Business Evolution Requires Active Security Alignment

Created by Security Executive Council staff, with insight from Dick Lefler, Former VP and CSO of American Express and current chairman and dean of Emeritus Faculty for the Security Executive Council; and Greg Niehaus, Professor of Finance and Insurance for the Moore School of Business, University of South Carolina

Business continues to change, and if the next generation of security leaders hopes to succeed, they must be prepared to change with it, says Dick Lefler, Former VP & CSO of American Express and current Chairman and Dean of Emeritus Faculty for the Security Executive Council. This will require, among other things, a much more active pursuit of alignment with the organization’s structure, goals and strategies.

“What matters to the organization in terms of a risk management role is that you’re identifying the risks that could either disrupt or enhance the organization’s strategy,” says Greg Niehaus, Professor of Finance and Insurance for the Moore School of Business, University of South Carolina. “Alignment is important in that you want everyone in the organization to be thinking about and potentially identifying those risks.” When the security leader is confronted with evolving business goals, evolving operational models, and evolving risks, such alignment can be more of a challenge than it has ever been.

“I think the next generation of security leaders is going to be faced with two significant risk issues to manage,” says Lefler. “First, companies are doing business differently than they have in past generations. The next generation security director will have to demonstrate skills that not only are aligned to the business enterprise but that also reflect change in the way business is conducted.”

The biggest change Lefler sees is an ongoing shift from a vertically integrated business model to a horizontally integrated one, meaning that fewer and fewer business functions are performed in-house. “From that point of view, a lot of your risk lies with somebody else’s employees, goods and services, and the ability to deliver those to you to further enhance or add value to the product and ultimately sell it. In today’s competitive environment, you depend on others to provide raw resources, manufacture goods, and manage services like IT. The radical shift is that you’re now managing risk relationships as opposed to managing the risks themselves,” he says.

He offers the example of an electronics company that outsources its manufacturing. “If your manufacturer fails to provide you with adequate supplies based on your contract, you won’t be able to sell as much product as you planned, and that will have a significant impact on your revenue and stock price,” he says. “So part of that risk exposure may be the failure of your electronics manufacturer to adequately vet its employees or manage the risk in its own facilities.” The security executive’s responsibility in this case includes working with Legal to develop contracts that limit this risk exposure and acting as an agent of influence not only on his or her own senior management, but on the management of the contracted manufacturer. This expansion of responsibilities is just one of the elements of business alignment in an evolving risk atmosphere.

The second issue Lefler feels will most impact the next generation of security leaders is compliance. “Compliance in the global marketplace is continuing to grow, and we’re continuing to see sovereign nations work together to create increasing levels of compliance requirements that carry with them penalties for failure to comply. The next generation of security leaders will have to be as sensitive to compliance as they are to the risk issues that can impact on the company. Failure to comply is a risk issue in and of itself.”

Alignment in a changing risk and operational environment will require security leaders to actively engage management in an ongoing dialog, to ensure a shared understanding of business strategies and goals as well as identification of risks that are critical to the company and the board of directors.
