Wanted: A New Type of Security Leader

As new blood continues to pour into our industry, would-be CSOs should have the business acumen to propel organizations to the next level of risk management


Six Best Practices of Today’s Security Leader

Our research shows the most successful education is rooted in risk theory and business processes, focused on application and value contribution, to arm security managers and other risk mitigation managers with the business leadership acumen necessary to propel them and their organizations to the next level of strategic performance. These best practices fall into six core areas:

1. Align board-level risk and mitigation strategies: Managing brand reputation requires cross-functional risk mitigation oversight for people, assets and critical processes, including board-level risk and unified protection business-unit considerations for relevant assessment and mitigation strategies.

2. Communicate all-hazards risk, mitigation and performance metrics: Boards, management teams and stakeholders increasingly make critical decisions based on a host of divergent data, spreadsheets, graphs and analysis. Effective, actionable risk management requires discipline. Understanding data to identify risks and tell a compelling story of injury, loss, damage and cost avoidance is the objective.

3. Run security as a business: Practitioners must remember they are “selling” their services and programs. They need to know the marketplace, the customers, program capacity and value. Our research shows there is no single common type or even universal “best” security model — you have to do the business research to make the best decisions.

4. Influence community preparedness and resilience: Catastrophic, man-made and natural risks have made incident, crisis and continuity management increasingly important. Practitioners need to be aware of the latest global requirements for preparedness compliance, as well as the means to protect the brand with alliances.

5. Add incremental value with mission assurance and P&L performance: Board-level risk mitigation is no longer just consequence protection. Business acumen quantitatively and qualitatively enables a path to value. Practitioners should be versed in connecting revenue influence and cost avoidance to return on investment and operating results.

6. Manage information protection, breaches and situational intelligence: Brand stakeholders require confidence. Information ranging from intellectual property assets to personal identifiers must be protected from persistent physical and cyber threats. Practitioners need to road-map protection architecture and manage information crises.

Additional areas identified include managing extreme risks; evolving operational excellence; assessing next generation executive(s) and service organization(s); achieving all-hazard preparedness for resilience; compounding value beyond mission; and managing uncertainty for confidence.

Embracing and building corporate security programs around these core areas is critical not only for security executives working today, but also for the emerging leaders of tomorrow. Providing this type of security business education to tomorrow’s leaders before they hit the workforce has huge implications for our industry’s ability to continue to respond and remain current with corporate risk.

And it will be up to the next generation of security leaders to seize upon the opportunities facing them, the industry and the organizations they work for. Unified risk oversight is no longer just a practitioner concern or a senior management concern; it is an enterprise-wide concept impacting all levels and units within an organization. There is no longer a single point of failure — there are lots of players and moving parts.

Who will lead the effort? It will take a new type of security leader.


Bob Hayes is Managing Director of the Security Executive Council (SEC); Kathleen Kotwica, PhD, is EVP and Chief Knowledge Strategist; and Francis D’Addario is the former CSO of Starbucks Coffee and Emeritus Faculty. The SEC (www.securityexecutivecouncil.com) is a problem-solving research and services organization focused on helping businesses build value while improving their ability to effectively manage and mitigate risk.