July 09, 2009

Training and Awareness Initiatives During Budget Reductions

Q: With massive budget reductions and travel restrictions, can you give me some pointers on how I might continue to implement training and awareness initiatives?

Whenever organizations restrict spending, alternative means of delivering work must be considered carefully. Fewer budget dollars generally mean having to eliminate or reduce projects and services. Training and awareness initiatives are often cut back, especially those with high costs. To continue to offer these programs, I would recommend conducting a simple exercise to view each program against the following criteria. First, rate how the intended program supports the company’s overall current goals. Next, rate the program against the company’s principles (such as maintaining a safe and secure workplace); and finally, rate whether the program offers value for meeting any legal or regulatory compliance requirements.

Once this is completed, the options for delivering the “vital” security employee training or awareness methodologies can be considered. These should include a logical range of options, from in-person, instructor-led training to the use of online meeting applications to facilitate training long distance. E-mail campaigns and the company Intranet may also serve as excellent sources for disseminating awareness information to employees. Whatever the delivery form, by aligning efforts to the highest needs of the organization, security programs can continue to implement training and awareness in all but the most dire business conditions.

Answer provided by Joseph C. Nelson, Security Executive Council Emeritus Faculty.

June 03, 2009

Preparing for Security Career Opportunities in the Private Sector

Q. I am ex-military. I would really like to get into private security, specifically in the area of protection more than anything else. I need to be pointed in the right direction so that I can actually apply the skills I have gained and know something about.

A. At the present time there are a number of opportunities for individuals in the area of employee or executive protection. You need to think about the following questions to help guide your path as you make plans for your future career in private security:

1. When you were in the military, what was your specialty and what branch of the service were you in?
2. How old are you now? 
3. Are you willing to work anywhere in the world?
4. How much travel are you willing to do...25%, 50%, 75%?
5. Since leaving the military what defensive/offensive martial arts skills, weapons qualifications, and evasive driving or other skills have you acquired?
6. Have you passed any evasive driving or protective detail training programs similar to those found at the following web sites: www.safehouse.com or www.rloatman.com and, if so, what was the most recent course you attended?

The above questions may seem like a lot, but in the field of executive or employee protection they are the criteria organizations look at as part of their screening process.  One of the most difficult challenges is dealing not only with the travel, but also the amount of time away from family.

As you do your research, make sure you do due diligence when checking web sites, schools, and other opportunities in this exciting field.  I would caution you NOT to send any money or subscribe to any "service" until you have checked them out and are satisfied they are legit!  In this area of employment there are lots of scams just like everywhere else. 

If you have broader interests in transitioning into the security area you may want to take a look at my new book, From One Winning Career to the Next, which deals specifically with issues moving from the public sector (law enforcement, military, or intelligence fields) to the private sector of business and service organizations.  

I hope the above helps to point you in some new and positive directions.

Answer provided by J. David Quilter, Security Executive Council Faculty Emeritus.  David’s new book, "From One Winning Career to the Next," is available for purchase at https://www.securityexecutivecouncil.com/secstore/index.php?main_page=product_info&cPath=77_65&products_id=320

May 13, 2009

Higher Education for the Next Generation Security Leader

Q. I have read the Council’s series of articles in the Knowledge Corner on the Next Generation Security Leader. The article about acquiring security training and knowledge, including academic degrees, prompted a question in my mind. I understand that experience in core programs is essential; however, I was wondering if you could give some insight into how higher education is addressing the needs of next generation security leaders.

A. There are a number of institutions of higher learning that offer undergraduate, graduate, and certificate programs in “Security Management.” Unfortunately, the current curricula in these programs tend to focus on traditional issues including personnel management, loss prevention methodology, investigations, legal aspects and liability, IT security, emergency management and terrorism. While all of these topics are important, they don’t adequately address the breadth of business competence that will be the hallmark of the next generation security leader. As recent surveys have shown, those selected for high profile security positions are increasingly coming from business backgrounds. This is in large part because CEOs, CFOs, and Boards of Directors want individuals in those positions who understand the company’s business objectives and can make risk management decisions within that context.

One of the most effective ways to protect and preserve a company’s business and reputation is to prevent bad business decisions. A security professional can add value to that process by understanding and being able to provide risk related input on issues such as product development, marketing, business development, advertising, regulation and compliance, and emerging markets. However, to be regarded as credible, the security leader must be viewed as a business professional whose risk management recommendations and actions are based on sound business judgment.

