The concept of a corporate security function being a profit center has been discussed for years. Convincing decision-makers of this idea has been difficult. The reason is that in most cases Security really isn’t a profit center that generates new revenue and profit for an organization (sorry, I don’t believe department chargebacks are profit – it’s just moving money from one corporate bucket to the next). Additionally, generating revenue is different than realizing a profit. Throwing these terms around the room with business leaders and not knowing these distinctions only shows that security is not in tune with how a business operates.
I have seen very few situations over my 40 years in the security industry where a corporate security function was truly a sustainable profit center for their organization. My view of security not being a profit center may offend some readers. And yet, the security function can certainly contribute value and be worth investment.
It enables the company to realize profits by 1) equipping business units to embrace more risk while entering new markets, or by 2) enabling them to be more durable and resilient in the face of threats and challenges. Security accomplishes this by helping company leadership properly identify, assess, and understand risks, and then designing and implementing programs to mitigate them. The absence of security mitigation creates perceived and real risks to an organization.
If security is not a profit center but still has value, how do you position corporate security to be that business enabler? How do you create and show that value? I would need far more print space to provide detailed answers to those questions. However, I believe you can start by mastering three key areas – Know your business; know your risks; and know your fit.
Know Your Business
I believe this to be the first and most important aspect for any functional leader in an organization. What are the most valuable assets of your business? Which divisions or units create the most revenue? Who are the key people and rising stars within your company?
It is difficult to have a security strategy or plan that will align with the business without understanding the business or the direction it is heading. I created an “advocate and adversary” executive organizational chart as part of my influence strategy. This was not a visual that I shared with anyone else for obvious reasons, but it showed me the choke points where influence was being held up or stalled. It’s critical to know who advocates and believes in you at the executive level just as much as who is ambivalent or negative towards you or the security function. You can create and implement influence strategies that target this group including engaging their peers who are your advocates in influencing them in the right direction.
Is your company acquiring another company? If so, are there assets or individuals that come with the acquisition? The same is true with divestiture. You may be asked to surrender headcount if part of your company is sold to another company. Do you have a contingency plan in place to function at 80%, 70%, or 50% of your current budget? If so, what services would you no longer be able to offer with the reduction? These are all considerations as part of knowing your business and organization. I spend a significant amount of my time working with heads of security to work through these types of scenarios. Those with a plan that has a grasp of their business and the interaction with corporate security tend to come out winners while those unprepared are left to chance.
Some companies allow members of management to temporarily work in field operations or direct customer interaction as part of their onboarding and orientation. I personally had the opportunity to work for one week at a Grainger branch store and warehouse shortly after assuming the Director of Safety and Security role there. The same opportunity was provided when I became a Director of Security at PayPal and shadowed our customer service representatives who deal directly with customer questions, issues, and complaints. These are invaluable opportunities to learn the business and observe how security interacts with these front-line positions.
Does your company value peer comparative data and benchmarking as part of program validation? At one employer, my first weekly senior staff meeting led by our company’s CFO began with five minutes of reviewing key metrics from our competitors and peers. I’m not sure where you are from but in my world, that’s called a clue. Benchmarking and metrics were a high core value so one of my first tasks was to develop and present value metrics at my own staff meetings and when briefing executives.
Some corporate cultures don’t emphasize board-level risks or peer benchmarking. As my old boss and mentor Bob Hayes, a former CSO and currently the founder and managing director of the Security Executive Council, once advised me, “What will get you promoted at one company will get you fired at another.” Take time to study how successful leaders in your company report their results, process data, and come to conclusions. I have worked in and consulted with companies that require consensus in decision making while others encourage quick individual decisive actions in the spirit of “getting it wrong quickly.” These are all parts of knowing your business culture and what will work or not work.
Know Your Risks
A critical aspect for any security executive is aligning their efforts with board-level risks. The genesis of board-level or “10k” risks was the result of Sarbanes-Oxley (SOX) and the requirements of publicly traded companies reporting their risks as part of their annual government filings. The term 10k risk is derived from the information reported on publicly traded companies' annual 10k report to the Securities and Exchange Commission. The risks are typically separated into strategic, financial, legal/compliance, and operational risks. Most risk factors that involve Security are typically found in the operational risks category. However, a close review of all risk factors should be conducted to see where the security function has direct involvement. The chart below depicts a simple analysis of a mid-cap pharmaceutical company. It’s easy to make a direct connection between the 10k risks and security’s responsibilities.
