Next Generation Security Leader Development Program: Inside View
By Marleah Blades, Senior Editor, Security Executive Council
This blog covers the Council's newest initiative, an online executive-level program for security practitioners, led by Council Faculty (current and former CSOs/CISOs) and USC Faculty. Learn more about the program here.
June 25, 2012
Until Next Time
The inaugural Next Generation Security Leader program was a great success. The sixth session has been presented, and participants are busy completing their final papers and awaiting their certificates of completion.
I hope the course highlights we've shared on this page have been enlightening to all of you who've followed us, and I hope you'll be encouraged to participate in the next NGSL program, which should begin this fall. The curriculum for the second program will cover six new topics, so new and returning participants alike will benefit.
Keep an eye on our Next Generation store page for information on registration and start dates when it becomes available.
June 15, 2012
Final Session Highlights
This week's NGSL session, Managing Information Protection, Breaches and Situational Intelligence, featured the Security Executive Council's Managing Director, Bob Hayes; Greg Niehaus, Professor of Finance and Insurance at the University of South Carolina's Darla Moore School of Business; Lorna Koppel, Director of IT Security for Kohler Company; and John McClurg, VP of Global Security for Dell. Here are the highlights of the conversation.
- According to the Security Executive Council's research, companies have historically hired security leaders based on their backgrounds, and there have been shifts in the most-hired backgrounds each decade or so.
- Next-generation leaders should have at least some of the skills prized by each background category (military, law enforcement, internal, IT, etc.).
- Management's expectations of the security function and its risk management capabilities are increasingly important, and it's critical to manage those expectations effectively.
- The risks and processes owned by corporate security in earlier years are now nearly all influenced, owned or co-owned by other business units, most notably IT.
- Engaging, sharing with, and delegating to other business units is the way forward for many security leaders, and communication is the key to effectiveness in this.
- John McClurg emphasized that different risk and security structures will work for different companies, describing his transition into an organization that thrives on highly cross-cultural engagement and ownership.
- Cross-organizational distribution of traditional security responsibilities works best when there are common processes, common databases, and common procedures that are recognized and followed by every entity involved.
- Lorna Koppel discussed how a security leader can gain traction by leveraging corporate culture and remaining flexible—both to make improvements and to deal with setbacks.
- In some corporate cultures it's best to piggyback on existing processes or initiatives to get security changes made; this enables the leader to move initiatives through without taking management or employees out of their comfort zone.
- As in previous sessions, all presenters emphasized the importance of educating other business leaders and management, specifically on the point that security doesn't own risk—the business does.
June 8, 2012
The Final Countdown
The final session of the NGSL program, Managing Information Protection, Breaches and Situational Intelligence, will take place next Wednesday afternoon. To get an idea of the issues that will be covered, take a look at the article Managing Risks: A New Framework (Harvard Business Review) and the column Crisis Management at the Speed of the Internet (Security Magazine). NGSL participants are also beginning to develop their final papers, which are a required component of course completion. Hard to believe this inaugural program is nearing its end. Stay tuned next week for Session 6 highlights.
May 25, 2012
Next Generation Coverage in Security Magazine
Many of you may be aware that since January the Security Executive Council has contributed a monthly column to Security Magazine called Next Generation Security Leader. The column has allowed us to pull out one or two innovative or poignant ideas from each session and discuss them from a slightly different angle.
If you've missed any of these columns, you can read them at the links below.
January: Running Security Like a Business
February: Risk at High Velocity
March: The Titanic: Risk Management vs. Compliance
April: Delivering Meaningful Metrics
May: Do You Understand Risk Appetite?
May 18, 2012
Cost Center or Profit Center?
One of the lessons that came out of last week's NGSL session was that there are two parts to adding business value. The first is implementing the kinds of processes and improvements that will tangibly and measurably add to the bottom line—things like helping security technology become a sales showcase, per Microsoft's Mike Howard, and increasing cash flow by implementing safer processes, per Francis D'Addario. The second part is demonstrating this value to senior leadership by presenting persuasive, well-documented metrics.
