How CSOs can effectively influence the C-suite

Security executives discuss keys to successful leadership at The Great Conversation


“These are just a few the things that will help you be a successful leader,” Brod explained. “It’s part of what you have to do. You can’t just wish it. There is a real path you have to take.”

Brod added that security leaders have to familiarize themselves with the business needs of the company, which will subsequently help them to become a trusted advisor within the organization.

Another element to becoming an effective security leader, according to Brod, is partnering with others across the organization to understand how you can help meet their needs.

“Are you a forward thinker? Are you willing to take risks,” Brod asked. “You have to realize the areas where you are strong and where you need to learn.”

Resilience

While many people think of organizational resilience as simply being how quickly an organization can recover from an incident, Microsoft Chief Security Officer Mike Howard views resilience as being multi-layered, measuring the preparedness of people and departments within a company.

In fact, Howard used the attack against a Microsoft office in Greece last year by an anarchist group as a barometer for organizational resilience in his company. Through the use of integrated technology solutions and communication protocols, Howard said Microsoft was quickly able to setup an incident command center to assess and respond to the attack. Shortly after the incident, Howard said the company had “boots on the ground” to examine why it happened and has since learned more about the group responsible. The company has subsequently further hardened facilities in areas where they are active.

“We were grateful that no one was hurt and it was gratifying to know our business partners were very complimentary of what security did in this case,” Howard said.

One of the keys to increasing organizational resilience, according to Howard, is having strategic relationships. Howard said having these relationships enables security leaders to “influence without authority.” He also emphasized the need to move away from operating security departments within a silo.

“We tend to want to just keep among ourselves. We do that to our own detriment,” he explained.

Howard also cautioned security executives in the audience not to be overconfident in their knowledge, saying that they have to keep learning and evolving.

“We don’t have all of the answers. We’re here because we want to learn from the best,” Howard said of the summit.

Metrics

With budgets being what they are, security executives are increasingly being asked to prove their value to the organization. Despite the blank check many corporate security departments received in the aftermath of 9/11, times have changed for the CSO that wants funding for the implementation of new system or service.

Of course, one of the ways security managers most often prove their worth to a company is through the use of metrics. However, this is easier said than done. Security metrics are different for every organization, according to David Komendat, CSO for aircraft manufacturer and defense contractor Boeing.

“What we went through and what you go through are different,” he told the audience.

Komendat is responsible for the safety and security of 176,000 employees who work in all 50 states, as well as 70 different countries around the world. Boeing is the largest U.S. exporter and the country’s second largest defense contractor.

As he began to delve into security metrics, Komendat said he realized that he wasn’t being a good “marketer” for his department and that he had to think differently about how he did things.

“We were a necessary evil,” Komendat said of his security department. “They knew they needed us, but didn’t know why.”

Essentially, Komendat said he had to tailor the metrics he created around  four primary risks his senior managers were interested in, which include financial, operational, compliance and strategic.

The more he talked with his colleagues, Komendat said he realized that he was wrong in being hesitant to tell his story to the C-suite and that he needed to communicate how the company was spending a quarter of billion dollars annually on the department.