As the recognition of board-level risk continues to grow across the enterprise, so too does the need for highly trained business executives with security expertise. Today’s all-hazards corporate risk environment will tolerate nothing less than security executives that are as smart, prepared, vigilant and progressive as the ever-present risk they will attempt to mitigate.
Security executives must be versed in enterprise risk mitigation and ensure that the organizational risks outlined in their 10K statements are aligned with a unified risk mitigation program. Because so many parts of a business are affected by these modern requirements, corporate security is no longer purely a threat detection and mitigation problem; it is a systemic, corporate-culture issue that needs to be implemented, staffed and managed accordingly.
But is the industry doing all it can to ensure we are creating business people that know security? An honest assessment reveals that while the industry has done a lot to prepare “the boots on the ground” to manage and mitigate the security risks for the individual lines of business, the convergence and elevation of corporate security to board-level risk has created the need for a new type of security business executive. At the same time, it has created a gap in the information and resources available to properly train and prepare this new breed of business executive in the complexities of business-based corporate security.
How Corporate Security Executives have Evolved
The evolution of corporate security to its place as a board-level consideration has had a somewhat segmented and utilitarian trajectory over the past 60 years, with each decade being marked by an emphasis on a different aspect or approach.
• 1960s: The security industry’s nascent period in the years following WWII through the 1960s was heavily defined by the influx of GIs returning from overseas. These ranks proved a plentiful and capable workforce for prevention, detection and response.
• 1970s: The security industry in the 1970s was heavily influenced by the cultural shifts that were taking place in the country. Societal problems were being brought into organizations, which created a need for more internal investigations and prosecution.
• 1980s and 1990s: By the late 80s and early 90s, organizations became very interested in corporate culture and were eager to appear on the numerous “100 Best Places” lists that were coming into vogue. Organizations began vying for the best security talent and were no longer interested in simply hiring “police officers” to run their security programs. Senior management began looking for professionals who embodied and could promote the corporate culture.
• 1990s and 2000s: By the late 90s and 2000s, technology became integrated into and integral to all parts of the business, and the security focus began to shift to areas such as network penetration, application security and platform security.
As the security industry passed through each phase, senior management looked at security in a singular manner, often defined by the most recent security situation they had to deal with. If an organization had a loss of life on an international business trip, it became the focus; if there was a recent fraud or internal theft, it became the new focus.
Each time the internal security focus shifted in response to one of these incidents, senior management felt it had to go outside the organization to acquire talent with the newly required skill set, instead of realizing it already had that talent internally. As a consequence, security professionals also began to view their profession through silos, and as one set of requirements gave way to another, they found themselves defending their existing skill set rather than acquiring new ones.
• Today: This chronological shift in the profile of corporate security and the required skill set of security practitioners coincides with an exponential increase in the sophistication of doing business in a modern global economy, which has resulted in senior management now looking at corporate risk in a more sophisticated way. That sophistication demands the ability to understand and respond to very specific (often divergent) types of threats, while at the same time being able to develop, implement and manage unified risk programs that are seamless across all business units and consistent with organizational culture.
Security practitioners that happen to have business-side experience will find themselves better prepared to thrive in this demanding environment, and those that do not possess a business background will need to bridge the gap in several core areas if they hope to be successful.
Dealing with Upper Management
Security has really never been viewed or taught from the P-side of a P&L. It is critical that security leaders not only understand what the organization’s security needs are, but also be able to articulate the value of these security services and programs to an organization’s bottom line, or prove that their programs are cost-neutral. Developing this set of specialized information, resources and expertise is an imperative that has the potential to be game-changing.
For security and business to be a truly unified discipline, there needs to be a common and shared language for defining risk and mitigation and for articulating the success (or failure) points of any given initiative. Thus, it is crucial to create a common risk language among security professionals, and between security executives and senior management. This common language needs to be accessible and inclusive to all units within an organization, including executives, HR, Legal, Finance and Security.
Additionally, today’s security executive needs to be committed to communicating their plans as part of SEC 10K statements and then actively work to achieve that alignment. Private companies that do not need to file 10K statements should likewise be committed to communicating their perceived risk to their board and implementing a unified mitigation strategy. This requirement has all parts of the business ramping up their security efforts. The message here is: if you are a security executive who has approached senior management — perhaps unsuccessfully — in the past about a unified approach to enterprise risk management, go back and try again, because the C-Suite is more likely to listen at this point.
