Ronald Worman is the founder and managing director of The Sage Group.
Security practitioners often find themselves in a Catch-22 situation as they try to handle current threats while simultaneously trying to prepare for the future of the business and their department.
I recently had the opportunity to survey a number of security executives about their programs as well as the challenges they are facing over the next 12 to 24 months.
The challenges were the same ones we have been tracking over the last two years:
- Static or declining budgets
- Lack of program standardization due to lack of control
- No common operating picture due to lack of technology standards and budget
- Lack of strategic value articulation at the top levels of the organization
As you can see, they all reinforce each other. Without value articulation, budgets can be difficult. Without a common operating picture that captures information at its source and aggregates it so that analytics can be deployed over time, metrics are difficult. Without metrics, meaningful and comprehensive value cannot be quantified. Program standardization helps reinforce budget optimization and fiscal discipline, not to mention data capture and aggregation.
So, why are we not making progress? Over the years I have seen executives make progress in a fractured and political environment. But it usually occurs when a leader emerges who consciously proceeds through a deliberate change management process. That leader can come from inside or outside the organization. But they must follow the process to be successful.
Interestingly, my survey seemed to point at the need for an outsider (consultant or vendor) to play this role. However, there are not many consultants or vendors who have the trust and knowledge to cross the departmental aisles needed to create and sustain strategic change initiatives.
What level of trust and knowledge is needed?
Trust is earned through transparency and process. In this case, the consultant would have a methodology, would have enough trust equity with security to reinforce the need to speak privately with disparate functional interests, could easily articulate why the survey would advance the organizational goals, not just the security goals, and, finally, would be savvy enough to be able to quantify and justify the return on investment (time, people, and money) it would take to assess, plan and perform sustained organizational change. And they would have to do this in the climate of the tyranny of whatever is urgent, because most executives are stuck in the doing and have little time for anything resembling long-term strategic planning.
I had one executive tell me he was hoping to shed that weight, but there was no one to give it to in the framework of his budget. So, it becomes a Catch-22. The keys to standardization, optimization, information management, and metrics are locked inside the proverbial organizational vehicle. They are all possible and affordable but lack a catalyst, internal or external, to the security organization.
We are beginning to see senior executives from operations and IT take an interest when organizational goals and their functions intersect with some element of physical security.
But what intrigues me is how change happens successfully over time. I am interested in the "self-correcting" change culture and how to develop it so we very rarely lock our keys in the car, wasting the opportunity to save money, resources, and time-to-value that really makes an organization competitive.
I believe there is a process that can be applied by a trusted and knowledgeable agent, which I hope to share with you in next month’s column.