In the NGSL pre-registration poll, participants were asked "How does senior management view the security department?" The split in responses was fairly even: 37% said security is viewed as adding value to the bottom line, 33% as a business enabler, and 30% as a cost center. I would be interested to see how those numbers will change after participants begin to put into practice the lessons learned through these sessions.
May 11, 2012
Improving Profit Through Security
Session 5, Adding Business Value with Mission Assurance and P&L Performance, was held this week by presenters Gregory Niehaus (Professor of Finance and Insurance at the University of South Carolina's Darla Moore School of Business), Mike Howard (Chief Security Officer for Microsoft) and Francis D'Addario (Security Executive Council faculty and former security leader for Starbucks Coffee, Hardees Food Systems, Jerrico Inc. and The Southland Corporation). Here are the highlights:
- Mike Howard described the staggering size and breadth of Microsoft Global Security, emphasizing his group's focus on advancing company strategy, advising other business leaders and management, and enabling business operations and opportunities.
- Mike shared in detail his organization's journey in building a business case for the design and implementation of multiple redundant Global Security Operations Centers (GSOCs) that provide global situational awareness, off-site triage, and greater efficiency in crisis management and business continuity.
- Throughout this description he clearly stated the business drivers behind the GSOCs. His team took one year to secure buy-in and funding by focusing on the business case, and the GSOCs now help build new revenue by serving as showcases for MS and partner products. The strategic business focus of the Global Security organization has helped to sustain funding; they have never suffered cutbacks to their budgets.
- Howard described multiple occasions in which a single GSOC had to be evacuated and another across the globe was able to pick up its operations within minutes, seamlessly. He remarked that his organization has briefed all members of the C-suite on the technology and its value.
- The direct and indirect revenue influence of the GSOCs is significant, and Howard reports that the process of building value through the GSOCs has increased the business acumen of the Global Security team, helping them to learn more about company strategy and customer needs.
- Francis D'Addario then described his experience changing mindsets and mitigation strategies at 7-11 stores in the 1980s. D'Addario used research to identify five criteria that make certain stores attractive targets for robbery, then used some simple and some technological methods to eliminate these factors and achieved a risk improvement worth more than $90 million.
- D'Addario was able to duplicate these successes at Hardees and Starbucks, and Greg Niehaus emphasized the importance of one part of his strategy: the use of pilot stores. In each case D'Addario's teams were able to make risk-centered changes to a series of pilot locations, and then compared their performance and crime rates over time with other, similar locations as controls. This allowed for the collection of reliable metrics and persuasive numbers that showed not only increased risk mitigation performance but added value in areas like cash flow and reduced shrinkage.
- Last, presenters referred to the Council's Nine Practices of the Successful Security Leader, which outlines many of the practices that lead to success stories like those shared in this seminar.
April 27, 2012
How Deep Is Your Bench?
Over the past two weeks, several in the NGSL LinkedIn community have shared snippets of their successes and weaknesses in continuity and resilience. One cautioned that crisis management training must extend to the management level if companies hope to avoid a follow-up crisis of public relations. Another admitted that his company's security operations center, while remarkably successful, represents a single point of failure that he's trying to rectify. One participant addressed the leadership challenges of multiple divisions owning multiple pieces of the resilience and response puzzle, while another decried the too-familiar scenario of developing response plans that no one reads or uses during drills or events.
One issue that's arisen as fairly common is personnel redundancy. Many share a concern that their bench is not deep enough, so to speak, to ensure that someone knowledgeable will be available to manage a crisis in each region. One participant stated, "In some geographies, the loss of a single performer would limit an organization's ability to respond for hours, if not days." Others shared that they are dealing with this issue through talent development and cross training.
While the challenges vary across a range of organizations and industries, the point of all this is, as one participant deftly put it, "that any contingency planning should include an honest self-assessment."
