Question: What can I do to strengthen management's confidence in security?
David Burrill, former CSO, British American Tobacco; emeritus faculty, Security Executive Council: It is important to understand what "turns on" the C-suite and others. It is not enough for the CSO to be perceived as a "specialist skillset." The CSO's ambition should be to demonstrate that he or she and his or her managers understand the business as a whole - every bit as much as any other manager in the company - and that they think, act and deliver in a multi-functional context. Success will be defined by others, outside of the security function, who recognize security as a pervasive, fully integrated, value-added, business-aligned activity in which they have an unarguable stake and responsibility. This won't happen by chance. A strategy should be formulated to embrace both vision and mission, entirely aligned with and reflective of the overall company strategy. Objectives should cover how to improve talent, organization and service; illustrate added value; engage/converge with other functions; demonstrate leadership beyond the function; and, crucially, market security as a brand.
Derek Benz, CISO, Honeywell International; member, Security Executive Council: Executive confidence is directly related to past performance - the more recent, the more relevant to leadership. Hitting targets (specifically speed, cost, and quality) has been increasingly difficult since 2008, but a prudent security organization that spends wisely and helps other groups to achieve their targets will foster significant political capital. Security must be recognized as a team player and as an organization that can make things happen. It must be reliable, resilient and ready to move with the company (e.g., opportunities in high-risk regions, cloud computing, or higher risk/reward acquisitions). Regardless of confidence level, if the security organization is buried under a thick layer of non-security management, security may find it challenging to effect significant and lasting change. But when that confidence is linked to highly placed security leadership, things get done. If true change is required, it is critical to have the security organization as high up on the organization ladder as possible.
Karl Perman, Manager of Corporate Security, Exelon Corp.; member, Security Executive Council: I suggest frequent interaction with key management stakeholders to discuss their business objectives and their expectations of the security organization. Planning at the end of the year for the year ahead can be helpful, but keep in mind that business and security objectives are fluid and can change rapidly. In addition to annual planning, there should be regular (monthly or quarterly) follow-up reports to summarize progress, accompanied by one-on-one meetings with stakeholders as needed to ask for feedback and to fine-tune objectives. Alignment between security objectives and business goals is important to show the value of the security organization. It is also important to use business terms in these conversations, not security or law enforcement terms. The more I interact with stakeholders, the better understanding I have of their satisfaction level and expectations. I believe that frequent, honest and candid communications with key management stakeholders strengthen management's confidence in the security organization.