Jeffrey Slotnick is president of security consulting firm Setracon.
David Nicastro is a principal with Secure Source International.
Consultants can influence security changes in organizations
Consultants can help effect change in an organization by educating senior executives and other employees about issues that impact their security posture.
In our conversations with the risk and resilience consulting community, one of the challenges they express is helping their clients understand how risk intersects with organizational value. They also point to the master planning process. This can be a hinge point that can leverage a thorough assessment. That assessment’s value relies on the organization's ability to lead and navigate change.
If we pause for a moment and understand the forces at work that the consulting community must be aware of, we can appreciate the work they perform.
From the highest levels of most organizations today, public or private, there is the imperative of securing the core. This means optimizing the organization's management of human resources (people), how they are deployed, how they are measured (processes), and, finally, the tools they use to perform their tasks (technology). The budget this represents is not the "innovation" budget. It is the "keeping the lights on" budget. And shaving small percentages from this budget could represent a significant amount of money.
The language we use to describe this change effort is critical. Cutting a budget is different than improving the quality of how our products or services are designed, managed and delivered. In the latter, we are truly defining roles and value exchanges between roles so that we eliminate non-value-added tasks. The end goal is to drive velocity (time to value) and the value that aligns with the organizational goal and business model.
The consulting community has the opportunity to help the organization pinpoint those areas that will do this. They can also help educate and articulate change in such a way that the organization's executives and employees can understand.
There are consultants who make the "change" issue part of their training and consulting practice. We were able to have a series of conversations with them. One is David Nicastro, principal with Secure Source International. Nicastro is usually in the middle of sweeping changes that are occurring in how executives view risk around the world. A large part of his services revolves around executive protection, which allows him access to the core of the organization's leadership. Many times organizations turn to him to launch optimization or innovation projects in security, eventually leading a team of disparate resources around the world to a common operating picture.
According to Nicastro, the best way to lead change is to understand how the organization conducts business through the perspective of its leaders.
"We are able to earn the trust of senior executives by spending a great deal of time understanding how they drive organizational value," said Nicastro. "This step is crucial before understanding what risks would endanger the delivery of that value. What we are finding is that most organizations do not have the ability to capture information, analyze or communicate information effectively. This leads to the inability to leverage that information and tactically apply it to the risk case. Leveraging the data could be in the delivery of a coordinated response during an incident, or it could be analyzing it for predictive and/or proactive planning for a future response. But the real leverage comes from measuring the data over time so that we can optimize and improve the delivery of valuable services to the organization."
Jeffrey Slotnick, CPP, PSP, who has delivered risk and resilience consulting and training for years through his firm Setracon, agrees.
"We are change agents for our executive clients. We must collect the right information during our assessments so that we can paint a compelling picture that resonates with a diverse audience: executives, security operations and line of business managers," Slotnick said. "The way we, as consultants, gather that data, organize it, and report on it, will make or break the change effort and, in the worst case, leave behind vulnerabilities and risks that could have been mitigated."
According to Nicastro and Slotnick, their ability to create a sense of urgency, build consensus and leadership within their client’s organization, and collaborate on a roadmap that guides their strategy and execution is the ultimate service they can provide.
To Slotnick, who provides pro bono services to the industry through his executive role with ASIS, he and his peers are redefining the roles of security leaders.
"They are no longer only practitioners. This is important from a competency aspect. But now the market is asking them to be a steward of their organization by a comprehensive management systems approach for prevention, protection, preparedness, response, mitigation, continuity, and recovery. That is a lot to ask of them. But for those who grasp the opportunity, it is also very exciting," Slotnick said.
Nicastro also sees this. "There is an emerging understanding of how technology will help us gather and disseminate mission sensitive information. Think about the devices, software, people and processes generating data. This is critical to our understanding of how the organization and the security organization intersect. We have a tremendous opportunity as a consulting community, to help them lay the groundwork for a new, optimized way of delivering services," Nicastro said. "Why? Because we are the first point of change. We see the risk and the value first, before IT and Physical Security products and guarding services are introduced. We know vulnerabilities as well as the business value at risk because of those vulnerabilities."
To drive it home, Slotnick helped me understand how he defines resilience. "Resilience is an organization's ability to quickly, efficiently, and effectively adapt to change, such as disruptive events (natural, intentional, or unintentional), by implementing adaptive, proactive and reactive strategies. You can see why this is really about leading change and why we, in the consulting community, are continually advancing our craft to meet this challenge," Slotnick explained.
Nicastro agrees. "We are becoming information architects as well as change agents. We must construct and take the lead now as we take practical steps introducing these value-added processes. And we need a different view of what integrated systems look like and how they are implemented. As well, we need to integrate up and down the service provider value stream," Nicastro said. "We in the consulting community need to create leveraged, trusted relationships between each other as well as other product and service organizations. A new emerging definition of integration takes into account silos within our client's organization (the change effort), the silos within the product and service community, and finally an information technology model based on truly open, commercial off-the-shelf products. This last one is critical to availability, sustainability and reliability."