Bribery and Corruption: What’s the best approach?

On Feb. 17, Samsung empire’s heir Lee Jae-yong was arrested on corruption and bribery charges connected to a nationwide political scandal in South Korea. While this is unlikely to directly impact the global tech behemoth in day-to-day matters, it is important to investigate how firms and governments can work together more successfully to combat white collar crime and corruption.

An international affair
The fight against bribery and corruption has historically been led by the United States, the first country to implement tough legislation with the Foreign Corrupt Practices Act of 1977. The federal law was enacted to address accounting transparency requirements and to make bribery of foreign government officials illegal.

Europe is not far behind with a range of legislation designed to prosecute and punish corporate crime. Other emerging market governments are finally cracking down as well, holding both domestic and foreign businesses and their senior management, to account.

Tackling bribery and corruption requires prosecutors and regulators that are properly equipped to investigate and deal with complex factual and legal issues. It also requires a judiciary that is impartial and can operate without political interference.

The United Kingdom’s Bribery Act of 2010 is a good example of tough new legislation that regulators and prosecutors can rely upon when investigating such crimes. It has extra-territorial reach both for U.K. companies operating abroad and for overseas companies with a presence in the U.K. It also introduced a new strict liability offence for companies and partnerships of failing to prevent bribery.

The law is not enough
Unfortunately however, even the best legal framework in the world is insufficient on its own.

Companies need to understand exactly how to go about preventing unlawful behavior, particularly in new and distant markets that their headquarters may not clearly understand. Ultimately, the real responsibility and accountability remains with the business to ensure compliance.

Countries with robust criminal and anti-corruption laws might be able to prosecute those individuals or businesses that commit offences within or outside the jurisdiction but the problem will continue until international businesses rigorously apply universal global standards to tackle corruption across emerging markets.

It’s Still about the culture
In short, this issue is about corporate culture. The following are fundamental steps for fine-tuning your organization’s approach to corruption:

• Develop a culture through education, where turning a blind eye to unlawful activity is not an option. Staff should feel comfortable with speaking out if they see anything potentially suspicious. Anti-bribery and corruption training needs to be repeated and made relevant to the day-to-day scenarios employees at different levels might face.

• The tone must be set at the top. For instance it can be useful to educate your firm’s directors with formal governance training, such as from the Institute of Directors (IoD) in London. This level of top-level attention to corporate compliance programs, including training, should be the norm.

• Proper dialogue needs to be established with regulators—not just a one-way stream of new laws and compliance requirements. A regulator should seek the views of those it is regulating. This two-way approach really does work.

Eliminating Language Barriers Between Information Security and the C-Suite

Whether or not security operations pose a core focus to a company or are an afterthought, the largest obstacle now affecting business and security outcomes is the language barrier that exists between security teams and the C-Suite.

In general, security groups’ budgets have increased over the years, with organizations adding more vendors to the mix, “layering” security with the latest new tool to address the latest threat. One of the newest such tools is “threat intelligence” which organizations are using to form an “intelligence-led security” program, a security operations center, or incident response capabilities. While threat intelligence and other solutions hold the answers to many of the important questions executives ask about cyberattacks, this terminology means nothing to C-level executives, nor does the output from these systems and programs. What does it mean that you have stopped one billion attacks this past month? What impact have the 30 incident responses you’ve run over that same period of time had on the business? What’s the significance to reducing response time from one month to one day?

Executives running and overseeing a company have two primary concerns: increasing revenue and shareholder value. There is a big disconnect between security and the C-suite because they speak two different languages. One is a very technical language that needs a translation layer to explain it to the executives. The other is a very strategic language that needs to be conveyed in a way that makes security part of the team and company, and ensures alignment and participation with the business units and executive suite.

What’s the fix? Communication. Each group has to understand the other at least enough to relay the core concepts as they apply to the other and in a language the other understands. As a first step, some companies are adding a technical expert—a “designated geek,” if you will—to their board of directors so they can work on improving communication and understanding. While that can help, it takes a lot more to make sure priorities, efforts and results don’t get lost in translation.

A Two-Way Street

Executives need to include the chief information security officer or chief technical officer as part of their strategic discussions and make sure that security leadership has the ability to push that communication down to their teams in a way everyone understands. To that end, CISOs and executives need to train their security operations personnel to ensure they understand the business. This starts by asking some critical questions:

  • Does every member of the security team understand what is it that you sell/produce/provide?
  • What are the things your security teams need to watch out for to protect revenue?
  • Many organizations operate large industrial control systems. If your organization has such a system, is your security team aware of this?
  • If your company is moving into the cloud or is about to launch a mobile app, does your security team know about this and have you enabled them to get the right monitoring in place to protect it?
  • Have you involved the security team as you were designing that new revenue stream, or evolving your business model in some other way, to be sure that security isn’t an afterthought?

These are just a few examples of how executives need to think about the enterprise to ensure that security is strategically aligned. It is incumbent on the business to train the security personnel on its priorities so that security teams can look for attacks that are important to the business and take action.

