The International Security Ligue convened a focus group of Chief Security Officers and leading industry voices, primarily from the U.S., Canada, and Australia. These executives offered some valuable tips, a few words of warning, and some simple actions that said made a world of difference. Because smart security solutions are typically industry- and risk-specific, we’ve concentrated on management tips that are more universally applicable.
These leaders offered thoughts on…
…elevating security department prestige. “There has probably never been a time when security has been more important to the business but [as an industry] we’re not doing a great job communicating,” said one leader. “C-Level executives are confused by us, our message is cloudy, confusing, and they don’t see us as coming in to solve their problems.” The advice: Sharpen communication with management. Time with senior leaders is precious so make it count, by focusing on making clear points and focusing on providing the information that company leaders will need to make decisions.
…keeping security operations aligned with risk. The CSO of a global tech company said security operations need to focus on being more agile, warning that it’s imperative in light of how fast threats are evolving and how quickly business is changing. How do you do it? Cultivate connections within your company that will allow you to get things done more quickly. “You need to establish touch points with all the people in your business that you need to get things done so you can move more quickly.” Another leader said security executives must regularly re-examine the big forces that shape security risk. “We spend a lot of time on where we’re going. Before, we spent way too much time being tactical and not enough time being strategic,” he said.
You need to establish touch points with all the people in your business that you need to get things done so you can move more quickly. — Technology Company Chief Security Officer
…adding relevance to the business. More than ever, security leaders are expected to understand and demonstrate an ability to discuss subjects that have only indirect ties to security, such as business and trends, economics, geopolitics, organizational design, and technology. Warned one security thought leader, “A good security professional stays current on more topics than just security.”
…using vocabulary that carries added weight. Security directors shouldn’t talk “security” with the Board, said a CSO in the hospitality industry. "Instead of 'security speak', relate everything to others in business terms.” Frame security as an element of operational business risk, since that’s something management understands, he suggested. Another CSO advised security directors to 'keep it big picture' when communicating about security threats. “The C-Suite doesn’t want to know about threats; they want to know about the risk of the threat.”
…ensuring numbers tell the true story. The director of security at an engineering firm warned against letting dashboard metrics like “Number of Incidents in Building A” speak for themselves. “That particular metric can turn around and bite you when it’s actually a good thing.” For example, if the security department undertakes an effort to raise awareness among “Building A” employees to report hazards such as wet floors or propped open doors, then the number of reported incidents should increase, a reflection that the training was effective. However, if such incident numbers are simply reported to management as a standalone key performance indicator (KPI), the only conclusion they will draw is that there is a troubling rise in safety and security hazards. “Don’t get in the habit of using number of incidents as your KPI,” he suggested. “You need to provide context.” In this case, for example, incidents numbers should be used as a measure of the effectiveness of awareness training, by comparing incident numbers pre- and post-training against incident numbers in other buildings where awareness education hasn’t been conducted.
‘Smartest Thing I’ve Ever Done’
As part of discussions, several security leaders shared a simple action they’ve taken during their career that had outsized results.
‘Got security to be included in on-boarding of new vice-presidents.’ In an effort to improve awareness of security’s true role in the company, “I reached out and successfully got the mandate to give a briefing on security to every new corporate vice-president that comes into the company. Many people think of security as only the uniformed officers and the people patrolling the campus. That’s a vital part of security but it’s not the only part of security.” A necessary precursor to getting the value of security department recognized is getting company leaders to understand what security does.
‘Resist the inclination to present a fully developed plan.’ One security consultant shared her history of having worthy projects rejected by senior management because “too often, I’d show up with the complete proposal in hand, with all the work already done.” But that doesn’t work, she said, because senior management loves to tinker. “I learned that if you haven’t given them a chance to shape the idea, you’ll get a ‘no.’” Now, she recommends socializing ideas with stakeholders and conducting analysis to “examine who wins, who loses, and who cares.” Then, conduct early discussions with promising supporters to give them a chance to offer input and or shape the project. “Go in and say, ‘I got this idea, and want to get your thoughts and ideas.’” Socializing a project in this way builds support and shifts the focus away from whether the project is a good idea (you secure agreement on that) and put the focus on whether it can be effectively implemented.
I learned that if you haven’t given them a chance to shape the idea, you’ll get a ‘no.’ — University Professor and Security Consultant
'Held tabletop exercises so management could appreciate how they can best help in a crisis.' It is common for previously disengaged CEOs to abruptly take charge during an emergency, noted one industry leader. “You have the team, you train, you got the plan, you’re a smooth-running machine, and then the real crisis hits and the CEO, who hasn’t been paying any attention at all, takes over and screws everything up.” To prevent this too-common phenomenon, he worked with senior leaders on establishing what their real role is in an emergency. “You want senior management to know at what point they want to be involved and at what point it is below their threshold to get involved. You don’t want the CEO driving the fire truck.” Holding tabletop exercises subtly helped them appreciate it and showed them that they have a high-level role to play in managing major crisis events in which core assets are threatened rather than an operational role in smaller crisis. “If it is a part of planning, and stems from decisions they’ve made, it becomes less likely that will feel the pull to take over during an emergency and ‘screw things up,’” he said.
'Asked the CEO to wear his security ID during a company address.' Requiring identification badges and employees wearing them aren’t always synonymous—and if you’re having trouble with ID badge compliance, you likely have a security culture problem, according to the head of security for a large pharmaceutical firm. He said he stumbled into a quick culture change when he asked the CEO to clip on his identification badge before a staff-wide address. “Something as simple and easy as that can help,” he said. The CSO for a research lab told a similar story, asking his CEO to write a short statement about the importance of security that trainers now read before employee security training. “It can be very short, just something that says, “This is important to our organization, listen to what they have to say, and I expect you to follow the rules.’” Ever since, he says he gets more bang for his buck from security education initiatives.