As the recognition of board-level risk continues to grow across the enterprise, so too does the need for highly trained business executives with security expertise. Today’s all-hazards corporate risk environment will tolerate nothing less than security executives that are as smart, prepared, vigilant and progressive as the ever-present risk they will attempt to mitigate.
Security executives must be versed in enterprise risk mitigation and ensure that their perceived organizational risks outlined in their 10K statements are aligned with a unified risk mitigation program. As so many parts of a business are impacted by these modern requirements, corporate security is no longer purely a threat detection and mitigation problem, but it becomes a systemic, corporate culture issue that needs to be implemented, staffed and managed accordingly.
But is the industry doing all it can to ensure we are creating business people that know security? An honest assessment reveals that while the industry has done a lot to prepare “the boots on the ground” to manage and mitigate the security risks for the individual lines of business, the convergence and elevation of corporate security to board-level risk has created the need for a new type of security business executive. At the same time, it has created a gap in the information and resources available to properly train and prepare this new breed of business executive in the complexities of business-based corporate security.
How Corporate Security Executives have Evolved
The evolution of corporate security to its place as a board-level consideration has had a somewhat segmented and utilitarian trajectory over the past 60 years, with each decade being marked by an emphasis on a different aspect or approach.
• 1960s: The security industry’s nascent period in the years following WWII through the 1960s was heavily defined by the influx of GIs returning from overseas. These ranks proved a plentiful and capable workforce for prevention, detection and response.
• 1970s: The security industry in the 1970s was heavily influenced by the cultural shifts that were taking place in the country. Societal problems were being brought into organizations, which created a need for more internal investigations and prosecution.
• 80s and 90s: By the late 80s and early 90s, organizations became very interested in corporate culture and were eager to appear on lists of the numerous “100 Best Places” lists that were coming into vogue. Organizations began vying for the best security talent to bring into a company and were no longer interested in simply hiring “police officers” to run their security programs. Senior management began looking for professionals that embodied and could promote the corporate culture.
• 90s and 2000s: By the late 90s and 2000s, technology started to become integrated and integral to all parts of the business, and the security focus began to shift to things like network penetration, application security and platform security.
As the security industry passed through each phase, senior management looked at security in a singular manner, often defined by the most recent security situation they had to deal with. If an organization had a loss of life on an international business trip, it became the focus; if there was a recent fraud or internal theft, it became the new focus.
As the internal security focus would shift based on one of these incidents, senior management felt they must go outside the organization to acquire talent with this new required skill set, instead of realizing they had it internally. As a consequence, security professionals also began to view their profession through silos, and as one set of requirements gave way to another set, they found themselves defending their skill set, as opposed to acquiring new ones.