April 20, 2012
Does Your Corporate Culture Hinder Risk Management?
At the close of last month's NGSL session, participants were asked to weigh in on a quick poll: "The culture of my organization makes it more difficult to successfully manage risk"—Yes, No, or Neither. This question was simultaneously asked of non-NGSL site visitors to www.securityexecutivecouncil.com.
The NGSL poll showed a fairly even split. Forty-one percent responded yes; 55% said no, the culture of my organization enhances my ability to manage risk; and only 4% said the culture had no effect on risk management capability. The open poll results were markedly different, with 73% responding yes, 19% no, and 8% neither. (For a little analysis on this, click here.)
To me, these results once again show that our NGSL participants represent the head of the class of security leaders, in part because so many of them manage risk in environments that support their role, whether through hard-won security leader influence or an existing organizational appreciation of risk management. But even the head of the class still must battle organizational perceptions, priorities, and readiness issues that hinder the appropriate management of risk.
April 13, 2012
All-Hazards Preparedness and Public-Private Partnership
On Wednesday, NGSL participants heard from Francis D'Addario, Council Emeritus Faculty and former VP of Partner and Asset Protection at Starbucks Coffee; Rad Jones, instructor in the School of Criminal Justice at Michigan State University; and Brad Brekke, Vice President of Assets Protection for Target Corporation, on the importance of influencing community preparedness and resilience. Here are a few highlights of the session:
- An Oxford Metrica study shows that organizations that persuasively communicated that they had a plan to recover operations after a catastrophic incident, and that recovery was job #1, were able to reestablish valuation of stock offerings within a year of the calamity. Those who couldn't do that often didn't recover at all.
- Francis related his experience at Starbucks during the Nisqually earthquake in 2001, sharing how Starbucks was able to communicate effectively and resume operations quickly.
- One thing that can't be overemphasized is the impact and value of community partnerships for influencing outcomes for these sorts of events.
- A critical incident is an event that requires swift action involving multiple components and a number of internal and external entities. It requires consensus among a range of company leadership as well as public sector responders and regulators, which is difficult if there are not already pre-determined roles, responsibilities, and plans in place.
- Companies should have strong and trusted internal partnerships, as well as strong and trusted partnerships with public entities, to provide the best response and resilience. If emergency responders are aware of internal and external stakeholders in advance of a crisis, then when the event occurs their attention can be immediately focused on resolving the incident and not on nonproductive discussion.
- The MSU Critical Incident Protocol program helped a number of communities develop effective public-private partnerships to enhance resilience and preparedness for the entire community.
- Understanding culture and business values is key in developing crisis preparedness.
- You can't plan for everything. Instead of planning for a certain type of crisis, consider planning for consequences. What happens if you lose communications, transportation, energy?
- It's important to identify partnership opportunities early on – sometimes before your company moves into a community. If you identify resources you can bring, such as funding, education, and equipment, and identify security challenges your company may have in that location, you can determine where a public-private partnership can fill gaps on both sides.
- Brad described how Target's quick response to the April 27 tornadoes in Alabama was enabled by the crisis tabletops already conducted and the trusted relationships of the company with local public entities. He also emphasized that the ability of Target stores and distribution hubs to quickly resume operation not only helped the company, it aided the community significantly in a wide variety of ways.
April 6, 2012
Next week's NGSL session will focus on resilience and all-hazards preparedness. The world is an uncertain place, and disasters of all types—manmade, natural, cyber, financial, reputational—are possible for nearly any business. Security professionals are in the business of recognizing these possibilities and developing plans to keep the business running in any situation. In next week's session, presenters will review the latest global requirements for preparedness compliance as well as the means to protect the brand through alliances. Check back next Friday for the session highlights.
March 30, 2012
Looking back through the session notes and online conversations of the first half of the NGSL development program, I'm struck by the through-line of business value. Participants and presenters are all invested in moving the bar first to providing/demonstrating value, and then beyond that to becoming valued.
