Wanted: A New Type of Security Leader
Created by Bob Hayes, Managing Director, Security Executive Council (SEC); Kathleen Kotwica, PhD, EVP and Chief Knowledge Strategist, SEC; and Francis D'Addario, SEC emeritus faculty and former VP, Partner and Asset Protection, Starbucks Coffee
How Corporate Security Executives Have Evolved
The evolution of corporate security to its place as a board-level consideration has had a somewhat segmented and utilitarian trajectory over the past 60 years, with each decade being marked by an emphasis on a different aspect or approach.
As the security industry passed through each phase, senior management looked at security in a singular manner, often defined by the most recent security situation they had to deal with. If an organization had a loss of life on an international business trip, it became the focus.
As the internal security focus would shift based on one of these incidents, senior management felt they must go outside the organization to acquire talent with this new required skill set, instead of realizing they had it internally. As a consequence, security professionals also began to view their profession through silos, and as one set of requirements gave way to another set, security professionals found themselves defending their skill set, as opposed to going out and acquiring new ones.
Security practitioners that happen to have business-side experience will find themselves better prepared to thrive in this demanding environment, and those that do not possess a business background will need to bridge the gap in the following several core areas if they hope to be successful.
Dealing with Upper Management
Security has really never been viewed or taught from the P-side of a P&L. It’s critical that security leaders not only understand what the organization's security needs are, but also be able to articulate the value of these security services and programs to an organization’s bottom line or prove that their programs are cost neutral. Developing this set of specialized information, resources, and expertise is an imperative that has the potential to be game changing.
For security and business to be a truly unified discipline, there needs to be a common and shared language for defining risk and mitigation and for articulating the success (or failure) points for any given initiative. This common language needs to be accessible and inclusive to all units within an organization, including executives, HR, Legal, Finance, and Security.
Additionally, today's security executive needs to be committed to communicating their plans as part of SEC 10K statements and then actively work to achieve that alignment. Private companies that don't need to file 10K statements should also be committed to communicating their perceived risk to their board and implementing a unified mitigation strategy. This requirement has all parts of the business ramping up their security efforts. The message here: If you're a security executive who's approached senior management in the past (perhaps unsuccessfully) about a unified approach to enterprise risk management, go back and try again; they're more likely to listen at this point.
Matching Security with Company Culture
Today's security leaders need to attend to their organization's "state of readiness" for their proposed programs. That is, does senior management view security the same way as the security practitioner? If not, there will likely be misunderstandings that prevent the most successful partnership involving security programs. Security leaders also need to be attuned to corporate culture. The Council has done research in this area and has found different categories of corporate cultures that will have an impact on how programs need to be built and communicated. For example:
New Blood and Heightened Awareness
With the first group of baby-boomers reaching retirement age in 2011, we stand at a defining chapter for our industry. While the workforce will contract, the risks to be mitigated will continue to escalate. And escalation brings awareness, which is evidenced by the fact that the business trade magazines are writing about it, there are events around it, and laws are being passed about it. However, while there is much coverage of risk in business, it's usually from the views of specific business functions; no one is talking about how we are going to all play together to make this unified vision of risk management happen.
A heightened state of awareness and attention to board-level risk can certainly lead to positive things, assuming the right people are in place leading the effort. We as industry practitioners must take an active part in providing current and emerging business leaders with tested and validated security best practices presented in a business management context. We must also seek to partner with other entities and industries, including higher education, to develop highly specialized, comprehensive, security/business curricula.
Six Best Practices of Today’s Security Leader
Our research shows the most successful practices are rooted in risk theory and business processes, focused on application and value contribution, to arm security managers and other risk mitigation managers with the business leadership acumen necessary to propel them and their organizations to the next level of strategic performance. These best practices fall into six core areas:
1. Aligning board-level risk and mitigation strategies
Managing brand reputation requires cross-functional risk mitigation oversight for people, assets and critical processes, including board-level risk and unified protection business-unit considerations for relevant assessment and mitigation strategies.
2. Communicating all-hazards risk, mitigation, and performance metrics
Boards, management teams, and stakeholders increasingly make critical decisions based on a host of divergent data, spreadsheets, graphs and analysis. Effective, actionable risk management requires discipline. Understanding data to identify risks and tell a compelling story of injury, loss, damage and cost avoidance is our objective.
3. Run security as a business
Practitioners must remember they are "selling" their services and programs: you need to know the marketplace, your customers, program capacity and value. Our research shows there is no one common type or even universal “best” security model – you have to do the business research to make the best decisions.
4. Influencing community all-hazard preparedness and resilience
Catastrophic, man-made and natural risks continue to threaten organizations and communities. Incident, crisis and continuity management are increasingly important. Practitioners need to be aware of the latest global requirements for preparedness compliance, as well as the means to protect brand with alliances.
5. Adding incremental value with mission assurance and P&L performance
Board-level risk mitigation is no longer just consequence protection. Business acumen quantitatively and qualitatively enables a path to value. Practitioners should be versed on connecting revenue influencing and cost avoidance for return-on-investment and operating results.
6. Managing information protection, breaches and situational intelligence
Brand stakeholders require confidence. Information ranging from intellectual property assets to personal identifiers must be protected from persistent physical and cyber threats. Practitioners need to road-map protection architecture and manage information crises.
Additional areas the Council has identified through its research include: managing extreme risks; evolving operational excellence; assessing next generation executive(s) and service organization(s); achieving all-hazard preparedness for resilience; compounding value beyond mission; and managing uncertainty for confidence.
Embracing and building corporate security programs around these core areas is not only critical for security executives working today, but also for the emerging leaders of tomorrow. Providing this type of security business education to tomorrow's leaders before they hit the workforce has huge implications for our industry's ability to continue to respond and remain current with corporate risk.
It will be up to the next generation of security leaders to seize upon the opportunities facing them, the industry, and the organizations they work for. Unified risk oversight is not only a practitioner concern or a senior management concern; it's an enterprise-wide concern impacting all levels and units within an organization. There's no single point of failure – there are lots of players and moving parts.
Who will lead the effort? The answer is, it will take a new type of security leader.
For more information on this topic see Security Leader: Next Generation Security Leader
Copyright Security Executive Council. Last Updated: July 30, 2018