How CSOs can effectively influence the C-suite

Senior security leaders from organizations across the country gathered this week in Seattle for the annual ASG Security Summit/The Great Conversation event to learn about the challenges facing their peers and to share industry best practices. The theme throughout the event centered on what security executives need to do to get a seat at the table with decision makers within their companies and how they can prove the value of their department to the C-suite.

Ron Worman, managing director of The Sage Group, who moderated a “State of the Industry” panel discussion that included former Starbucks vice president of partner and asset protection Francis D’Addario, OR3M CSO Jeffrey Slotnick, and William Plante, director of professional services for Aronson Security Group, said that security is in its third generation with technology and services being focused on information management. The first generation, he said, involved locks, guards and gates, while the second generation included bringing devices onto the corporate network. Industry analysis presented at last year’s event from Gartner showed that, for the most part, security budgets within organizations were expected to stay relatively flat, only increasing by a half of percent. According to Worman, this projection has held true this year and security executives are being asked to do more with less.

D’Addario stressed that security executives must have a strategic outlook and vision for their department. The focus, he said, should not strictly be on optimizing costs, but on optimizing results for the organization. “Things are always going to happen,” D’Addario said, “but we’re going to talk about them before they do.  It’s not about enterprise risk management; it’s about board-level risk.”  

Slotnick, who has been influential in helping develop industry standards around organizational resilience management, said that security has increasingly moved out of its silos within organizations and has started to work with all of a company’s stakeholders. He believes, however, that some security managers are still hampered within their organizations due to their inability to speak the “language of business.”

In addition to the panel discussion, there were also three keynote speeches at the event focused on three topics: Leadership, resilience, and metrics.

Leadership

Providing a perspective on how security should work hand-in-hand with the C-suite was Microsoft Chief Accounting Officer Frank Brod, who serves as the company’s corporate vice president of finance and administration. Brod, who plays a key role in every financial decision at Microsoft, said that he works closely with the company’s security department, which has the monumental task of keeping over 180,000 employees working in 200 countries around the world safe.

While many companies see security as a cost center, Brod said it’s a top priority for Microsoft, which has more than 700 facilities worldwide, In addition to the obvious access control concerns with a company the size of Microsoft, Brod said they also have to secure special events, ensure safe travel for employees and executives, conduct background checks, as well as secure information and cyber assets. The company also has a fraud investigations unit and even monitors social media sites to ascertain whether or not there could be a threat to one of their facilities, according to Brod. To accomplish these tasks, the company has three security operations centers located in the U.S., the UK and India that provide around-the-clock surveillance and security.

With a background in the chemical industry, Brod is intimately familiar with how vital the security arm of an organization is and he believes there are several steps security managers can take to become more influential in their organization. These include being able to articulate a clear strategy, acting as an ambassador for the company’s goals, and serving as a coach and mentor to others.

“These are just a few the things that will help you be a successful leader,” Brod explained. “It’s part of what you have to do. You can’t just wish it. There is a real path you have to take.”

Brod added that security leaders have to familiarize themselves with the business needs of the company, which will subsequently help them to become a trusted advisor within the organization.

Another element to becoming an effective security leader, according to Brod, is partnering with others across the organization to understand how you can help meet their needs.

“Are you a forward thinker? Are you willing to take risks,” Brod asked. “You have to realize the areas where you are strong and where you need to learn.”

Resilience

While many people think of organizational resilience as simply being how quickly an organization can recover from an incident, Microsoft Chief Security Officer Mike Howard views resilience as being multi-layered, measuring the preparedness of people and departments within a company.

In fact, Howard used the attack against a Microsoft office in Greece last year by an anarchist group as a barometer for organizational resilience in his company. Through the use of integrated technology solutions and communication protocols, Howard said Microsoft was quickly able to setup an incident command center to assess and respond to the attack. Shortly after the incident, Howard said the company had “boots on the ground” to examine why it happened and has since learned more about the group responsible. The company has subsequently further hardened facilities in areas where they are active.

“We were grateful that no one was hurt and it was gratifying to know our business partners were very complimentary of what security did in this case,” Howard said.

One of the keys to increasing organizational resilience, according to Howard, is having strategic relationships. Howard said having these relationships enables security leaders to “influence without authority.” He also emphasized the need to move away from operating security departments within a silo.

“We tend to want to just keep among ourselves. We do that to our own detriment,” he explained.

Howard also cautioned security executives in the audience not to be overconfident in their knowledge, saying that they have to keep learning and evolving.

“We don’t have all of the answers. We’re here because we want to learn from the best,” Howard said of the summit.

Metrics

With budgets being what they are, security executives are increasingly being asked to prove their value to the organization. Despite the blank check many corporate security departments received in the aftermath of 9/11, times have changed for the CSO that wants funding for the implementation of new system or service.

Of course, one of the ways security managers most often prove their worth to a company is through the use of metrics. However, this is easier said than done. Security metrics are different for every organization, according to David Komendat, CSO for aircraft manufacturer and defense contractor Boeing.

“What we went through and what you go through are different,” he told the audience.

Komendat is responsible for the safety and security of 176,000 employees who work in all 50 states, as well as 70 different countries around the world. Boeing is the largest U.S. exporter and the country’s second largest defense contractor.

As he began to delve into security metrics, Komendat said he realized that he wasn’t being a good “marketer” for his department and that he had to think differently about how he did things.

“We were a necessary evil,” Komendat said of his security department. “They knew they needed us, but didn’t know why.”

Essentially, Komendat said he had to tailor the metrics he created around  four primary risks his senior managers were interested in, which include financial, operational, compliance and strategic.

The more he talked with his colleagues, Komendat said he realized that he was wrong in being hesitant to tell his story to the C-suite and that he needed to communicate how the company was spending a quarter of billion dollars annually on the department.

Most of the metrics Komendat started with centered around several key areas in his department including threat management, government security, uniformed security and a uniformed fire division. One of the questions Komendat said he often receives is why does the company have a fire department.

One metric Komendat developed to show the importance of having an in-house fire department centered on response time to incidents of cardiac arrests. The average Boeing response time to a reported heart attack was three minutes, while the average response time of the local municipality was between six and nine minutes. In addition, the Boeing cardiac arrest save rate was found to be 89 percent, while the average King County, Wash. save rate was 46 percent.

While saving lives in and of itself is important, Komendat said that this also saves the company’s investment in an employee who it has taken the time to train. He said it’s also important for the morale of co-workers.

“The only way I’ve been successful in having a dialogue with senior leadership in our company is through metrics,” he said. “If you’re not telling your story, you’re not being an effective leader.”

 

 

Loading