Matching Security with Company Culture
Today’s security leaders need to attend to their organization’s “state of readiness” for their proposed programs. That is, does senior management view security the same way as the security practitioner? If not, there will likely be misunderstandings that prevent the most successful partnership involving security programs.
The programs need to be attuned with corporate culture as well. The Security Executive Council has done research in this area and has found different categories of corporate cultures that will have an impact on how programs need to be built and communicated. The most popular corporate cultures include:
- All about the people;
- Analytical and logical;
- Utilitarian and focused on getting the work done;
- Innovative; and
- Parental in nature.
New Blood and Heightened Awareness
With the first group of baby-boomers having reached retirement age in 2011, we stand at the next defining chapter for our industry. While the workforce will contract, the risks to be mitigated will continue to escalate. With escalation comes awareness, as is evident from the fact that the business trade magazines are writing about it, there are full industry events around it, and laws have been passed. However, while there is much coverage of risk in business, it is usually from the view of specific business functions, without a focus on how to make a unified, organizational vision of risk management happen.
This heightened state of awareness and attention to board-level risk can certainly lead to positive things, assuming the right people are in place leading the effort. We as industry practitioners must take an active part in providing current and emerging business leaders with tested and validated security best practices presented in a business management context. We must also seek to partner with other entities and industries, including higher education, to develop highly specialized and comprehensive security/business curricula.
Six Best Practices of Today’s Security Leader
Our research shows the most successful education is rooted in risk theory and business processes, focused on application and value contribution, to arm security managers and other risk mitigation managers with the business leadership acumen necessary to propel them and their organizations to the next level of strategic performance. These best practices fall into six core areas:
1. Align board-level risk and mitigation strategies: Managing brand reputation requires cross-functional risk mitigation oversight for people, assets and critical processes, including board-level risk and unified protection business-unit considerations for relevant assessment and mitigation strategies.
2. Communicate all-hazards risk, mitigation and performance metrics: Boards, management teams and stakeholders increasingly make critical decisions based on a host of divergent data, spreadsheets, graphs and analysis. Effective, actionable risk management requires discipline. Understanding data to identify risks and tell a compelling story of injury, loss, damage and cost avoidance is the objective.
3. Run security as a business: Practitioners must remember they are “selling” their services and programs. They need to know the marketplace, the customers, program capacity and value. Our research shows there is no single common type or even universal “best” security model — you have to do the business research to make the best decisions.
4. Influence community preparedness and resilience: Catastrophic, man-made and natural risks have made incident, crisis and continuity management increasingly important. Practitioners need to be aware of the latest global requirements for preparedness compliance, as well as the means to protect the brand with alliances.
5. Add incremental value with mission assurance and P&L performance: Board-level risk mitigation is no longer just consequence protection. Business acumen quantitatively and qualitatively enables a path to value. Practitioners should be versed in connecting revenue influence and cost avoidance to return-on-investment and operating results.
6. Manage information protection, breaches and situational intelligence: Brand stakeholders require confidence. Information ranging from intellectual property assets to personal identifiers must be protected from persistent physical and cyber threats. Practitioners need to road-map protection architecture and manage information crises.
Additional areas identified include managing extreme risks; evolving operational excellence; assessing next generation executive(s) and service organization(s); achieving all-hazard preparedness for resilience; compounding value beyond mission; and managing uncertainty for confidence.
Embracing and building corporate security programs around these core areas is critical not only for security executives working today, but also for the emerging leaders of tomorrow. Providing this type of security business education to tomorrow’s leaders before they enter the workforce has huge implications for our industry’s ability to continue to respond to, and remain current with, corporate risk.
And it will be up to the next generation of security leaders to seize upon the opportunities facing them, the industry and the organizations they work for. Unified risk oversight is no longer just a practitioner concern or a senior management concern; it is an enterprise-wide concept impacting all levels and units within an organization. There is no longer a single point of failure — there are lots of players and moving parts.
Who will lead the effort? It will take a new type of security leader.
Bob Hayes is Managing Director of the Security Executive Council (SEC); Kathleen Kotwica, PhD, is EVP and Chief Knowledge Strategist; and Francis D’Addario is the former CSO of Starbucks Coffee and Emeritus Faculty. The SEC (www.securityexecutivecouncil.com) is a problem-solving research and services organization focused on helping businesses build value while improving their ability to effectively manage and mitigate risk.