What is the role of institutions of higher learning in helping to educate future security professionals? The challenge is to evolve programs to support the changing requirements of security leadership. This means developing degree and certificate programs that include multidisciplinary content drawn from business, IT and criminal justice programs. For working professionals, this also means programs that are offered mostly or completely online. I am aware of one university that is considering such a multidisciplinary program, but it is still at least a year from being launched. Hopefully, other institutions are looking at similar programs. For now, students will have to choose elective courses within existing programs that give them the knowledge foundation they will need to be successful.

Editor’s note: See the Council’s guide, Security Training Resources, for some education and training options.

Answer provided by Dan Rattner, Security Executive Council Emeritus Faculty.

April 10, 2009

Business Continuity Plan Certification

Q. We are a medium-sized business and as such my team is having a hard time showing a cost-benefit to have our business continuity plan certified to a standard as recommended by Public Law 110-53. We are not a heavily regulated industry and to follow one of the recommended standards and go through the certification process seems like overkill. Can you give some examples of benefits to becoming certified?

A. The United States Congress made it quite clear that the program is to be voluntary and what it refers to as "market-based." Simply put, there are no clear-cut financial incentives on the front end to have a company's plans certified. However, as the concept of Enterprise Risk Management takes hold in the private sector, many believe market forces will virtually mandate certification due to pressures from Boards of Directors, the financial rating agencies, the plaintiff's bar and individual investors. Furthermore, simply going through the certification process will enhance overall business resiliency, thereby allowing an organization to recover more quickly after the inevitable crisis is past.

Answer provided by Don L. Hubbard, Security Executive Council Emeritus Faculty.

March 05, 2009

Helping Management Understand the Value of Your Security Organization

Q. I have been in charge of security for only a few years after leaving government and have no idea how to proceed in developing and presenting a plan to management.  What are some of the specific areas that I should highlight to emphasize the importance of security’s role?

A. Great question. As the person asking the question you understand the critical issue. The critical issue is, of course, creating a context or framework in which your business leaders can understand how security adds value.
 
Here are a few ideas to think about as you put your plan together.
 
How does security help the business leaders achieve the company's goals? For example: An "employees at risk program" helps protect all employees in a number of different ways. Working with the company travel department and human resources (HR), a review of all hotel properties where employees may reside while traveling should be done. This would include analyzing crime statistics, speaking with the hotel chain about security at that specific hotel, interviews with employees after trips, maintaining a travel monitoring program, providing international travelers with country warning notices twice a year and conducting educational awareness training. In very difficult markets like Mexico a company may decide to use security car services to move employees around town and from/to the airport. They may also provide an emergency hotline number to all employees in the event of an emergency. From a metrics standpoint, HR should conduct an annual employee survey to gauge feedback on the program.
 
Another example: Working with legal counsel and HR, security may want to establish a background verification process for new employees. HR should track percentages of all applications that contain inaccurate information and the attrition rate of the new hires after verification. Using this data HR can track hiring costs, employment law costs, disruptive employee costs and even training costs with the goal that these should trend down as a result of hiring the right people. If a drug testing program is set up along with the applicant verification, rates of applicants who screen positive for illegal substances should be tracked as, over time, the company may see a drop in employees with substance abuse issues because they are avoiding applying to the company.
 
These two examples are easy and almost everyone has these programs, but there are numerous other examples that can and should be used to tell the value story. Remember this is a great opportunity to add a slide that says, "if resources were available we would be doing the following to reduce risks and costs in order to better achieve our company's goals."

Answer provided by Richard Lefler, Security Executive Council Emeritus Faculty.

February 18, 2009

Developing a Security Strategic Plan

Q. I have recently been put in charge of defining the direction that security will take going forward within our company. Our group has already identified a department vision and mission.  Can you give me some pointers on developing a strategic plan and communicating it to management in a manner that shows the value that it will bring to the company?

A. First, congratulations on developing your vision and mission before tackling the task of creating a strategy. A mistake often repeated is the misunderstanding of the differences between a mission, vision, strategy, and goals. Quite simply, the strategy is the “how” or means by which you will fulfill the “what.” Goals are the measurable activities you perform to get to the end result or the “what” – your vision and mission.

Your strategy must align with your company’s form, language and values.  Take the time to get input from trusted peers who have had success in developing, gaining approval and implementing strategic plans within your organization.  There is usually a common thread amongst all companies in what they want to achieve and how they achieve it.  However, priorities and emphasis will differ depending upon the company’s overall business strategy, culture and mission.  If your management and organization is known for its fiscal strength and emphasis, then be sure to include these as key ingredients in your strategic plan.  If personal growth and responsibility are emphasized, then ensure your plan reflects this value.

