Question: What can I do to strengthen management's confidence in security?
David Burrill, former CSO, British American Tobacco; emeritus faculty, Security Executive Council: It is important to understand what "turns on" the C-suite and others. It is not enough for the CSO to be perceived as a "specialist skillset." The CSO's ambition should be to demonstrate that he or she and his or her managers understand the business as a whole - every bit as much as any other manager in the company - and that they think, act and deliver in a multi-functional context. Success will be defined by others, outside of the security function, who recognize security as a pervasive, fully integrated, value-added, business-aligned activity in which they have an unarguable stake and responsibility. This won't happen by chance. A strategy should be formulated to embrace both vision and mission, entirely aligned with and reflective of the overall company strategy. Objectives should cover how to improve talent, organization and service; illustrate added value; engage/converge with other functions; demonstrate leadership beyond the function; and, crucially, market security as a brand.
Derek Benz, CISO, Honeywell International; member, Security Executive Council: Executive confidence is directly related to past performance - the more recent, the more relevant to leadership. Hitting targets (specifically speed, cost, and quality) has been increasingly difficult since 2008, but a prudent security organization that spends wisely and helps other groups to achieve their targets will foster significant political capital. Security must be recognized as a team player and as an organization that can make things happen. It must be reliable, resilient and ready to move with the company (e.g., opportunities in high-risk regions, cloud computing, or higher risk/reward acquisitions). Regardless of confidence level, if the security organization is buried under a thick layer of non-security management, security may find it challenging to effect significant and lasting change. But when that confidence is linked to highly placed security leadership, things get done. If true change is required, it is critical to have the security organization as high up on the organization ladder as possible.
Karl Perman, Manager of Corporate Security, Exelon Corp.; member, Security Executive Council: I suggest frequent interaction with key management stakeholders to discuss their business objectives and their expectations of the security organization. Planning at the end of the year for the year ahead can be helpful, but keep in mind that business and security objectives are fluid and can change rapidly. In addition to annual planning, there should be regular (monthly or quarterly) follow-up reports to summarize progress, accompanied by one-on-one meetings with stakeholders as needed to ask for feedback and to fine-tune objectives. Alignment between security objectives and business goals is important to show the value of the security organization. It is also important to use business terms in these conversations, not security or law enforcement terms. The more I interact with stakeholders, the better understanding I have of their satisfaction level and expectations. I believe that frequent, honest and candid communications with key management stakeholders strengthen management's confidence in the security organization.
Russ Cancilla, VP and CSO, Baker Hughes; member, Security Executive Council: Two important ingredients are necessary in strengthening management's confidence in security: building alliances with management and the workforce at all levels, and keeping management informed of security successes. By building alliances, security professionals can create a demand for their services. As we demonstrate the value security brings by describing risks and explaining mitigation factors, we provide a perspective to business leaders that helps them make better decisions, which often results in more successful projects and greater alliances. Keeping management informed of the successes of security programs can also increase management confidence in our teams and programs. We may assume that management is aware of security's contributions, but often they are not. The proverbial "if we aren't telling them what we are doing, they probably don't know we are doing it" applies more to security than most other functions. Of course, it is important to be selective and subtle in what successes we communicate, and how.
thoughtfully - even entertainingly, if you have to - to address the misinformation, and do it on an attitude level consistent with each channel's users. By documenting these actions, you can help make the business case justification for budget funding and resource requests. Then you can confidently present your funding requests knowing that senior leadership has the ability to rationally support your request and has the understanding to accept a specific risk or threshold of risk to the company.
Next month's question: Which security metrics have provided you the greatest benefits?
For more information about the Security Executive Council, please visit www.securityexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the SEC and reprinted with permission. All rights reserved.