The Roadmap for Security Leadership Success Interviews, Practice #9 - Recognize your organization is different from any other, even from peer companies

Kathleen "K2" Kotwica, EVP and Chief Knowledge Strategist for the Security Executive Council (SEC), interviews Richard Lefler, SEC Emeritus Faculty and former Vice President of Worldwide Security for American Express, on one of the 10 Roadmap for Success practices: the importance of recognizing that each organization is different from any other, and how this affects the way the security leader should develop his or her risk mitigation program.

Why is this important?
If you don't understand this, you risk applying the wrong security solutions for your organization. The Council has seen more people let go for this, even if it is not overtly articulated, than for any other reason. Don't assume you can apply something in a new organization just because it was successful somewhere else. Our research shows there is no one "best" model for the security department. It is very dependent on organization-specific factors, including differences related to industry, sector, organizational structure, corporate culture, and executive drivers.

The Council uses a process called OPaL+ to identify the elements that need to be understood to start or enhance security programs within an organization. OPaL+ stands for:

  • Organizational State of Readiness: what "is" security to the organization, which impacts the willingness to accept your strategic vision of Security
  • Program Maturity: where is your program now, and where do you want it to be?
  • Leadership Continuum: what is your leadership style and how does it fit the organization?
  • The "Plus": Corporate Culture and Organizational Risk Appetite

Knowing this informs your strategic plan and future states. You will need to do the internal research necessary to make these elements align.

Learn more about OPaL+ here: "The OPaL Assessment Executive Summary"

Click the links below to hear Mr. Lefler's responses:

Q1. Why is it important for security executives to understand that their enterprise is different from any other?
(Includes a discussion of the key differentiating factors)

Q2. Given variations in the key differentiating factors, how should the CSO approach a risk mitigation strategy?

Q3. What should CSOs consider when moving from one organization to a similar one?

Q4. Given enterprises are so different, even within the same industry, can effective comparisons of one company be made to another, for example for peer benchmarking?

Q5. What take-away should CSOs consider given the core differences between various enterprises?

For ten years the Security Executive Council has proven itself to be the undisputed leader in research and advisory services for security and risk management practitioners. Over the years we have had the honor of working with and for numerous successful leaders of security programs, large and small. We have analyzed many organizations that have effectively managed the changes in the industry; most of the security practitioners of these organizations are horizon leaders. We have learned a lot in the last decade and our research has identified best practices that are becoming the success markers in security leadership. You can read some results of our research in "The Roadmap for Security Leadership Success - Ten trends based on research of successful leaders"