Leave yourself some options. Devise and communicate your preferred plan with several different options in mind for management to consider and approve. So often there’s the temptation to believe that a plan is so great that it’s presented with only two options – take it or leave it. You are competing with other important functions for attention and resources. Your ability to plan for this and have options for management to consider gives you credibility. Your three-year strategic plan may end up taking five years to complete, but you have gained favor with key decision makers by putting yourself in their shoes and seeing the big picture. Be very clear to inform them of the risks associated with their decisions, but be ready to be a team player.

Finally, be concise in your documentation and delivery.  Choose three to four memorable cornerstones to build everything around.  For instance, my most recent strategic plan was developed around four key ideas.

1. Create security ownership at every level of the organization
2. Partner with other functions to gain traction and integration of security solutions
3. Raise security issues to appropriate levels to gain quick and decisive action
4. Create solutions that are understandable, affordable, and align with business objectives.

Developing a successful strategic plan can be challenging; however, you will be rewarded for your efforts.  It’s your group’s roadmap to success.

Answer provided by Mark Lex, Security Executive Council Emeritus Faculty.

January 05, 2009

Defining the Value of Security During the Current Economic Downturn

Q. My company has done fairly well through the growing pressures of the current economic downturn but it has been made clear that we need to be in for the long haul; management is asking us to identify prioritized targets for cost reductions.  Where should I focus my efforts?

A. Even when our mission is clearly understood and accepted, it is unrealistic to believe we will be exempted from the commitment to contribute to expense reductions. In both good and hard times we need to have data to support what we believe is valued and essential work. Good data will provide support to a business case that demonstrates which programs, if eliminated or gutted, would reduce protection below an acceptable threshold of risk. Your metrics need to support the concept that cost reduction efforts that fail to discriminate between programs that provide clear risk reduction results versus less productive activities will add to cost rather than reduce the cost of doing business.

Regardless of the state of the economy, we demonstrate value when we enable the business to do what would otherwise be too risky. Consider what programs you now have in place that clearly address the specific risks you have identified for your company while implementing a contraction strategy. Then consider how you propose to address the currently unaddressed vulnerabilities that could be exploited, including the greatest threat during this stressful time -- the disgruntled and knowledgeable insider. Working with your HR and other business unit colleagues, develop a protection strategy to mitigate potential threats based on the data you have gathered on the ability of your safeguards to detect and respond to likely risk events.

Answer provided by George Campbell, Security Executive Council Emeritus Faculty.

For more information on metrics or measures that may be applied to reliably define and communicate the value of security, visit our store at:
https://www.securityexecutivecouncil.com/secstore/index.php?main_page=product_info&cPath=77_65&products_id=180

October 27, 2008

Security Leadership Career Transition from Public to Private Sector

Q. As a retired law enforcement officer who would like to continue working for 15 more years, I am considering whether a career in corporate security would be a good option. What steps do I need to take to determine if there are enough opportunities in security to make this a good decision? Can you offer some advice on a career path for me?

A. This is "THE" question posed from law enforcement, military, intelligence and other public sector leaders to senior security leaders in the private sector and business. The opportunities for hard-working and dedicated law enforcement professionals to excel in corporate security are everywhere around the globe.  As a start here are four key questions you can ask yourself:
1. Are you flexible enough for such a career?
2. Do you want to manage or do you want to lead?
3. Do you have the stamina to meet the needs of a large or global corporation?
4. Are you a life-long learner? What is your personal work ethic and are you smart enough to know what you don't know?

Before addressing these four questions there are a few other things you need to consider and take time to ponder. First, the most important action to take is to start your quest well before any possible or expected date of departure from your current position. I consistently recommend everyone start 24 to 36 months ahead (or earlier if you can) to learn everything you can about business. A significant shortfall when moving from the public to the private sector is not having a clear understanding of the cultural and organizational dynamics of the environment in which they hope to succeed. A good way to start is to join security organizations, such as:
• ASIS International (formerly American Society for Industrial Security)
• ACFE (Association of Certified Fraud Examiners)
• CSI (Computer Security Institute)
• SEC (Security Executive Council)

You will enhance your business acumen by becoming professionally certified with credentials like a CPP (Certified Protection Professional), CFE (Certified Fraud Examiner) or CISSP (Certified Information Systems Security Professional). This is what I refer to as the academic side of a security career and is similar to going through a good law enforcement academy. When any of us came out of our basic training or academy we knew it was simply a starting platform; our real learning was going to be on the street. Real success in corporate or private security goes well beyond finding leading organizations and having the right credentials.