As Greg Niehaus noted in the most recent session, there is a difference between these two goals. "If you're valued, other groups in the organization start coming to you for advice, asking you about new projects, et cetera," he said. You can provide and demonstrate value without necessarily being valued as a business partner, and vice versa. In some organizations, being valued may require several years of showing value, whereas in others, being valued comes first and allows the security leader the flexibility and authority to create value. In whichever order they come, providing value and being valued are both very important goals for security leaders.
All the session topics so far—aligning board level risk and mitigation strategies, communicating measures and metrics, and organizational readiness—have provided crucial stepping stones to help security leaders show value and be valued.
March 23, 2012
Reaching Higher Readiness Levels Requires Patience
The NGSL LinkedIn group has been abuzz all week with talk of organizational readiness, spilled over from last week's session. Moderator Francis D'Addario posted the question, "How would you rate your organization's state of readiness?" and the responses have been detailed and varied as participants continue to discuss solutions and pose new questions.
Most respondents rate themselves at the Business Partners/Enablers stage. One particularly innovative response likened the organization's view of security to a Twister game board—if the readiness rankings are colored circles (as they are in the OPaL chart), management lands on different ones depending on the situation. This description probably strikes a chord for a number of security leaders.
One trend in the LinkedIn posts this week is a call for patience in influencing change:
"… the journey from concept to reality can be very slow."
"We have been on the journey … for about 5 years."
"This has seen a gradual (Rome wasn't built in a day!) perception change …"
It's important to remember that the organization's state of readiness is something to be influenced, but not to be disrespected through bullying or heavy-handedness. It takes time to build a perception of greater value; but it's worth the time spent for both security and the organization as a whole.
March 16, 2012
Running Security Like a Business
It's hard to believe that this week's session, "Next Generation Organizational Leadership: Running Security as a Business," marks the halfway point of the NGSL program. The insights and experiences that have been shared thus far have given all involved a number of great ideas and resources to apply to their organizations going forward.
This week's session was led by Kathleen Kotwica, EVP and Chief Knowledge Strategist for the Security Executive Council; Tim Janes, CSO and Managing VP for Capital One; and Gregory Niehaus, associate dean for research and academics at the University of South Carolina's Darla Moore School of Business. Here are the highlights.
- Security can be more influential and more effective if security leaders understand the business concepts that drive the other business units and apply them to their own function.
- Security Executive Council research has shown that when security leaders have a strategy for and an awareness of the following three factors, they can advance security's success: organizational state of readiness, program maturity and leadership continuum.
- There are five common states of organizational readiness for security, from "no security needed" to seeing security as a revenue enhancer. It's important for security leaders to know which state their organization is currently in if they are to work to "nudge" the organization to a more advanced state of readiness.
- It's critical to listen to business leaders and internal constituents to assess their impressions of security to find out where the organization stands.
- There are also five common states of program maturity, from startup or initial service to business transformation. Again, you must know what state your programs are currently in if you are going to make a plan to advance them.
- Having a defined and documented program gives you transparency, which leads to credibility. Credibility is security's currency in the business.
- There are seven common personas of security leaders, from those new to security, to the next generation security leader.
- Success is advanced when these three factors – organizational readiness, program maturity, and security leadership persona – are aligned. Even if they aren't all at the highest level, alignment means the security leader and security programs are accomplishing the security goals the organization needs and wants them to accomplish.
- Corporate culture and organizational risk appetite are two other concepts that the security leader must understand if he or she is to communicate the value of security programs effectively.
- Risk is owned by the business, not security. Security's role is to make sure businesses are fully educated on the risks they face and to help them to figure out ways to manage or reduce risks outside their appetite.
March 9, 2012
How Ready Are You?
