Security's Gains and Gridlocks: 2023

Private Sector Intelligence Analysis

Public-sector organizations have long incorporated intelligence analysis into their security operations, but only recently have the same capabilities become more widely available in the private sector. Executives want and need their security functions to glean verifiable, actionable insights from a glut of available data.

This year, corporate security leaders have increasingly turned to open-source intelligence analysis to fulfill that need, to inform risk management and strategy, and to sharpen both protective and revenue-driving services. To further support the private sector in this journey, the SEC launched the Business Intelligence and Innovation Laboratory (BI2 Lab) at Mercyhurst University, which will provide private-sector security leaders with real-time and predictive information to help them make more informed business decisions.

Because of the speed and quality of such intelligence analysis, one client company was able to move proactively to protect assets and people in the very early stages of the Russia-Ukraine war, avoiding significant damage and loss.

Cross Functional Communication Through the GSOC

Organizations have grown to recognize that risk can most effectively be managed by cross functional teams. The SEC has long seen clients adopting this structure for crisis management, relying on the Global Security Operations Center (GSOC) for communication.

An SEC client shared the story of an employee whose life was saved from a wildfire she didn't know was coming because the GSOC, keeping tabs on weather events and remote employee locales, communicated to her the need to evacuate. The same GSOC was also able to lessen the impact of the disruption for supply chain partners and operations centers in the way of the blaze through early warning.

It's now clear that the GSOC can similarly enable cross functional communication for less critical, less urgent issues. To remain proactive, cross-functional teams must know more, sooner. An opportunity exists here to push the GSOC to the forefront as a solution for the speedy and effective transfer of information across the enterprise – even in non-crisis situations.

Artificial Intelligence for Security

While the exact nature of security's opportunity in AI is still cloudy, it's clear that this technology must be examined for both its potential benefits and its risks. Our clients are starting to ask - How is it being used by those who pose a threat to the organization? How is it being used by others within the organization? What can it do to help security leaders better protect the enterprise and improve their services and value? What is security's role in managing the risks it may present?

The opportunity here at the early stages is to organize meaningful conversations and education about AI so that the security community and individual organizations can develop a plan for how to explore it.

Contact us at contact@secleader.com to find out how you can participate in brainstorming meetings on AI.

Executive Influence

For more than 20 years, security leaders have told the SEC their biggest challenge is earning the ear and confidence of senior management, and unfortunately, that continues to be the case. We find only about 15% of security leaders have successfully mastered this. Many struggle to secure the budget they need, the staffing they want, the buy-in for projects. They are frustrated that executives do not ask them for input or inform them of shifts in strategy. Others don't realize they aren't on the same page as management until they find out they're being let go.

Security leaders must look critically at their programs, their skills, and their messaging. What specific, high-level risks does security mitigate? What does security do that drives the organization toward executives' - and the Board's - goals? Where can the security leader improve his or her own knowledge and aptitude? How does the program compare with others, what gaps exist, and what would the function be capable of if those gaps were addressed?

Supply Chain Security

In many industries, supply chain security continues to be viewed piecemeal rather than end-to-end. Supply chain has traditionally been owned by non-security functions -- procurement, manufacturing, warehousing, distribution, even HR – without the expertise to recognize the pervasiveness of product risk from raw materials to customer delivery and use. Perhaps they ensure that the warehouse is secure, but the trucks are vulnerable. If the trucks and trailers are secure, is the shipper vulnerable? The definition of "supply chain" simply doesn't encompass the full product lifecycle in many organizations.

Industries that are not highly regulated may not be motivated to begin looking at security across the product lifecycle. But the problem is vast. Security leaders have an opportunity to collaborate with other functions to offer their services throughout the supply chain as a resource but need to be able to articulate the value they can bring.

Failure to Modify to Meet Risk

In many organizations, security has not kept up with risks. Traditional security measures have repeatedly fallen short in the face of rising incivility, new threat vectors, and evolving attack technologies. Security officers often do not carry the authority that many employees believe they have. Camera surveillance is used but often no one is watching or responding. The criminal element has shifted and evolved. Yet security functions too often continue to do things exactly as they always have.

Change is difficult, particularly when support and resources are low. But security's duty of care requires that the function do better to protect employees, organizations, and communities.