Earlier this year, the U.S. Intelligence Community’s annual threat assessment described “a complex and pivotal international security environment” dominated by geopolitical competition, climate change, disruptive emerging technologies, and increasingly powerful non-state actors.
This environment drives significant corporate risk, especially to businesses in critical infrastructure sectors. We see this manifest in headlines about Chinese hacking into corporate networks, ransomware shutting down major pipelines, and violent extremist attack planning against the electrical grid. What makes this security environment particularly challenging for businesses is the speed with which a corporate security incident can become a national security issue. Consequences can be severe: disruption of critical services, financial losses, reputational damage, and increased regulatory scrutiny.
Many businesses are not well positioned to mitigate these risks because traditional security programs are insufficient in addressing today's complex security issues. By “traditional,” we mean corporate security programs that focus only on the “three G’s” – guns, gates, and guards – and cybersecurity programs that focus only on IT. These programs allocate insufficient time and resources to strategic analysis and planning, cross-enterprise coordination, and engagement with policymakers, regulators, the public, and the media. As a result, they’re always reacting, caught in a never-ending cycle of being behind the curve, and doing a disservice to their executive leadership, board of directors, shareholders, and customers.
The Anatomy of an Innovative Security Program
The solution is to reconceptualize how we think about corporate security programs. We must move from a world where corporate security is a reactive, compliance-driven, stove-piped “department of no” to one where the security function leads the way in forecasting and mitigating strategic risks. Security programs must become intelligence-led, management-focused, and holistic.
Intelligence-led. Security programs must have some intelligence capability to be successful. In addition to adopting an intelligence subscription or platform (there are now many options on the market), businesses must build processes for determining what information is valuable, gathering it, analyzing it, and communicating it to support decision-makers. The gold standard for this is the intelligence cycle, which is used widely in the U.S. government, and should be tailored to your organization. An intelligence process enables the business to identify and mitigate threats, both proximate and over-the-horizon before they result in a material impact to the organization.
Management-focused. Security programs must be driven by management priorities and business objectives. Many security leaders get dragged into the weeds of day-to-day security challenges. They find themselves living in the world of access controls, video surveillance, network architectures, and vulnerability management - often dealing with routine, low-level incidents. Then, when the CEO needs a trusted advisor on issues of strategic importance, security has little to say. Security leaders must build programs that align with the mission, vision, core values, and risk appetite of the broader organization and allocate the majority of their time as a senior security executive to strategic partnership, strategy development, business enablement, and organizational preparedness.
Holistic. Security programs need to tear down stovepipes and become holistic. Major security incidents can impact every part of the business. To be successful, security executives must identify and align with key stakeholders across the organization, working with them to assess threats, advise on mitigation, and think through scenarios for crisis management. Not only does this strengthen the resilience of the business, but if done tactfully and in partnership, it also enhances security’s reputation with counterpart offices.
How to Enhance Your Program
It can be overwhelming to consider a significant overhaul of how your security program works. But there is a clear path to getting there, which can typically be achieved by dedicating some part-time resources or collaborating with an external consultant. We call this the program enhancement cycle.
Step 1: Conduct a strategic risk assessment
The first step to developing a security program that is fit for purpose in the new threat environment is to conduct a strategic risk assessment. A strategic assessment should provide a comprehensive picture of the company’s position in the global threat environment. It should identify threats (both physical and virtual), analyze systemic vulnerabilities, imagine the impacts of potential adverse events, and develop a prioritized list of organization-wide security risks. A proper strategic risk assessment supports strategic planning, resource prioritization, organizational design, executive support, and stakeholder engagement; it forms the foundation of your innovative security program.
Step 2: Develop a strategy
Once your risk assessment is completed, you can turn to strategy development. Strategies must go beyond traditional security activities to consider how various elements of the business come together to mitigate risk. (Note: Take a look at your existing strategy. If it’s better described as an implementation plan for new technologies, it’s not really a strategy!) Strategy development is an inherently creative exercise that serves as an opportunity to imagine new value the security function can provide in an increasingly turbulent world. For a full walkthrough on how to build a strategy, you can check out one of our previous articles here.
Step 3: Stand up a stakeholder working group
Every business should have a cross-enterprise working group that considers strategic security risks and generates recommendations to leadership. Ideally, this should be led by the Chief Security Officer or a similar leader, and include representatives from communications, finance, government relations, human resources, legal counsel, risk management, and others as appropriate. This working group is the incubator for proactive decision-making, a driver for collaboration, a clearinghouse for external engagement with the government and the press, and a clear example of security leadership to the C-suite.
Step 4: Monitor and evaluate
Once these building blocks are in place, the security program should be continuously monitored and evaluated. This involves day-to-day review of security risks, implementation of the strategy, and continuous stakeholder engagement. It can be beneficial to maintain a single tracking mechanism (e.g., a set of slides or an Excel document) that can be reviewed weekly to assess the effectiveness of the security program. This monitoring and evaluation process also forms the basis of ongoing reporting to upper management, including on threats that should keep them up at night, and should signal when it would be beneficial to conduct additional risk assessments and strategy revisions.
In last year’s National Security Strategy, the Biden administration described the 2020s as the decisive decade for the United States’ position in the global order. Likewise, it is a crucial time for corporate security leaders. They will either rise to meet these fast-moving challenges or lose influence and stature within their organizations.