Next week's NGSL program session will cover a number of factors that typically contribute to security program success. The Security Executive Council has researched this topic on several levels in the past 6 years, and their findings indicate, among other things, that organizational readiness, program maturity and leadership status all play a significant role in enhancing or furthering security programs in any organization. Interested in finding out more? Next week we'll update with session highlights. In the meantime, visit www.securityexecutivecouncil.com/oplqz to take a free, abbreviated version of the leadership component of the Council's OPaL assessment.
February 24, 2012
Measuring the Value of Business Continuity and Crisis Management Programs
It can be difficult to effectively show value in many facets of security, simply because security's effectiveness is measured by the absence of negative impacts. Crisis management and business continuity programs specifically have been brought up in the NGSL participant conversation over these last two weeks. How do you tangibly demonstrate the effectiveness of a program that is protecting against an event that may or may not ever occur? Some questions to consider, drawn from participant responses:
If there has been a negative event in your organization in the recent past, are you measuring only the direct loss associated with the event, or are you considering also the indirect losses, such as loss of productivity (not only in days workers are out of work but in number of meetings to be held, counseling sessions, etc.) and reputational damage?
Are you measuring positive preparations and responses, such as numbers of exercises held, trained personnel, speed of accounting for employees, call tree activations, and number of escalations?
If your organization hasn't had a crisis to put a dollar tag on, can you glean meaningful metrics from the impact of negative events on companies similar to yours?
Are you working with other functions, such as Legal or Corporate Insurance, to help measure and communicate the cost of negative events?
February 17, 2012
What Are Your Priority Metrics?
This was the question posed of NGSL program participants at the end of Session 2, and there has already been some interesting conversation around it. So far, the common and critical aspect of the metrics identified has been their importance to company leadership.
"Our most effective metrics are those that are clear, measurable and have a direct impact on business," wrote one participant. He continued that his best metrics provide "real and tangible numbers regarding how our department adds to the bottom line and protects the integrity of the brand--both which are paramount to business leaders."
The thread of showing measurable value enhancement—a priority of management—continued into another conversation about business continuity metrics. One participant remarked that while he'd previously presented BC proposals strictly on the grounds of their being "the right thing to do," last week's session opened his eyes to the importance of value communication. "They probably were reasons that might add value to the business, [but] the evidence showing this clearly to senior management was lacking," he wrote. "Having listened intently to the presentations, I am clear that the ERM method of presentation will be more likely to yield the required results and I look forward to learning more on this and associated subjects."
February 10, 2012
NGSL Session 2, "Communicating All-hazards Risk, Mitigation and Performance Metrics," included great insights on metrics development from George Campbell, SEC Emeritus Faculty and Former CSO of Fidelity Investments; Dave Komendat, VP & CSO of the Boeing Company; and Greg Niehaus, PhD, Professor in the Darla Moore School of Business. Here are some highlights:
- Metrics should help us make better decisions. A good decision is one that furthers the organization's goals. Creating value is an important goal for most companies, so metrics should address our impact on expected cash flow or variability of cash flow.
- It's useful to distinguish metrics that are forward looking for decision making and backward looking to assess performance. These are interrelated.
- An ERM approach requires that metrics be shared throughout the organization.
- In building metrics it's important to recognize some risks are associated with large indirect losses that aren't covered by insurance, such as reputation losses and lost productivity.
- Value metrics are focused on risk, performance, communication, and customers.
- We live in times of scarce resources and this imposes somebody's measurements on us. Do you want those measurements to come from you or from someone who knows nothing about security?
- Security functions collect mountains of data, but rarely use it. Metrics creation is taking that data and turning it into actionable info: telling the value story of security.
- It's the job of the business to manage security to the business. Metrics can help empower employees and managers across the business and hold them accountable for the management of security risks.
- In developing metrics, consider what type of information would be meaningful in a 30-minute presentation to the CEO and his or her leadership team.
- When beginning a metrics program, consider a few metrics that can be linked to other data, so that others can verify the credibility of the metrics through their own research; total cost of security as a percentage of revenue is one example.
