The CSO role as many imagined it five years ago would pull all corporate security functions—including safety, asset protection, physical security, information security, business continuity and risk management—together under the purview of a single corporate security executive whose office would be one door down from the CEO's.
For some organizations, that is exactly what the role became. For many, other executive-level positions evolved, ones housed in the IT or facilities departments, with C-level authority and a one-off reporting structure. And for many more, the security director is still the security director, and the organization feels no real need to change that. Converged systems at one level or another have become much more prevalent, but truly converged houses are still hard to find outside the Fortune 500.
It would be folly to suggest that all companies without CSOs are missing the mark. After all, if there were only one way to effectively secure any facility, your professional lives would be much less complicated and I would be out of a job. But convergence in technology and management—whether it's accomplished under a CSO, a CISO and security director, a CSO and CIO, or some other structure—can advance security and improve the business. The secret is to think like a CSO, even if the CSO title and structure aren't in your organization's plans.
What Is the CSO Mindset?
When it comes down to it, a CSO is a business executive. All a CSO's decisions are made with the interests and needs of the business in mind. L.E. Mattice, one of our Top 10 Movers & Shakers in security this year (see page 20), is vice president and CSO of Boston Scientific, a global manufacturer and marketer of medical devices. He has learned the importance of a clear view of business needs from years of experience in both public and private security.
“We focus on what's important to the business,” Mattice said of security at Boston Scientific. “This is the fourth corporation I've been head of security in, and one of the advantages I have, having worked in the electronics industry, the defense intelligence business, and the consumer products business before I got here is that I understand that companies are different, their needs are different based on the kinds of businesses they're in and where they are around the world, and that's given me the ability to focus on a program that understands what the business needs are and that's driven by the need of the business and the risk that the business faces. And then (the program) mitigates things based on a sliding scale relative to where things fall in the continuum of criticality to the business itself.”
A CSO has to know the business to set reasonable protection priorities, just as he or she has to know and understand the concepts of strategic planning, total quality management, and root cause analysis, Mattice continued. “You can't mitigate everything. You have to be able to take a certain amount of risk based on probability analysis and the criticality of what you're dealing with for the company.
“I told them when I came here as a consultant (prior to being hired as CSO), ‘I could give you a 100% guarantee of a security program that you never have to worry about and that will counter every risk that you may ever face, but I'll put you out of business doing it.' So you have to build a program that is affordable, that is based on dealing with risk in a sensible manner.”
Being in centralized control of the entire security function helps this mindset of sensible risk management and business focus play itself out in policy and function. A CSO who has boardroom and CEO access is more likely to be clear on evolving business needs than a security director who isn't in executive-level meetings. A CSO also has more control over how the converged security function is executed because all parties must report to him or her. However, there is a lot a non-CSO can do to behave like a CSO, even with these perceived structural handicaps.
Having the Spirit of a Chief
For one thing, it's not just the CSO who needs to be worried about the needs and the mission of the business. No one—CSO or not—can set security and risk priorities without understanding the business first. Radford Jones, academic specialist at the School of Criminal Justice at Michigan State University and previous manager of security and fire operations for Ford Motor Company, knows this well. He's consulted with states and organizations on security planning and management, and, he said, “When I sit down with people, one of the first things I ask is, ‘What is the mission and objective of your company? What is the business strategy?' Sometimes I get these fuzzy looks, and I ask, ‘Have you read the last stockholders report? How about going on the Web site and learning a little about what your company is about?'”
These aren't things only a central executive can do. In fact, Jones doesn't even believe in the necessity of a CSO position. “You've created another level, but because of what? You've created a referee out there?” Jones also remarked that if he were a security director at a company that appointed a new CSO, “I'd be looking in and saying, ‘Where have I failed? If they're bringing in a person to resolve these issues, maybe I've failed in creating strong partnerships with other stakeholders.'”
That brings us to another important factor in thinking like a CSO. A CSO has the advantage of authority over the entire security function, which means he or she always knows what's going on in both the information and physical security departments and recognizes opportunities and needs for collaboration. But a non-CSO also needs to keep tabs on the other side of security, physical or IT. It's imperative to know who the stakeholders are in the company and to know what they're up to, so security can react to new plans and find ways to collaborate to better the business.
Dan Lohrmann, CISO and director of the Office of Enterprise Security for the state of Michigan, works closely with his physical security counterpart in order to ensure that both are on the same page and are recognizing opportunities to enhance overall security. “We get together formally within our emergency management program, and we also get together for lunch and have a personal relationship, because, by the nature of our two departments and our roles, it's especially important that we work together.”
If you as a security director are not yet talking regularly with other stakeholders in your organization, now's the time to start. Jones recommends being flexible and open-minded during these meetings, and listening carefully to what your counterparts in other departments have to say. When you do this, “you start to learn what the common denominators are, what the differences are so that those differences can be worked out between you, so that the bottom line, which is the safety and security and protection of assets of the corporation, is accomplished,” said Jones.
Time to Get Started
If you don't feel business minded, a good way to start thinking like a CSO is to get some business and leadership training. Mattice himself has attended business schools and executive leadership programs, including programs with the Center for Creative Leadership, which is online at www.ccl.org. Many security professionals have been taking this route, going back to school for MBAs or single, specialized courses.
These aren't options for everyone, and for those unable to go this route, Jones has his own suggestion.
“There are a number of books written on effective meetings and all that, but I think one of the best ways to learn it is to just jump into it. Take time to list who your partners may be within and outside of the corporation and spend some time getting to know them and listening to where they are. The hardest part is picking up the phone.”
Marleah Blades is managing editor of Security Technology & Design. She may be reached at firstname.lastname@example.org.