The Security Executive Council (www.securityexecutivecouncil.com) conducted groundbreaking research in this area soon after SOX was enacted and continues to provide security executives with the strategies and plans to align these board-level risks with the corporate security function.
Those employed by private corporations may have more of a challenge in finding their board-level risks. Annual reports provide key information and discussions with top executives will inform of these risks. Most likely some of the same operational risks found in similar publicly traded corporations will exist in a private corporation.
Know Your Fit
In my mind, this is the one area that is most challenging. Most people are promoted into roles or hired to affect change. Ambition and patience sometimes collide in these scenarios. There is a balance of learning the culture and processes. If you wait too long to make a change, it can create turmoil with the assumption that the status quo was accepted upon arrival. And yet, immediate changes are not the right answer as noted later in the article. Additionally, making changes within the organizational boundaries you are given is expected. I have worked with several security executives that spend more time trying to distance themselves from their functional leadership feeling like it’s not the right fit rather than being innovative in making the situation work within the current structure.
For example, my first corporate job was reporting to facilities (and it wasn’t the last time in my career that I reported to that function). It wasn’t ideal because my scope of responsibility was beyond my own boss’s scope. I could have spent effort campaigning against the reporting relationship. I was a one-man army at the time so was busy learning the business and putting out fires at the same time. I finally accepted the situation and looked for ways to innovate within the current structure.
As I looked around the organization, I saw that the safety function had lots of people and was embedded in every area where I needed to impact. I proposed a partnership to the functional leader of that organization in which I would support his group on security-related issues – a dotted line report. I found a way to create a win for everyone. I didn’t usurp my Facilities boss and still had a solid line reporting relationship with him.
The safety team was excited to be able to add security as another area where they could service our manufacturing plants, distribution centers, and sales offices. I certainly could have tried to do it myself by spending time trying to hire a bunch of people. However, that was not the answer as I will address at the end of the article. Besides, it would have taken a couple of years to get traction with that service delivery model. Instead, I resisted the temptation of empire building and the perception of a large and powerful corporate security organization.
Security was instead embedded as part of the overall operational risk in the Safety organization. In the end, the model was successful and was the “right fit” for this corporation.
Unless there’s a specific mandate given, delay any immediate hires or terminations upon arrival. It will take some time to figure things out and contracted supplemental staff can be used to meet immediate demands. If the outgoing security executive is leaving on good terms (e.g., voluntary retirement) then consider hiring them back for 6-12 months as a consultant. It’s valuable having this person available for one full year business cycle (i.e., budgets, seasonal business cycle, etc.). You won’t have gathered all the answers you need from the interview process.
Respect legacy staff and don’t be hasty in making immediate moves. In one company, a key direct report had the position before me, and I essentially replaced him. The easy move would have been to remove him from the organization thinking he would be a liability, but he ended up being a close and trusted ally. It was as simple as someone in Management not wanting this person as the senior security executive but no reflection on the value they brought to the organization.
Resist the age-old mentality of “doing more with less.” This is a classic temptation where a security executive is presented with either a reduction in staff or resources with the same responsibilities or an increase in their scope of responsibilities with no additional resources added. The knee-jerk reaction is “well, I guess we will just have to do more with less.”
I challenge you to find a more fraternal and helpful group of people than those professionals in law enforcement and the security industry. Unfortunately, this approach is not a sustainable service delivery model. Other corporate functions will draw the line in the sand and either reduce services when a reduction occurs or refuse to move forward with additional responsibilities without resources.
I learned the hard way early in my career when I just tried working harder and overburdening my staff with no resource allocation provided as my responsibilities were rapidly increasing - I had totally bought into doing more with less. One executive drew the conclusion that I must have been previously overstaffed or underperforming since I was now “operating effectively” with increased responsibilities but no increased resources.
Always, and I mean always, have a budget defense strategy to operate your department at 80%, 60%, and even 50% of your current situation. Know what services would be eliminated and the potential consequences of those reductions. At the end of the day, you don’t own the risk – the business leaders own the security risk in your organization. I have been in a situation where the entire security function was eliminated within a large cap company. The executives were willing to assume the risks even though the potential consequences were clearly presented.
The security function may not be a profit center, but it is an important part of every organization. The security leader can demonstrate their value by first mastering the concepts of knowing their business, knowing their risks, and knowing their fit in the organization.