February 3, 2012
Preparing for Metrics
The NGSL registration survey shows that around half of program participants have built some security programs from the ground up. Of those, fewer than 20% mentioned metrics in descriptions of their from-scratch programs.
If security organizations aren't focusing on metrics, should they be? How can effective metrics be defined and developed? How have security leaders earned support for and implemented metrics programs, and what have those programs achieved for the organization?
In NGSL's second session, "Communicating All-hazards Risk, Mitigation, and Performance Metrics," SEC Emeritus Faculty George Campbell, Professor Greg Niehaus and Boeing CSO Dave Komendat will address these questions and more. We'll post the highlights here at the end of next week.
January 27, 2012
How Do You Show That You Enhance Value?
This question in the NGSL LinkedIn Group has generated nearly 30 responses. Some of the more commonly referenced methods:
- regular reporting of detailed metrics
- effective and frequent communication of risk
- proactive controls
- maintaining a cost-effective approach
- identifying non-traditional ways to use technology and staff
These responses are likely to resonate in the context of the next presentation, "Communicating All-hazards Risk, Mitigation, and Performance Metrics," to be held February 8.
January 20, 2012
Lively Discussion Continues in NGSL Participant Forums
Next Generation Security Leader participants continue to have lively discussion on Session 1 topics in the NGSL LinkedIn group.
Will McCann of Capital One began a thread on compliance vs. risk mitigation with a reference to the Titanic. "In 1912, UK lifeboat requirements were based on tonnage rather than passenger load. And since White Star's leaders were focused on legal compliance rather than mitigation of risk, they simply bought enough boats to keep the authorities at bay and went to sea. One hundred years later, I wonder how many companies really make the distinction."
One group member added a question all security leaders should consider: "If a company is in compliance with the law, how does one make the case for further risk mitigation without the benefit of knowing the actual outcome as in the Titanic case?" The analogy deepened as the thread continued, and it shows a great deal of insight on the topic from all participants.
January 12, 2012
First Session Covers Board Level Risk and Security's Role
The Security Executive Council, in partnership with the University of South Carolina's Darla Moore School of Business, kicked off the Next Generation Security Leader program yesterday with its first session, Aligning Board Level Risk and Business Unit Mitigation Strategies, taught by Dick Lefler (the Council's Dean of Emeritus Faculty and former CSO of American Express), Dr. Greg Niehaus (Professor in the USC Moore School of Business), and Randy Harrison (Director of Corporate Security for Delta Airlines).
Here are some highlights:
- The board's goal is to create value and to develop strategies that create value.
- There are various ways of defining risk: 1) as the likelihood or severity of a negative event; 2) as expected loss on average (likelihood and severity combined); and 3) as a level of unpredictability.
- Each of these definitions impacts value, but security typically influences the type of risk that is defined as average expected loss. Therefore, security's primary value to the board is in its impact on expected cash flow, and security should communicate its activities and proposals in terms of this impact.
- Part of security's responsibility is to reduce uncertainty. In companies large and small, there are security-related risks in every business unit that security has the skills and capabilities to mitigate or to provide support in mitigation. There are value opportunities to be found in identifying these risks and presenting the security function as a resource to help manage them. (Mr. Lefler used the Council's Board Level Risk Diagram to illustrate.)
- A unified risk oversight model can ease the identification of organizational risks and build a culture of proactive risk management in which security plays a company-wide role. (The Unified Risk Oversight Model diagram was used to explain this concept.)
- Security must think about risk management in terms of impact on customers—not only internal business units but the customers of the organization.
- Compliance is not the same as risk management. Regulatory rules are not always adequate to reduce uncertainty.
- By carefully examining annual corporate objectives against securityâ€™s roles and capabilities, Delta corporate security has been able to identify and articulate measured value to the organization through a number of direct and indirect impacts on multiple initiatives and business units.
- There are a number of tools that can be used to quantify enterprise risk in order to measure effectiveness and value.
- Organizational engagement from top to bottom is one of the most important elements of the success of alignment and enterprise risk management.