"If a security director comes out of government knowing how to operate through policies, procedures, rules and guidelines, he or she will usually try to do that same thing in a new company," Hayes says. "Well, what if the corporate culture is such that they don't run on policy and guidelines, they run on process and procedures? This security director is trying to sell a program to the company in the wrong format. His influence is hugely diminished because he doesn't have an understanding of the company."
If you try to talk to your business team - senior management, mid-level management, staff - without first building your own awareness of the company, they may not look at you like you are an idiot, but they probably will not listen to you any more than if you were one.
Target Your Message
Once you have ensured that the program for which you want to drive awareness is appropriately aligned with the business, you have to consider how to push your message to each level of the organization.
Dave Kent, vice president of Global Risk and Business Resources for Genzyme Corp., and a member of the Security Executive Council, believes targeted messaging is crucial to improving awareness at all levels. "You have to understand the business of the people you are talking to," he says. "If it is the CEO, you have to understand the business in his or her terms, what his or her level of interest is, and what level of abstraction around the issues he or she can tolerate. If it is a business unit leader or product line manager, you have to be able to understand their work almost at the level of a general manager, so you know what their markets are, what the products are, where they are on their prime maturity line, their profitability, and the finances, so you can use language that interests that person. That way, they can immediately translate the value in their own language."
Kent continues that the nature of your approach should also vary depending on the group you are reaching out to and its circumstances. "One business unit might have a higher tolerance or more resources for a certain program at a certain time, but that might not be uniformly distributed throughout an organization. You may have to push your message to that unit and throttle back on another one. Maybe one group is pushing the company into a high-risk arena and you've got to jump in there and make some demands. It's a very tailored approach - always premised on a good, solid understanding of the business," he says.
Had the security director in our laptop protection example followed this advice, he would have likely found more support. He would have communicated to the operations staff and laptop users separately what each of them needed to know and why the program would be important to them. He would have avoided spamming the majority of the business' population. He would have had a one-on-one meeting with senior managers - rather than copying them on a broad e-mail - to discuss the risks he saw and present mitigation options that were economically appropriate in the current business climate.
Tying It All Together
How you position yourself to gain influence across the company will depend on your corporate structure and the level of support and knowledge you already have. Sandy Sandquist, a member of the Security Executive Council, has had a great deal of success in the influence and awareness arena as director of Global Security for General Mills for the last 10-plus years.
"I have a small department, but we have more than 30,000 employees across the world - of which nearly 50 percent work outside the United States," he says. "You cannot (raise awareness in) a $15 billion company with that many employees with a small staff unless you are creative. And the way we become creative is by using many vehicles, not just one."
One way Sandquist maintains business alignment and influence is through what he calls the Security Board of Directors, an internal set of senior leaders that meets annually to discuss security successes and to direct strategy. "I ask them to consult with us on focusing our strategy on what the business is looking to achieve," he says. "This helps us to ensure that our program is going in the direction they need it to go, and that we are not just dictating what risks are there and what mitigating strategies may be available. It is reaching out to the various businesses and putting them in charge of what our strategy is."