Why Executive Support for Security Stalls and How Leaders Can Break the Cycle

When “nothing bad has happened” becomes an excuse for inaction, security funding stalls. This feature explains why “selling security” fails and how leaders can reposition physical security as a core business risk function.
March 6, 2026

Sometimes, executive leadership mistakes a lack of serious incidents for a lack of serious security risks. Often, insistence or traditional “selling security” tactics, even when recommendations are valid, do not solve the problem.

Q: Funding for security improvements keeps getting postponed. For four years, I’ve been told, “Next year should be better,” but it never is. What can I do?  

A: Such situations rarely resolve overnight. However, they can almost always be set on a path to stable improvement with an immediate or near-term start.     

It may be that you and your security team (whether in-house, contracted, or both) appear dedicated, productive, and not constantly complaining (complaining alone is rarely helpful). Management may wrongly conclude that things are “safe enough for now” because they have other urgent business matters, and they view physical security as cards, cameras, fencing, and guards that appear to be working acceptably.

For enterprise security organizations, the drivers of positive change usually fall into one of these categories, with the three middle categories most common:

  • Company Impactful Security Incident.  An incident whose impacts extend beyond a single site. Such events can affect company reputation, valuation, revenue, multi-level employee retention, business continuity, and insurance costs and coverage. A senior security role is often created if one does not already exist; security undergoes a comprehensive overhaul; recovery can take years; and total costs are typically in the multiple millions.
  • Site Impactful Security Incident. An incident whose impacts are largely contained to one site and do not significantly affect the company as a whole or generate press. Still, it is visible at senior management levels and can prompt changes in site security leadership or engagement of a security consultant to assess whether broader changes are needed.
  • Security Leader Voluntary Departure.  An overstressed security leader burns out, resigns, and is replaced. Management may then be forced to expand the budget and take security recommendations more seriously.
  • Regulatory or Governance Impacts.  External requirements, evolving standards, or corporate governance initiatives can compel executive leadership to recognize physical security as an enterprise risk management responsibility rather than a discretionary operational function.
  • Security Leader New Mindset. This is the ideal approach. It is grounded in insider knowledge, can be implemented non-disruptively, maximizes internal resources, and moves both the organization and the security function toward an improved future state. It begins with four foundational perspective shifts:  

      o Business-leader orientation
      o Risk-management focus
      o Strategic business security planning
      o Security risk and performance reporting

The remainder of this article explains these elements of a modern security leader's mindset.

Business-Leader Orientation

This is a simple but very powerful change in perspective. The terms "security leader" and "physical security" can unintentionally suggest a narrow operational role limited to cards, cameras, guards, and fences. In practice, the scope of responsibility is far broader.

Security leaders are responsible for the organization’s physical security program, which touches every functional area of the business and affects every employee, visitor, and contractor, as well as guarding services and security operations center activities. At the enterprise level, this may also include executive protection (on company property, at residences, and during travel), critical asset protection, supply chain protection, and aspects of IT infrastructure protection.

Because physical security risk intersects with so many business functions, in-depth knowledge of how the organization operates is essential. Multiple risk assessment methods are required to understand and manage these exposures effectively.

A more accurate description, therefore, is a business leader whose focus is on physical security. This mindset emphasizes that understanding business and managing security using the same proven practices applied in other functions are critical to achieving meaningful business alignment and sustained executive support.

Risk-Management Focus

The role of physical security is to reduce physical security risks to acceptable levels, at an acceptable cost, in a way that is harmonious with the business. Those risks exist at each site, depending on occupancy and business activities. 

Each functional area has operational risks that its leader is responsible for managing. Physical security risks in each area are a subset of operational risks that can be delegated to the physical security function. This category of risk has many commonalities across functions and thus benefits from being managed by specialists.

What are acceptable risk levels? What are acceptable costs to treat them? Those are management’s operational risk decisions—functional area managers for risks that affect only their outcomes, the senior leadership team (SLT) for highly impactful risks, and the executive leadership team (ELT) for strategic risks with broad enterprise impacts. It is rare for managers, the SLT, and the ELT to have this level of understanding of physical security risk.

The physical security function must involve these decision-makers in the business impact analysis of risk assessments (risk levels and tolerances) and in evaluating risk treatment costs. It is the security leader’s job to adequately educate decision-makers so they can make well-informed risk- and cost-tolerance decisions.

Security leaders should repeat the mantra, “The role of physical security is to reduce physical security risks to acceptable levels, at an acceptable cost,” at every opportunity until stakeholders begin completing the sentence themselves. That is the indicator that the core security message has sunk in enough for the concept of security strategic planning to take root among ELT, SLT, and functional-area stakeholders.

Strategic Business Security Planning

Physical security’s strategic objective is safe, productive workplaces. This leads to the purpose (or mission) of physical security: achieving a uniform level of security due diligence across all sites. Even among identically modeled sites, differences will affect the physical security risk landscape. Decades ago, the profession learned that trying to establish identical operations and technology deployments across all sites to avoid negligence claims is not feasible.

What works is achieving a uniform level of security due diligence, which is the purpose of security risk assessment programs. When security risk decision-makers understand the strategic objectives and purpose of physical security, the security leader’s role in stakeholder minds is elevated to that of a highly valued business leader.

Security Risk and Performance Reporting

Regular reporting to security stakeholders is an important business practice that security functions often neglect or underperform on. Annual reporting to all security stakeholders, quarterly reporting to SLT stakeholders, and ad hoc reporting on matters relevant to specific functional areas are essential.

Highly professional security leaders regularly assess site security risk profiles and manage and report on projects, as the best business units do. This is in addition to reporting on general site physical security risk assessments and narrowly focused assessments, such as those for workplace violence and insider threat risk.

For physical security leaders who are new to metrics, an excellent starting point is George Campbell’s Measuring and Communicating Security’s Value: A Compendium of Metrics for Enterprise Protection (Elsevier, 2015), which focuses on using real-world metrics to tell a compelling value story to senior management. The next Convergence Q&A column will address security function reporting.

Convincing vs. Enabling

There is a world of difference between “selling security” and “soliciting buy-in,” and between both of those and actively enabling stakeholder involvement. The guidance above reflects the successful actions of many effective physical security leaders.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP, CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Ray has recently released an insightful downloadable eBook titled, Future-Ready Network Design for Physical Security Systems, available in English and Spanish.

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.
