A good friend of mine who had years with a major international pharmaceutical company, recently contacted me looking for some help. With an advanced degree in environmental engineering and years of experience as an operations and project manager, he was about to be handed a new challenge he didn't think he was quite prepared to meet.
"Steve, you're the security maven. So help me out here. I've just been asked to become the corporate director of security and safety," said my buddy, who was not as much intimidated with the safety aspect since he had been dealing with OSHA and environmental compliance issues in his past position, but security was another animal. "How do I position myself so I don't look like an idiot"?
As I talked him off the ledge, I assured him that the new world of corporate security was not akin to his preconceived notions of gun-toting, key-chain carrying, slick-talking ex-law enforcement veterans or steely-eyed former federal agents. This generation of security directors is more businessman than lawman. They are big-picture professionals who understand all aspects of the business process - from budgets and personnel to technology and risk analysis.
So, in my quest to help my amigo better understand what issues should be front-of-mind as he enters this new chapter of his professional life, I asked several leading security professionals what are some of the most important points any fledgling security director should know?
George Campbell, the former CSO at Fidelity Investments and current emeritus faculty member for the Security Executive Council, and a regular columnist with our publication, was all about the business drivers. He stressed that a newbie must thoroughly understand the risks management has placed on your watch. That risk, and management's acknowledgement of it, is why you have a job.
"First, you must understand the business processes and internal controls that are home to vulnerability and risk and management's appetite for risk," Campbell says. "Understand what could occur given these vulnerabilities and who the responsible parties for prevention and response are. A great opener question when you meet with any senior executive is 'what keeps you awake at night around risk?"
Another key point Campbell addressed is how security will be perceived in the enterprise landscape. He asks that you consider how the culture and business strategy of your company influences your mission and how your department should deliver its products and services.
"This is about being appropriately aligned with how things are done and how your customers will see you as a partner in their objectives," he says. "Finally, you want to understand what and how to measure the performance of your programs and the ability of the enterprise to detect, prevent, inform and respond to the inventory of risks that are within its scope of operations. You enjoy a unique perch to view risk. Use your metrics to probe and identify the gaps in protection and then inform to eliminate plausible denial. Report up and out in ways that engage action and then provide the tools and limited resources you have to influence an improved state of enterprise security."
As Clint Eastwood once said as Dirty Harry, "A man has got to know his limitations." Apparently Severin Sorensen, CPP, also thinks that is not a bad quality for a security director. "Rule one: know thyself. Understand your own personality, strengths and limitations, and be open to asking questions and building relationships within the organization.
"Immediately upon placement into a new position, conduct a security risk assessment and determine the risks, threats and vulnerabilities of your new position," Sorensen stresses. "Assess your people, organization, structure and resources. Know everything about your limitations and constraints in this new roll. Map out a 30-, 60-, 90-day plan for gaining this information about yourself in this new role. Include in your preparations a training plan for improvement of your own role, your direct-reports and your organization."