Proving the value of security to the C-Suite

When some of the top CSOs and CISOs in northern California’s Silicon Valley congregated this week past week at Yahoo corporate headquarters in Sunnyvale, it was business not technology that permeated the security and risk discussions amongst peers.

This gathering of top security, IT and risk executives at the Global Security Operations 2015 (GSO 2015) conference is a unique creation of security industry consultants Ray Bernard and James Connor, whose vision reaches beyond what to buy, instead to why it should be bought. The pair of veteran practitioners, along with other experts over the two-day event stressed that the job of security is giving management enough tools to understand the risks so they can make the right decisions. Management owns the risk – not security.

The conference kicked off with Yahoo’s director of corporate security and safety, Greg Jodry, who joined the team after stints at several large companies, including Microsoft where he worked directly with founder and CEO Bill Gates. Here at Yahoo he has built the corporate security and crisis management team from the ground up. It now serves more than 14,000 employees worldwide, with more than 70 brick and mortar locations in 35 countries.

For Jodry, it has been all about aligning his department with the corporate mission. He insisted that you can’t try to sell security or chase management buy in if the will to manage organizational risk isn’t present in the boardroom.

"You have to know your environment. We have a very fluid environment here at Yahoo. The company has gone through some big changes (four CEOs in the last five years) and that has presented its share of challenges," said Jodry. "When I first got here management didn’t have a clear security strategy. I was brought in more or less to take care of the physical assets and the guards. But our goal was to invigorate the program."

As late as 2007, Jodry had little staff and no real program. So he brought in an external group to assess Yahoo’s risks and spent time learning all he could about the business and where his department should apply its security posture.

"We needed to find out where the gaps were. We had plenty of opportunity to build our business cases and where we should map our strategic vision in 2009. We started with building a mission and value statement," Jodry said, pointing out that is key to be first to the table when articulating your department’s mission. "Pretty soon we got invited to the table so we could handle the blended risk and enterprise management issues we faced. The one fact we knew was we can’t do IT security well without a close interaction and team approach with the physical side."

The Yahoo security roadmap included a strong executive communications strategy, transitioning to in-house regional management positions and bringing responsibilities for risk/countermeasures dealing with executive protection and kidnapping issues under security’s purvey. It has taken Jodry’s team a little more than three years to build out the program to the levels he wanted. But now he is confident that with all the data points his department touches, security is bring value to the table and helping management visualize risk they didn’t consider previously.

Understanding how to work security into the alignment of the organization has been a key to the success of programs developed by Derrick Wright, the director of security and DEA & environmental for West-Ward Pharmaceuticals of New Jersey.

"I work locally, but always think globally – I’ve been a security practitioner for 20 years, but never really liked the way we as a security professional presented ourselves. No matter what business you’re in, it is how you bring value to the organization that ultimately seals your fate," said Wright. "You must add value from your customer’s perspective. If you don’t know the business you are in, then you are handicapped and bring little to the table. I now have three areas of responsibilities that I have no experience in - but I do know the business. My concept of adding value might not be what our customers are, so we began having discussions with all the stakeholders. If you are rolling out this and that and it fails to meet their needs or wants you have failed."

Wright insists that it is all about leadership. And if you are prepared and educated enough to know your company’s mission and departmental interactions, you can lead anywhere in the organization. He says you are leading when you are lightening your boss’s load. It is a matter of you completing, not competing their roles.

"You need to influence the influencers. If you add value and you demonstrate strong leadership, there is little selling needed. Develop a framework for a standardized, sustainable, continuously improving organization, with small continuing and incremental improvement each day. That will create a mindset for success," Wright added.