Security executives take varied paths to a relationship with the C Suite

Sept. 9, 2022
Just as biometrics shouldn’t be forced onto access control and convergence of physical and cyber isn’t for every organization, senior security executives do not necessarily need to occupy the C suite to gain the same results

Some things in security seem perpetually just out of reach of becoming commonplace: biometrics replacing cards for access control, cyber and physical security departments converging, and the senior security executive/chief security officer reporting to the CEO, for example.

The latter seems particularly elusive. While the data vary by study, even when a senior security executive wears a CSO title, a direct reporting relationship to the CEO remains a rarity.

Current and former CSOs interviewed for this story provided advice on how they could integrate their department into the business structure of the organization and earn a place in the C suite. While virtually all security executives believe that security should be integrated into and aligned with the business, a disagreement arose on whether a CSO is best placed in the C suite.

This article discusses factors to consider before trying to elevate security to the top ranks. It then examines the benefits and drawbacks of a direct reporting line to the CEO. Finally, for cases in which the fit is right, the article explores methods of positioning the CSO for such a move.

Should Security Report to the CEO?

Experts are divided on whether it benefits the security department to connect directly to the top. For example, it works well when security is “front and center” in an organization, says Keith White, chief of safety and security at Salesforce.com and former CSO at Gap Inc. That would include companies whose central mission is security, such as guarding services and access control manufacturers, or those in which security is entwined in the corporate mission, such as defense contractors.

But some CSOs worry that a C suite role will enmesh them in corporate politics and turf wars, making it difficult for them to function as a dispassionate advocate and broker. Timothy Williams, formerly CSO of Caterpillar and Nortel, adds that the CSO “may expose the CEO to unnecessary legal proceedings given the nature of the work and the issues typically managed by the CSO.” In his experience, the Chief Legal Officer is often the preferred reporting relationship for the senior security executive, especially in a large company.

“The Balance Sheet”

A solid line to the CEO does not necessarily lead to Shangri-La, however. That reporting relationship comes with a list of consequences that fall on both sides of the ledger.

The Pros

Roy Lemons, the CSO at International Paper and one of the architects of ASIS’s 2022 revision of the Senior Security Standard (formerly the CSO Standard), says reporting to the CEO is an overall positive because “strategically you need a seat at the table to understand what’s important to the people at the table.” It’s difficult to achieve that level of access by osmosis or via others. Members of the C suite are security’s constituents, Lemons says, and CSOs require direct access.

R.C. Miles, global director of safety and security at the AIDS Healthcare Foundation, agrees. The seat at the table offers the security executive “the greatest exposure to the strategic direction of the organization so you can influence decisions early in the process.”

For some professionals, reporting at a lower level is a non-starter. “I don’t know that I would do it any other way,” offers Steve Georgas, CSO at Levy, which provides premium food service at sports and entertainment venues. Georgas is one of the rare food services CSOs who report directly to the President and CEO because security was ingrained in the culture before he got there.

The Cons

Williams, who has reported to various C suite denizens during his career, warns that security executives may not be prepared for such a high reporting relationship.

“CSOs often attempt to operate strategically, but have not properly defined the purpose, scope, and process ownership for the security organization in a comprehensive written strategic plan,” Williams says. Doing so is critical, he adds, because while senior executives and the board of directors typically understand other staff and line functions in the enterprise, they may not have as strong a grasp on the scope of security risks and the array of mitigation options. “A good strategic process clarifies these aspects for leadership audiences and establishes process ownership to limit the inevitable turf wars that follow when roles and responsibilities are not otherwise clearly defined.”

The CSOs interviewed for this story agreed that not every security department is mature enough to report to the highest levels of the organization. “Maybe you can’t deliver the value you want to, and you need time to build up,” suggests Lemons. “You don’t want to be called to the carpet because you are still building [your operation].”

In fact, two CSOs explain that they are currently in that exact position. Phil Halpin, head of security at cannabis company Cresco Labs, believes that security departments are well suited to the C suite to articulate risk to risk owners, not business owners, who have their own agendas and may not be seeing the entire picture. Halpin explains that the security operation at Cresco isn’t quite there yet, which is typical in the nascent cannabis industry where security focuses on complying with the specific requirements and expectations of each state community where the business operates. 

“We have not been ready to have those board-level discussions that we need to have about risk appetite and tolerance, but that time has come,” Halpin says. “The goal is to evolve beyond compliance mode; to be data led, be more proactive, and to optimize the services we provide to the organization.” 

How does security accomplish that lofty goal? “We not only have to think about security differently, but we have to restructure the team to enable enhanced business alignment and the delivery of security programs and services in a more strategic, measured and holistic way,” Halpin responds.

