Wanted: A New Type of Security Leader

As new blood continues to pour into our industry, would-be CSOs should have the business acumen to propel organizations to the next level of risk management


• Today: This chronological shift in the profile of corporate security and the required skill set of security practitioners coincides with an exponential increase in the sophistication of doing business in a modern global economy, which has resulted in senior management now looking at corporate risk in a more sophisticated way. That sophistication demands the ability to understand and respond to very specific (often divergent) types of threats, while at the same time being able to develop, implement and manage unified risk programs that are seamless across all business units and consistent with organizational culture.

Security practitioners that happen to have business-side experience will find themselves better prepared to thrive in this demanding environment, and those that do not possess a business background will need to bridge the gap in several core areas if they hope to be successful.

 

Dealing with Upper Management

Security has really never been viewed or taught from the P-side of a P&L. It is critical that security leaders not only understand what the organization’s security needs are, but also be able to articulate the value of these security services and programs to an organization’s bottom line, or prove that their programs are cost-neutral. Developing this set of specialized information, resources and expertise is an imperative that has the potential to be game-changing.

For security and business to be a truly unified discipline, there needs to be a common and shared language for defining risk and mitigation, and articulating the success (or failure) points for any given initiative. Thus, it is crucial to create a common risk language between security professionals, and between security executives and senior management. This common language needs to be accessible and inclusive to all units with an organization, including executives, HR, Legal, Finance and Security.

Additionally, today’s security executive needs to be committed to communicating their plans as part of SEC 10K statements and then actively work to achieve that alignment. Private companies that do not need to file 10K statements should also be committed to communicating their perceived risk to their board and implement a unified mitigation strategy. This requirement has all parts of the business ramping up their security efforts. The message here is if you are a security executive who has approached senior management — perhaps unsuccessfully — in the past about a unified approach to enterprise risk management, go back and try again, because the C-Suite is more likely to listen at this point.

 

Matching Security with Company Culture

Today’s security leaders need to attend to their organization’s “state of readiness” for their proposed programs. That is, does senior management view security the same way as the security practitioner? If not, there will likely be misunderstandings that prevent the most successful partnership involving security programs.

The programs need to be attuned with corporate culture as well. The Security Executive Council has done research in this area and has found different categories of corporate cultures that will have an impact on how programs need to be built and communicated. The most popular corporate cultures include:

  • All about the people;
  • Analytical and logical;
  • Utilitarian and focused on getting the work done;
  • Reserved/guarded;
  • Innovative; and
  • Parental in nature.

 

New Blood and Heightened Awareness

With the first group of baby-boomers having reached retirement age in 2011, we stand at the next defining chapter for our industry. While the workforce will contract, the risks to be mitigated will continue to escalate. With escalation comes awareness, which is evident by the fact that the business trade magazines are writing about it, there are full industry events around it, and laws have been passed. However, while there is much coverage of risk in business, it is usually from the views of specific business functions without a focus on how to make a unified, organizational vision of risk management happen.

This heightened state of awareness and attention to board-level risk can certainly lead to positive things, assuming the right people are in place leading the effort. We as industry practitioners must take an active part in providing current and emerging business leaders with tested and validated security knowledge best-practices presented in a business management context. We must also seek to partner with other entities and industries, including higher education, to develop highly specialized and comprehensive security/business curriculum.