Created by the Security Executive Council
The role of the Security function is essentially to identify and mitigate security risks to the organization. However difficult that may be, it is arguably not the biggest challenge Security faces. In this 2016 Security Barometer, we wanted to investigate the hurdles that Security must overcome within their organizations to accomplish their goals.
A Sampling of Comments from Participants
We received many interesting comments on this survey. There were too many to list them all, but here are a few (edited to preserve anonymity).
- "The Security business is mostly still the physical security world. The solutions are almost always the same. There is not real innovation in the way of thinking of security while the business changes faster and faster."
- "Continuing budget cuts are severely affecting security and this is an annual process, increase in salaries, cost of equipment and maintenance have a tremendous toll on opex."
- "The breadth of the challenges and their constant evolution are not seen by others and given the nature of the issues, it is difficult to share the details to raise awareness."
- "The cost of security that the client is willing to pay is tied directly to their budgeting process. When the client decides to tighten their belt it is the service providers that bear the initial brunt of cost cutting."
- "We have the first world problem of successfully selling our services and a team that delivers outstanding results. This drives demand for our services that outpaces our ability to add to the team. Supply and demand issue. We continue to focus our team on high level strategic issues and relationship nurturing, and try to outsource as much of the sausage making as possible."
- "The main challenge in my organization is structural... the placement of security in the organizational chart is buried in operations. There is no interaction of senior security leaders with executive staff, and little understanding of what security can do to safeguard the organization."
- "It is not that security is not making an effective business case or is not seen as a true business partner. It is that security is not executing well enough to get recognized as either. Security is not 'built' to enable the business mission, thus it needs to be rethunk and rebuilt or it will continually fall short in the eyes of business."
- "Physical Security convergence to IT and associated technologies is lagging behind the IT industry. Modern Security is ineffective without technological aids."
- "Still security is considered as someone’s job, until the day it realizes that it's everyone's baby, only then true meaning of security will evolve."
Insight on Addressing the Challenges...
Security is not seen as a true business partner
When senior management does not understand the range of services and capabilities of the Security department, or Security staff has trouble explaining to management the value of what the department does, it is time to examine the methods being used to communicate to executives. Too often security leaders think they know what resonates with their management but fail to see that creating a list of their programs is not sufficient for most thoughtful executives.
What is the most important concept you need to communicate to management?
Security is not making an effective business case for its value to the organization
For many years the SEC has been offering insight to security leaders, and a common theme is the importance of showing the value Security brings to the organization. The SEC's Measures and Metrics program guides Security away from the easy counting of activities or incidents to presenting meaningful metrics that present a strong business case to executive management.
Persuading senior management with effective, evaluated security metrics
Security is continually asked to do more with fewer resources
Too often we see security leaders overly confident with their programs and their standing within the organization. Almost without fail they are eventually faced with an unforeseen shakeup in management that forces them into a defensive stance. Having a strong, fact-based argument, such as that provided by the SEC's Internal Value Analysis process, allows the security leader to defend against attacks on budgets and positions the security leader to offer strong business cases for alternatives.
Managing and defending a security budget – laying a foundation
There is a mismatch between Security's mission and management's perception of what we should be doing
Ultimately the role of Security is not to guard access to a facility or to help mitigate insider threats. Rather, it is to help empower the organization to achieve its goals. Frequently executive management and security leaders are not seeing eye to eye regarding the programs and methods that best enable the organization. The SEC's Enterprise/Security Risk Assessment (E/SRA) has been hugely successful in finding ways to connect Security with executive management on the things that matter most to the organization. An E/SRA is not about checking elements off a list; it helps Security align with the organization's goals and provides an opportunity for security leaders to build stronger ties with top executives.
Contact us for more information about the SEC's Enterprise/Security Risk Assessment.
Much of the Security staff does not think strategically
Many people within security departments are satisfied being in the proverbial trenches dealing with the day-to-day gritty details of safeguarding organizations from threats. For those that want to lead programs, a strategic view of the battlefield is required. Unfortunately, gaining the experience and knowledge to be effective at a strategic level is difficult. The SEC offers the Next Generation Security Leader (NGSL) program to provide the opportunity to learn from those that have successfully made that transition to strategic leadership.
The evolution of security leadership
Security is unsure security programs are as good as they can be
Beyond death and taxes, one thing you can be certain of is that the threat/vulnerability landscape is constantly changing. What is not so clear is whether your security programs are keeping up. The SEC applies its successful experience running programs for some of the most admired organizations in the world when conducting security program reviews. It is our experience that sets apart our holistic all-hazards viewpoint from the alternatives.
More information about Security's challenges and the proven solutions the SEC can offer you can be found here