Francis D'Addario, Bob Hayes and Kathleen Kotwica look at what the future holds for security in the October issue of STE.
By the year 2020, what should “security” look like? Organizations are now more complex than ever before, and there is no evidence that the next eight years will reverse this trend. Companies have adapted to succeed in a global and decentralized market economy, increasing reliance on vendors, suppliers and contract staff for previously in-house operations. They have changed their internal structure to better compete in changing markets and a down economy, and they have learned to leverage new technologies to increase the speed of both communication and business.
This complexity has brought new risks that pose an ongoing security challenge, at a time when security is already arguably at a disadvantage. Many institutions still have not regained confidence following the decade of security shortfalls that began in 2001. Global markets and governments face continued uncertainty, leading many businesses to stop investing in new infrastructure and programs and to instead cut costs and staff in an effort to weather a storm that may or may not be coming. Yet, if organizations do not develop or maintain a robust risk strategy, they could suffer stunted growth and loss of revenue.
How should Security evolve to excel in this environment? Some organizations have accepted the challenge to push security toward value enhancement and stronger, more consistent protection through the rest of this decade. They are already giving the industry a glimpse of what security could — and, perhaps, should — look like in the next decade.
What Security 2020 Could Be
The CSO begins the day briefing the rest of the C-suite on mitigation opportunities that the company’s unified risk oversight team is tracking. He helped provide the momentum to convene the first risk council that, over the years, has morphed into a diverse, cross-functional collaboration — gathering crucial and timely insights from across the company to both identify and address hazards earlier and better than previous siloed efforts.
The CSO is a business partner who is actively engaged in responding to key operational needs. His team proactively seeks alignment with the business’ goals through regularly scheduled meetings with business unit leaders.
Once relied on for heroic efforts to protect personnel and assets, the security function’s strategies have evolved to incorporate relevant performance metrics, including compliance certainty and contribution to plan. Security owns or plays a pivotal role in a wide range of organizational priorities, such as sales and supply chain exception reporting. Conventional fraud detection and response are augmented with cost avoidance planning, brand reputation protection, and corporate social responsibility, including community disaster preparedness. Security consistently applies its unique perspective to help build process and value improvements into these other functions.
The function is also advancing integration capabilities for the entire organization and the industry by participating in technology test beds. Partnering with solution providers, selected locations model, test and prove the effectiveness of integrated security technology elements. Data is shared with operators and vendor and integrator partners to influence product and process improvement. In some cases, security is using technology manufactured by its own company to influence both risk mitigation and revenue.
Collaboration is a hallmark of the unified risk mitigation security strategy. Security maintains multiple internal and external information-sharing partnerships with public and private organizations, and it also works to forge a strong link with the community through social responsibility and philanthropic efforts.
The CSO’s voice is requested and heard by other senior leaders and the Board because of his experience and focus on business integrity and value; but his function does not falter in his absence. Superior performance, excellent insight into risks on the horizon, and refusal to exploit fear, uncertainty and doubt have restored the confidence of management and other stakeholders. Security focuses on mentorship of inter-generational talent and leadership development to ensure that the function’s opportunity to influence is not lost when the CSO cannot make the call.
Determined leadership and the evolution of the security function have resulted in contributions to the bottom line, a strong organizational emphasis on the value of security, higher stakeholder engagement, and measurable improvements in negative security events and business resilience.
While the example above is not company-specific, it is not hypothetical. Each of the elements that contribute to success in the illustration is in place today at one of several organizations with which we have worked.
Elements of 2020 Security
There are five important elements a security leader should aim to incorporate into his or her program if it is to approach the level of effectiveness and efficiency of the case in our example.
1. A focus on Board-Level Risk. We have identified nine categories of risk that are commonly of interest to Boards: Financial; Business Continuity and Resiliency; Reputation and Ethics; Human Capital; Information; Legal, Regulation/Compliance and Liability; New and Emerging Markets for Business; Physical/Premises; and Product. Your Board’s concerns may differ from these, but this is a good place to start.
Get to know and understand what risks your Board is most concerned about to determine which ones have security components. Determine whether you can line up your existing security programs with one or more of those concerns. Once you have categorized your existing programs, look at the categories in which security has little or no impact and think about what you can do to provide value in those areas. Update your strategy to focus on programs that deal with these risks, and then communicate your work clearly to senior management.
2. Unified Risk Oversight. Security does not “own” unwanted risks. Resilient organizations understand this and set up cross-functional groups to share information and oversight on risk issues. There should be many groups involved in risk oversight, including Business Conduct and Ethics, Compliance, Legal, Privacy, Audit and Security. (To view a graphic representation of Unified Risk Oversight, visit https://www.securityexecutivecouncil.com/spotlight/?sid=26462.) Each of them owns or monitors some function that can provide detection or prevention of risk.
3. All-hazards risk mitigation. Recognize that risk to the organization comes in myriad forms, many of which are not traditionally owned by corporate security functions. Risk mitigation need not confine itself to traditional corporate security risks; in fact, in many organizations, “risk” has been removed from corporate security’s purview because of its traditionally narrow view. Risk must be viewed at an organizational level — high ground from which one can see and anticipate hazards of all types.
4. Innovative integration. Programs exist that connect integrators, technology/service providers, and security practitioners for the purpose of testing and proving cutting-edge integrated solutions that provide a total security format with proven Return on Investment (ROI). This requires providers to focus on the needs of the 2020 organization rather than on product sales; organizations to open up the kimono and share metrics of product success; and integrators to step out of the comfort zone of a single product line and begin to think more creatively about integration options that could add value for their customers. If these three stakeholder groups in our industry collaborate in testing for improved interoperability, all will benefit.
5. Inter-generational training. Our research shows there is a wide gap in the transfer of valuable knowledge to new and advancing security leaders. This means the next generation of security leaders is finding that, in many respects, they must begin anew when their predecessors retire or leave the organization, rather than building on what their predecessors accomplished. Without training and mentoring in place, the security program will eventually take two steps back for every two steps forward.
Are you and your organization evolving toward the Security 2020 ideal? We would like to hear from you. The Security Executive Council has been building solutions and working with its approved Solution Innovation Partners to make Security 2020 a reality. Watch for updates by signing up for our newsletters, join our working groups and LinkedIn group to contribute, or become one of the Tier 1 Security Leaders driving the change. To share your stories or to find out more, drop us a line at firstname.lastname@example.org.
Francis J. D’Addario is Emeritus Faculty member for Strategic Influence and Innovation for the Security Executive Council (www.securityexecutivecouncil.com). He served as the vice president of Partner and Asset Protection for Starbucks Coffee (1997-2009). His most recent publication is: Not a Moment to Lose: Influencing Global Security One Community at a Time.
Bob Hayes is Managing Director of the Security Executive Council. He has more than 25 years of experience in security, including eight years as the CSO at Georgia Pacific and nine years as security operations manager at 3M.
Kathleen Kotwica, PhD, is EVP and Chief Knowledge Strategist for the Security Executive Council. She develops strategies and processes to identify, store, understand, build upon, and disseminate the Council’s Collective Knowledge and insights.
The Council is a leading problem-solving research and services organization focused on helping businesses effectively manage and mitigate risk. Our research, services, and tools work to help security leaders initiate, enhance or innovate security programs; build their leadership skills; and bring quantifiable value to their organizations.