Likewise, security teams need to change how they communicate to the C-suite. Every security team should conduct a stakeholder analysis to identify who needs to be informed of what and when. It all comes down to content, format and frequency. Make sure you have regular communications with not only your peers in security and network operations, but with the business units, risk management, C-level executives, the board of directors, and anyone else in the company that is involved in the day-to-day objectives and operations of the company. The CISO should be the link to make this connection happen, working with executives to establish regular communication.

There is no “right way” to communicate. Some executives and boards are more technical than others. Security teams need to take the time to learn what type of communication will be most effective or forever struggle to align security with the business. Sticking with the generated metrics of number of events, alerts and incidents per month has far less impact than an update that contains the “who, what, when, where and why” of a thwarted attack. For example: “We identified and stopped one attack this month from a cyber espionage group targeting our Western European manufacturing facility, which is responsible for $20 million per year in revenue to the company.”

For those in security who feel they can’t deliver such a statement because their security infrastructure doesn’t provide that kind of information about threat actors and campaigns, there is a path forward. Look into creating a program that uses adversary-focused, contextual cyber threat intelligence and make sure you understand enough about your business to know the impact of threats against the various business units. With the communication gap closed, and security and business goals aligned, organizations can become more secure, and profitable.

Can ORSA Work For All Businesses?

In addition to impacting the way countless organizations conduct business, the 2008 financial crisis was an awakening for regulators charged with reviewing and setting the rules that shape the way organizations assume risk. Insurance, perhaps the riskiest business of them all, did not go unscathed.

Not only are insurers responsible for managing their own internal risks, but careful calculations and guidelines are built into their business models to ensure that the risks fall within set parameters. Regulators will argue, however, that this wasn’t always the case.

Own Risk Solvency Assessment (ORSA) was adopted and now serves as an internal process for insurers to assess their risk management processes and make sure that, under severe scenarios, they remains solvent.

U.S. insurers required to perform an ORSA must file a confidential summary report with their lead state’s department of insurance.  The assessment aims to demonstrate and document the insurer’s ability to:

  • Withstand financial and economic stress with a quantitative and qualitative assessment of exposures
  • Effectively apply enterprise risk management (ERM) to support decisions
  • Provide insights and assurance to external stakeholders

While ORSA is requirement for insurers, a new study by RIMS and the Property Casualty Insurers Association, Communicating the Value of Enterprise Risk Management: The Benefits of Developing an Own Risk and Solvency Assessment Report, maintains that ORSA can be used for all organizations looking to strengthen their ERM function.

According to the report:

Whether or not required by regulation or standard-setting bodies, documenting the following internal practices is a worthwhile endeavor for any company in any sector to utilize in their goal to preserve and create value:

  • Enterprise risk management capabilities

  • A solid understanding of the risks that can occur at catastrophic levels related to the chosen strategy

  • Validation that the entity has adequately considered such risks and has plans in place to address those risks and remain viable.

The connection between the ORSA regulation imposed on insurers and the development of an ERM program within an organization outside of the insurance industry is apparent.

ORSA and ERM both require the organization to strengthen communication between business functions. Breaking down those silos are key to uncovering business risk, but perhaps more importantly, is the interconnectedness of those risks.

Secondly, similar to ERM in non-insurance companies, ORSA requires risk management to document its findings, processes and strategies. Such documentation allows for the process of managing risks to be effectively communicated to operations, senior leadership, regulators and stakeholders. Additionally, documentation enhances monitoring efforts, the ability to make changes to the program and is a benefit that allows ERM to reach a “repeatable” maturity level as defined by the RIMS Risk Maturity Model.

Developing an ERM program has become a priority for many organizations as senior leaders recognize the value of having their entire organization thinking, talking and incorporating risk management into their work. Examining and implementing ORSA strategies can be an effective way for risk professionals to get their ERM program off the ground and operational.

Organizational Complexity Poses Critical Cyberrisk

According to a recent survey on IT security infrastructure, 83% of businesses around the world believe they are most at risk because of organizational complexity.

“Employees are not following corporate security requirements because they are too difficult to be productive, plus policies hinder their ability to work in their preferred manner,” noted the Ponemon Institute’s “The Need for a New IT Security Architecture: Global Study,” sponsored by Citrix. “It is no surprise that shadow IT is on the rise because employees want easier ways to get their work done.”

Shadow IT, the information technology systems built and used by an organization without explicit approval, has largely cropped up because employees feel official tools are too complex or otherwise difficult and inefficient. As a result, company data is being put on personal devices and official business is conducted on platforms that enterprise security teams can not monitor or secure.

Nearly three-quarters of respondents said their business needs a new IT security infrastructure to reduce risk. With increasing amounts of sensitive data stored, new technology like the internet of things adopted, and new cyberrisk threats constantly emerging, addressing individual security challenges may be impossible, Citrix Chief Security Officer Stan Black told eWEEK. Rather, companies should focus on larger issues like controlling complexity, developing and maintaining strong incident response plans, and rigorously vetting vendors with access to systems or responsibility for storing data.

Check out more of the report’s findings in the infographic below:

organizational complexity cyberrisk