Security State of the Industry (SSoI): Measuring Security Leader and Program Value Potential and its Relation to Being Valued by the Business
Created by the Security Executive Council
After the Next Crisis Happens, Will You be Ready to Quickly Explain Security's Value to the Business?
Corporate security success is multidimensional. It's complex and interrelated: a fluid and ever-changing value proposition. With close to two decades of research, the Security Executive Council (SEC) is working on collating its comprehensive findings to benefit chief security officers—with the goal of developing a tool to measure the potential value of security programs.
“Our constituents call us all the time to ask ‘What's the best metric of the success of a security program?’ and ‘What's the best plan?’ Many factors have an influence. You need to be constantly evaluating your value potential to your organization because it's related to your success, and SEC will soon provide a tool to do that,” said Bob Hayes, Managing Director, SEC.
“Measuring Security Leader and Program Value Potential and its Relation to Being Valued by the Business” was the topic of the SEC Security State of the Industry online briefing presented in March 2018. Speakers included Bob Hayes; Kathleen “K2” Kotwica, Executive Vice President and Chief Knowledge Strategist, SEC; and Francis D'Addario, Emeritus Faculty, SEC.
“We have been studying programs and leaders even before the official establishment of the SEC and have compiled those learnings,” said Bob Hayes. “Our goals are to identify the elements of success; find ways to benchmark various leadership styles against programs; and help our security leaders conduct a self-assessment of their program.”
Success is Slippery
The “big picture,” said Kathleen Kotwica, is that success in corporate security has many interconnected elements. “It may seem simple, but there are many facets that contribute to being successful and bringing value to your organization, all interrelated,” she said. She used complexity theory as a way to explain how something simple can also be complex.
“Complexity theory,” said Kotwica, “looks at complex behavior patterns and how they can self-emerge from simple rules. These patterns can be impacted by external events. Dynamic Systems (the origins of chaos theory) looks at complex systems and their relationships and where a change in one part can influence all of the other interrelated parts.”
The lesson, she added, is that there is no “12-step” program to guarantee success. Using a diagram that depicted the stable and unstable zones described by these theories (see Figure 1), she stated, “You can be in a stable mode, where we all want to be relevant to success, but seemingly simple events, like the introduction of a new member of senior management, can cause huge, far-reaching change. And we have seen it happen. You need to be adaptable to future states.”
Figure 1. Extracted from a presentation created by the UK Defence Academy, “Leadership Derailment,” slide 9: http://slideplayer.com/slide/8636632
Francis D'Addario said there are moving pieces interacting that effectively denote the health of a risk management program. “At the end of the day, our leadership qualities are probably our greatest asset. We bring to the game a Board-level understanding of risk and its mitigation, but there's always a question mark because we know ultimately there will be an unfamiliar risk issue down the road. The question is this: ‘How can we reshape our mitigation services and programs against that constant change? Why is it that some leaders and security programs weather change better than others?’”
Tools for Success
The presenters discussed some of the existing success measures the SEC has created:
Figure 2. OPaL+ Continuum
- SEC's OPaL+ research (Organizational readiness, Program maturity and Leadership continuum, plus corporate culture and risk appetite)—one of the methods the SEC has created for calculating success. It examines the combined impact of the elements that make up OPaL+ for the security leader and team, and it can show how others perceive the security leader and the security program. The particular combination of these elements can increase or decrease your chances for success.
Figure 3. Program Maturity Model
- Corporate Security Program Maturity Model—this model is currently being developed by the SEC and is a work in progress. It encompasses 5 levels of maturity: Level 1 (Reactionary); Level 2 (Managed); Level 3 (Documented); Level 4 (Measured and Incorporated); Level 5 (Continuous Improvement). The assessment has 43 “declarations” that are answered to pinpoint where a security organization sits on the maturity continuum. The assessment is taken from a leadership point of view, with each maturity level building on the preceding one.