Leadership Solutions


The Roadmap for Security Leadership Success Interviews, Practice #7 - Running Security as a Business

Kathleen "K2" Kotwica, EVP and Chief Knowledge Strategist for the Security Executive Council (SEC), interviews Herb Mattord PhD, SEC Content Faculty Expert: Information Security and Assurance. The discussion delves into one of the 10 Roadmap for Success practices - the importance of running security as a business .

Why is this important?
Many organizations think of Security as something "outside" standard business functions (finance, sales, marketing, HR, etc.). How did this happen? It's because often the security department does not use the basic business processes everyone else relies on such as:

  • Understanding all of your internal customers and what "products" they want or need
  • Where security efforts fit into the BIG ultimate goal - creating revenue
  • KPIs (key performance metrics) and other ways to measure activities are working as planned and adding value
  • Cataloging what Security offers and it's perceived value
  • Constant communication to stakeholders on where Security is and where it is going
Regarding the last point, work on your communication strategy to the business side. This is different than your communication and management strategy to security colleagues and staff. If you only remember one thing around this topic make it this - at the end of the day security may provide value to the organization, but are you valued? Your communications to the business side should always expose the insight you have on what the business is trying to do and that you are helping the company get there. More business executives are expecting business leaders that have expertise in security and not the other way around.

Click the links below to hear Mr. Mattord's responses to the questions:

Q1. What is meant by the term "running security as a business"?

Q2. What are the benefits of running security as a business to the organization?

Q3. If you had to define one skill or practice that would make security more business like what would that be?

Q4. What does the security department gain by creating the measures and metrics program?

More information on running security as a business can be found here:

Using Business Research to Increase the Effectiveness of Security Leadership:
Click to download PDF file

For ten years the Security Executive Council has proven itself to be the undisputed leader in research and advisory services for security and risk management practitioners. Over the years we have had the honor of working with and for numerous successful leaders of security programs, large and small. We have analyzed many organizations that have effectively managed the changes in the industry; most of the security practitioners of these organizations are horizon leaders. We have learned a lot in the last decade and our research has identified best practices that are becoming the success markers in security leadership. You can read some results of our research in "The Roadmap for Security Leadership Success - Ten trends based on research of successful leaders"