Having the Spirit of a Chief
For one thing, it's not just the CSO who needs to be worried about the needs and the mission of the business. No one—CSO or not—can set security and risk priorities without understanding the business first. Radford Jones, academic specialist at the School of Criminal Justice at Michigan State University and previous manager of security and fire operations for Ford Motor Company, knows this well. He's consulted with states and organizations on security planning and management, and, he said, “When I sit down with people, one of the first things I ask is, ‘What is the mission and objective of your company? What is the business strategy?' Sometimes I get these fuzzy looks, and I ask, ‘Have you read the last stockholders report? How about going on the Web site and learning a little about what your company is about?'”
These aren't things only a central executive can do. In fact, Jones doesn't even believe in the necessity of a CSO position. “You've created another level, but because of what? You've created a referee out there?” Jones also remarked that if he were a security director at a company that appointed a new CSO, “I'd be looking in and saying, ‘Where have I failed? If they're bringing in a person to resolve these issues, maybe I've failed in creating strong partnerships with other stakeholders.'”
That brings us to another important factor in thinking like a CSO. A CSO has the advantage of authority over the entire security function, which means he or she always knows what's going on in both the information and physical security departments and recognizes opportunities and needs for collaboration. But a non-CSO also needs to keep tabs on the other side of security, physical or IT. It's imperative to know who the stakeholders are in the company and to know what they're up to, so security can react to new plans and find ways to collaborate to better the business.
Dan Lohrmann, CISO and director of the Office of Enterprise Security for the state of Michigan , works closely with his physical security counterpart in order to ensure that both are on the same page and are recognizing opportunities to enhance overall security. “We get together formally within our emergency management program, and we also get together for lunch and have a personal relationship, because, by the nature of our two departments and our roles, it's especially important that we work together.”
If you as a security director are not yet talking regularly with other stakeholders in your organization, now's the time to start. Jones recommends being flexible and open-minded during these meetings, and listening carefully to what your counterparts in other departments have to say. When you do this, “you start to learn what the common denominators are, what the differences are so that those differences can be worked out between you, so that the bottom line, which is the safety and security and protection of assets of the corporation, is accomplished,” said Jones.
Time to Get Started
If you don't feel business minded, a good way to start thinking like a CSO is to get some business and leadership training. Mattice himself has attended business schools and executive leadership programs, including programs with the Center for Creative Leadership, which is online at www.ccl.org. Many security professionals have been taking this route, going back to school for MBAs or single, specialized courses.
These aren't options for everyone, and for those unable to go this route, Jones has his own suggestion.
“There are a number of books written on effective meetings and all that, but I think one of the best ways to learn it is to just jump into it. Take time to list who your partners may be within and outside of the corporation and spend some time getting to know them and listening to where they are. The hardest part is picking up the phone.”