A CSO at a regional automotive company finds himself in a similar situation. “The security culture is still developing here,” he says, sharing that he created the company’s first security program when he came on board a year ago. The CSO needs time to inculcate the importance of security and build a business-based value proposition before the department is ready to make the leap to direct reporting to the corporate apex.

Other drawbacks to reporting to the CEO exist as well. “It’s a constant high-wire act,” says Miles. “There are two things you worry about most in the C suite—budget and politics.” They can distract security from its mission. “It’s real Game of Thrones stuff,” he says.

Also, one security executive who held the senior-most roles at several multinational corporations worries that CSOs might not have the educational and professional heft of their colleagues. “You’re sitting with the Chief Legal Officer, COO, Chief Human Resource Officer, CFO, who understand the issues, politics, and personalities, because they have critical thinking skills,” the executive says. “Most CSOs don’t have that level of skill. They are going to get their [butts] kicked.”

Does It Really Matter?

CSOs may be able to get the benefits of a direct line to the top without having to do battle with the likes of the Lannister and Targaryen clans.

Salesforce’s White, for one, touts the advantages of being a hidden power behind the throne. Although he doesn’t report directly to the CEO, White meets with him regularly and has developed a trusting relationship. “It’s a bit of a misnomer to say that if you don’t have a straight-line reporting relationship to the CEO you’re not working directly with him or her, taking direction, or giving advice,” he says. CEOs often want to talk directly to a subject matter expert unfiltered, and anyone in between on the reporting line has to be able to accept that.

That’s another way of describing influence or soft power. “The number one tool the CSO has is influence,” adds International Paper’s Lemons. “If you are a trusted partner”—regardless of whether you report directly to the CEO—“you can influence things that happen in a company,” he says.

Though he reports to the SVP of Operations, who in turn reports to the CEO, the AIDS Healthcare Foundation’s Miles says he has developed that influence. Miles meets with the CEO every week and presents biannually to the board.

“It’s about the relationship more than the position,” he says. But the relationship has to be built over time. What derails many CSOs, he says, is coming in with an attitude of, “‘I’m the CSO, and you have to listen to me.’ No, you have to earn it.”

Roadmap to the C-Suite (or to C-Suite Authority)

Assuming that the CSO has done the groundwork and developed a mature department, how do they access the rarefied heights of the organizational chart, or at least attain the gravitas and respect to influence the CEO? Here are the experts’ keys.

Build relationships. Develop authentic relationships that build trust and influence. Show the people who matter why you and your department matter. That can be tricky, according to Georgas of Levy: CSOs may have to investigate alleged wrongdoing by their colleagues, which puts CSOs in a tough position because their allegiance belongs to the organization, not any particular executive.

Understand the business. Some CSOs say that they’ve learned every facet of the business—from its culture to its policies to its operations to its personalities to its balance sheet—so that they know the organization and how it functions better than the CEO or COO does. They become invaluable to the business and to the ultimate decision-makers. “Know the business cold,” counsels Steve Antoine, PepsiCo’s Vice President of Global Security, who reports to CSO Michael Lee.

Speak their language. The automotive CSO emphasizes the ability to communicate with senior executives on their own terms, rather than via security jargon or security metrics that matter little without context. He creates meaningful metrics for short-, medium-, and long-term goals. Lemons agrees, pointing out that since security constitutes about 1 percent of a business, “We have to speak their language, not the other way around.”

Offer options. Security often has the reputation of being the “Department of No.” Instead, partner with leaders to offer creative problem-solving that acknowledges risk but doesn’t wilt under it. For example, food delivery services often refuse to deliver to places without addresses, such as parks and beaches, for safety reasons. But with the help of security, some services deliver to those destinations. “Security helps deliver profit and becomes a growth driver,” says PepsiCo’s Antoine.

Identify advocates. Both White and Miles stress the criticality of having powerful advocates who will speak on your behalf. As Miles puts it, “You have to identify key stakeholders that your boss trusts and win their trust. You have to engage people that surround the decision-makers in a way that solves their problems, and they will help solve yours.” Though Miles is one level removed from reporting to the CEO, his position rolls up to the SVP of Operations, which Miles says has helped foster his relationship with the CEO.

Your best advocates can come from unexpected places, adds White. In one instance, a powerful executive with whom he had limited contact turned out to be one of security’s biggest supporters, winning the department additional clout and resources.

Just as biometrics shouldn’t be forced onto access control and convergence of physical and cyber isn’t for every organization, senior security executives do not necessarily need to occupy the C suite to gain the same results. While reporting directly to the CEO on the organizational chart comes with clear advantages, CSOs can achieve many of the same goals through influence, business acumen, relationship building and other traits of an effective leader.

About the author: Michael Gips, JD, CPP, CSyP, is the Principal at Global Insights in Professional Security. He was named the #1 Most Influential Person in Security in 2022 in the thought leader category by IFSEC International.