they are asking the question: boards have become more educated on, and more in tune with, enterprise risk management. The 10-K is an annual report that the Securities and Exchange Commission requires of publicly traded companies. It provides a comprehensive summary of company performance that goes well beyond the high-gloss "tabletop" books we usually associate with a company's annual report. Within the 10-K is a section on risk factors. This is where the company lays out anything that could go wrong: likely external effects, possible future failures to meet obligations, and other risks disclosed to adequately warn current and potential investors. A number of these risks fall directly within the charter and responsibilities of the Chief Security Officer (CSO). Nothing here is hidden; your company's 10-K and its risk factors can be found in the Investor Relations section of your corporate website.

CSOs and their staff need to understand their company's 10-K risks, and ideally the CSO will align his or her personal and program goals against these risk factors, creating what I call the "10-K Security Quotient." CSOs with lower 10-K quotients are typically more closely aligned with executive management's view of risk and of what matters. Higher quotients indicate misalignment and may raise questions about whether the CSO is addressing the appropriate risks. A CSO can establish an aligned approach, and lower the 10-K quotient, through research and thoughtful planning.