What is the definition of corporate security? Until as recently as 20 years ago, corporate security centered squarely on the programs it owned—those for which the security function was directly responsible and accountable regarding operations and budget. Access control and badging, guard services, personnel protection, and travel security generally fell under this umbrella.
Lawsuits, investigations, and special projects would bring Corporate Security out of the bunker to work directly with HR, Legal, Compliance, or Audit. Still, ongoing collaborative partnerships with other functions were less common. That’s not to say that nurturing communication and engagement with tasks outside of security hasn’t long been a best practice; we at the SEC have evangelized this since our inception, as have many other thought leaders. However, collaboration tended to happen primarily on an ad hoc basis.
Years of profound advances in computing, networking, mobile technology, data management, and machine learning have transformed how organizations work. Businesses today operate within a much more complex, sophisticated, and interconnected competitive universe than they did 20 or even 10 years ago. One of the impacts of these transformations on corporate security is that cross-functional partnerships, once considered a “nice to have,” have become imperative for risk management.
Senior Leaders Expect Security to Team Up
Our subject matter experts have repeatedly reported that in the C-Suite, there is an expectation that all business functions engage actively with their stakeholders across the organization to build understanding, share information, and optimize processes. Corporate security is not exempt from that expectation.
In 2021 and 2022, the Security Executive Council’s Security Leadership Research Institute (SLRI) worked with Kennesaw State University’s Coles College of Business to examine the structures of collaboration specifically between corporate (physical) security and information security functions and the factors that build strong collaboration in any framework. One participant in the study shared the following thoughts about the power and influence of reliable collaboration:
“I think it brings what I would call a calming effect on the business that they realize that regardless of what vector, if there is a security threat to the company, we’re going to be dealing with it the best way that we possibly can, bringing the best minds to the table and hashing it out, regardless of what titles are out there. VP, CIO, CSO, Head of Security – it doesn’t really matter.”
Success in our complex, global business environment requires organizations to manage security threats and take intelligent risks nimbly – to expand into new territories, invest in innovations, and develop new partnerships. The corporate security function can enable intelligent risk-taking by providing risk intelligence and assuring the safety and security of the organization’s physical assets, people, and operations in every venture – not just in the few programs they “own.”
Newer Technologies Bring Functions Together
Some of the same technology advances that have driven overall business change have transformed security-relevant applications, enabling the operational expansion of SOCs and GSOCs, further use of data intelligence and analysis for global threat identification and risk management, end-to-end supply chain security, and enhanced critical event response, to name a few.
All these tools better enable Corporate Security to manage risks in our era of polycrisis. Expanded initiatives like these also necessitate the continued input of multiple stakeholders outside of security. Imagine initiating a GSOC without first discussing its requirements with IT or the business functions from which the data must be collected. Imagine implementing comprehensive supply chain protection without asking regional site managers about their needs, operations, and risks.
However, to effectively engage cross-functional partners and incorporate their input, corporate security leaders and staff must learn skill sets that may differ from those they expect to need in the security field.
Broader Skill Sets Required
In 2007, the SEC developed a model of the skill sets that would help Security succeed in a changing business and risk landscape. The project began with a deep dive into the backgrounds from which security leaders were hired. At the time, the security industry was experiencing a shift from hiring primarily out of military and law enforcement backgrounds to hiring more frequently out of business backgrounds, with information security experience quickly gaining. This led to an examination of the valuable skills that come out of experience in each of these different fields and a recognition that a blended skill set would be a boon for security career options in the future.
Earlier this year, we released a revised version of this Next Generation Security Leader model that reflects our post-COVID global reality.
While some of the skill categories and many of the individual skill recommendations have changed, the overall message remains the same: Security leaders who pursue a blended skill set including elements of executive leadership, business acumen, emerging issue awareness, cybersecurity and information security, skills specific to security technology and concepts, and knowledge of deterrence and enforcement will have the best opportunities to excel in a continually changing landscape.
