The CSO’s voice is sought out and heard by other senior leaders and the Board because of his experience and his focus on business integrity and value, but the function does not falter in his absence. Superior performance, sound insight into risks on the horizon, and a refusal to trade on fear, uncertainty and doubt have restored the confidence of management and other stakeholders. Security invests in mentoring inter-generational talent and developing leaders so that the function’s opportunity to influence is not lost when the CSO cannot make the call.
Determined leadership and the evolution of the security function have produced contributions to the bottom line, a strong organizational emphasis on the value of security, higher stakeholder engagement, a measurable reduction in negative security events, and measurable gains in business resilience.
While the example above is not company-specific, it is not hypothetical. Each of the elements that contribute to success in the illustration is in place today at one of several organizations with which we have worked.
Elements of 2020 Security
There are five important elements a security leader should aim to incorporate into his or her program if it is to approach the level of effectiveness and efficiency of the case in our example.
1. A focus on Board-Level Risk. We have identified nine categories of risk that are commonly of interest to Boards: Financial; Business Continuity and Resiliency; Reputation and Ethics; Human Capital; Information; Legal, Regulation/Compliance and Liability; New and Emerging Markets for Business; Physical/Premises; and Product. Your Board’s concerns may differ from these, but this list is a good place to start.
Learn which risks your Board is most concerned about, and determine which of them have security components. Then check whether each of your existing security programs lines up with one or more of those concerns. Once you have categorized your existing programs, look at the Board-level categories in which security currently has little or no impact and consider what you could do to provide value there. Update your strategy to emphasize programs that address these risks, and communicate your work to senior management in those terms.
2. Unified Risk Oversight. Security does not “own” the organization’s unwanted risks by itself. Resilient organizations understand this and set up cross-functional groups to share information and oversight on risk issues. Many groups should be involved in risk oversight, including Business Conduct and Ethics, Compliance, Legal, Privacy, Audit and Security. (To view a graphic representation of Unified Risk Oversight, visit https://www.securityexecutivecouncil.com/spotlight/?sid=26462.) Each of them owns or monitors some function that can detect or prevent risk.
3. All-hazards risk mitigation. Recognize that risk to the organization comes in myriad forms, many of which are not traditionally owned by the corporate security function. Risk mitigation need not confine itself to traditional corporate security risks; in fact, in many organizations “risk” has been removed from corporate security’s purview precisely because of the function’s traditionally narrow view. Risk must be viewed at the organizational level, the high ground from which one can see and anticipate hazards of all types.
4. Innovative integration. Programs exist that connect integrators, technology/service providers, and security practitioners for the purpose of testing and proving cutting-edge integrated solutions that deliver a complete security capability with a demonstrated Return on Investment (ROI). This requires providers to focus on the needs of the 2020 organization rather than on product sales; practitioner organizations to be transparent and share metrics of product success; and integrators to step out of the comfort zone of a single product line and think more creatively about integration options that could add value for their customers. If these three stakeholder groups in our industry collaborate in testing for improved interoperability, all will benefit.
5. Inter-generational training. Our research shows a wide gap in the transfer of valuable knowledge to new and advancing security leaders. As a result, the next generation of security leaders often finds that, in many respects, it must begin anew when predecessors retire or leave the organization, rather than building on what those predecessors accomplished. Without training and mentoring in place, the security program will eventually take two steps back for every two steps forward, making no net progress.