Sam Walton, the founder of Wal-Mart, said that high expectations were the key to everything. It is hard to argue that aiming high and setting aggressive goals can lead to success. Yet building up unrealistic expectations can also get you fired.
Last summer we made our quasi-regular trek down to Disney World in Orlando with our teenaged daughter. The family loves everything Mickey - me, not so much. But I do have to give the Disney folks credit; they do know how to manage expectations. As you snake through the long lines for Splash Mountain or the Haunted Mansion, you are never far away from a clock posting the approximate waiting times.
Here's an insider trick I learned from my daughter's classmate who had the gig as Tigger at the park this year. The wait times posted on the clocks are never as long as they indicate. So they say 20 minutes and you arrive in the mansion foyer after only 13 minutes, you're ecstatic, "Hey, that wasn't such a bad wait after all!"
Disney World is just one of the many venues where expectations are managed. Corporate CEOs always couch expectations to the stockholders just before the annual reports are released. Those who fail to appease the expectations of analysts usually see their stock plummet. Politicians are notorious for manipulating the public's expectations in their election speeches with non-committal dribble and double-talk so once we vote them into office, there is little accountability. Even coaches have learned to manage the expectations of their respective fan-base. Promising a playoff drive that falls short is a sure ticket out of town for any coach. Coaches, CEOs and politicians have learned that satisfaction is frequently based on performance against expectations rather than any abstract notion of what they actually achieve.
As security evolves more as a service function in today's enterprise risk management environment, how you manage expectations has never been more important to your success as a business leader. Many security managers just don't know how to convey the value they bring to the organization. Why? Because in most cases, they still approach security function in the context of a fear-based model instead of it being a risk-based model.
Managing executive expectations are the most critical responsibilities of the security manager. Your roadmap must be well-defined and the goals your department wants to accomplish should be spelled out with directions on how to get there.
Demonstrating the value of security to the organization and proving that the safety of the people, assets and data is part of a structured program are no longer optional activities. Your longevity in the director or manager position is directly related to how well you sell your strategy, show progress, and manage to your budget.
George Campbell, STE's regular columnist on security metrics and a former Chief Security Officer at Fidelity Investments, says the fact that established metrics and measures for the full range of security programs are few and far between tells a story about the historical disconnection of these functions from the core businesses they serve: "The risk environment has changed significantly over the past 30 years with shocking wake-up calls to CEOs, Boards and shareholders," he says. "Attentive corporations have had to address the exposures uncovered in these times with more sophisticated and mainstream corporate security organizations. Metrics are a natural descendant of this process."
The bottom line is that in your superiors' mind, their satisfaction is based on how close you have come to their expectations, not how close you were to the 20-page document you left them at the last committee meeting. You must realize that expectations are set in motion by all kinds of events. It might be something you might have said or done, or even something someone else in the meeting might have said. But as a manager, it is crucial to realize that expectations - whether they be rational or irrational, valid or invalid - were not created in a vacuum.
There is an old management adage that says. "You can't manage what you don't measure." It is frightening when you consider that more than 65 percent of security managers don't provide or record any type of security metrics. It is impossible to manage expectations if you don't monitor them.
If you have any questions or comments for Steve Lasky regarding this or any other security industry-related issue, please e-mail him at firstname.lastname@example.org.