Leaders with diverse skills will also be more capable of communicating effectively in business terms, understanding the operations and concerns of business function leaders, and building the influence required to lead cross-functional teams. They may also be more highly valued and compensated by the organization. Where a single leader can only incorporate some of the skills in the list, a security team of individuals with knowledge or experience in the different categories will be more able to rise to various risk management and business challenges.
Evaluate the Security Role Differently
With today’s expanded capabilities, Corporate Security’s scope and structure have branched out in many organizations. In others, however, evolution has occurred more slowly. This variance has always been with us – the answer to “What is Corporate Security?” has always been, to some extent, “It depends.” It depends on the circumstances, conditions, corporate culture, and resources (C4R). It depends on industry and sector, executive engagement, and Security’s functional and leadership maturity.
The SEC uses a relatively simple visual to assist security leaders in defining and communicating to executives what corporate security is in their organizations by identifying their realms of responsibility, levels of collaboration, and potential for growth in other areas.
This chart is based on SLRI Research's analysis of more than 400 corporate security leaders’ self-reported program structures and responsibilities. The analysis found that more than 70% of respondents were responsible for the six programs in green. Less than 50% had responsibilities that expanded to the three programs in blue, less than 25% had responsibility over the purple programs, and less than 10% reported that they were responsible for the four programs in red.
We provide security leaders with a colorless version of this graphic and ask them to identify programs they own, programs they partner on, those they consult on, those they’re uninvolved in, and those that don’t exist at their organization. Then, we look more closely at the partnered programs, identifying which functions they partner with and estimating each party's responsibility percentage. This process not only provides clarity to all parties, but it also helps reduce redundancies and achieve stronger accountability, and it helps identify possibilities that haven’t yet been explored.
Most corporate security functions own between five and 10 programs in the graphic and participate in the others to varying degrees.
While security success in years past may have looked like a lot of programs marked “Own,” “Partner,” and “Consult” may be the way of the future.
Leading without Owning
Today, Corporate Security isn’t likely to own all risk management programs. However, the corporate security function can act as the trusted advisor on risk to risk owners and stakeholders, providing a shared service across the enterprise.
Building the credibility and influence to become a trusted advisor may take time. Based on SEC research and collective knowledge, here are some helpful areas to focus on.
- Build trust. The SLRI/Kennesaw State study on physical and cyber/information security collaborative structures identified a theme of trust building as a crucial component of effective partnership. “Trust between the two organs is critical,” said one participant. “We have to think about one another and not throw one another under the bus.”
“Trust is critically important because it helps execs trust that you’re bringing unbiased, objective analysis and good judgment,” said another. “Hire for collaboration in your teams. Be willing to speak frankly and negotiate.”
- Use meaningful metrics. Meet with cross-functional partners to determine what they value within their functions and develop security metrics showing how Corporate Security’s services contribute to those outcomes. If analyzed and communicated well, strong, reliable data can transcend barriers of language and distrust.
- Document expectations and strategies. All parties must document and approve commitments and expectations in cross-functional initiatives. This provides transferrable clarity, strategic support, and accountability. We at the SEC have used the operations process concept to achieve this with much success.
Communicate the Possibilities
As the diversity of security roles has grown, it’s become more difficult for business functions, executive management, and sometimes even security leaders to ascertain the scope and depth of what Corporate Security does or could do. Corporate Security teams have skills and knowledge that are widely beneficial across the organization, but if senior management doesn’t recognize that potential, it cannot be fully realized.
We have seen executive teams have “a-ha” moments when presented with the visual of the Security Program Responsibility chart showing the extent of Corporate Security’s cross-functional involvement because they had no idea how far the function’s reach extended. Once they see it, the security leader or an advisor must follow up by explaining the details of Corporate Security’s capabilities within each program area.
We can’t overstate the importance of clearly communicating security’s diverse roles and values to executives. It will build influence within the organization and cement the security leader’s identity as a team player, someone reaching out across functional lines to offer services that improve the company's risk posture. If there is any question about whether the C-suite understands Security’s role and capabilities, it is time to educate them.