The key component to becoming a really successful corporate security leader comes by finding industry security mentors with proven security management, operational know-how and skills that have been honed in the business world.  Finding this person, or persons, is the equivalent of having a great FTO (field training officer), supervisor and experienced "rabbi" all rolled into one.  Having worked with and helped several "rookies" to enter corporate security and go on to grow into global security leaders themselves is really something special.  Some of them have themselves built great security teams that deliver real results to the business bottom line.  That said here are a few comments on our four questions.

1. Are you flexible enough for such a career? Just like other aspects of business, the security function may contract or expand. Everyone looks forward to the expansion, but what about the contractions? In the past five to ten years there has been a switch from hiring those with "backgrounds" in law enforcement and the military to hiring those with proven security skills and business know-how. There are exceptions, but today most businesses are not likely to hire someone right out of a law enforcement agency to be their senior security leader. In most cases you need to be willing to start off as a supervisor or manager on a corporate security team.
2. Do you want to manage or do you want to lead? Although strong management skills are necessary to be an effective public sector leader, this does not necessarily translate to success in corporate security. It is essential to determine if a business is looking for a security manager to maintain the status quo -- if that is the case, be sure to ask the question: What does managing the security function look like and what are the business’ expectations? Security leadership takes a lot of creativity and thinking outside of its traditional roles for today’s business environment; that is, are you going to help deliver positive bottom line business results? Most organizations will say they want leadership – don't be foolish and take that at face value. Have the business leaders give you examples of what they visualize as security leadership. Dig behind both their questions and, more importantly, their answers to get a better sense of the direction they foresee security being operationally productive across their enterprise.
3. Do you have the stamina to meet the needs of a large or global corporation? If you are coming from a big department or agency where you have lots of manpower and resources to attack a problem, you are likely in for a surprise, if not a shock. You have to be prepared to work 10-14 hour days and sometimes seven days a week. Starting over, you will likely be dealing with lots of tactical issues (at times it's like herding cats) and almost always without the manpower and resources you have come to expect. This is very wearing if you did not anticipate and prepare for this in advance.
4. Are you a life-long learner? What is your personal work ethic and are you smart enough to know what you don't know? Highly successful leaders in today's businesses are constantly learning. To stay current in today’s fast moving business environments, security leaders have to be learning new material at about 20 to 25% each year or they will find themselves literally obsolete in four to five years. As a senior security manager or leader, are you willing to meet that learning expectation or hopefully exceed it? Every aspect of what a security professional delivers to the business needs to be right on target. In building my teams I have always hired people smarter than me, with different skill sets than mine, and all had to have a primary focus on being a business partner (not a security geek or security “expert”). They all knew they had to be self-starters, pushing themselves intellectually and creatively to foresee and anticipate the legitimate security needs of the business. As I often say: in business it's not about security, it's about business!

The great thing is you are in control of where you spend your resources and time as you ponder the above.  You have to decide what kind of position you are seeking.  It is essential you find a level of support that is meaningful well before you begin to think about interviewing for opportunities you are seriously considering.  To cross the business world threshold without significant preparation is akin to beginning a journey to places unknown. 

The business world offers wonderful opportunities for those seeking a second career from the public sector.  This will require a lot of flexibility on your part as you transform your knowledge, skills and abilities into the marketplace of the entrepreneur. 

Answer provided by J. David Quilter, Security Executive Council Faculty Emeritus. David’s new book, "From One Winning Career to the Next," is available for purchase at https://www.securityexecutivecouncil.com/secstore/index.php?main_page=product_info&cPath=77_65&products_id=320

September 30, 2008

Enterprise-Wide Collaboration to Minimize Impact of Activist Events

Q. One of my areas of responsibility is developing an action plan for dealing with activist groups. With the intent of minimizing the risks that these groups could potentially pose with regard to disruption, can you give me some pointers on evaluating and disseminating strategies that would minimize disruption and promote a safe environment during this type of activity or event? From an information security standpoint, what are the potential risks of monitoring these groups on the Internet?

A. Consider classifying potential activists as “groups or individuals with interest.” Agendas may vary from influencing your organization to stopping it in its tracks. Tactics can range from socially acceptable civil intercourse to criminal intimidation. It is important to approach any potential contest objectively. Any issue that rises to the interest of a public forum should demonstrate principled conduct that is informed by your organizational mission and values.

Activist entities often consider themselves as “change agents.” Their appeal for an audience will cover a wide range of potential stakeholders from your customers, employees, management and the Board of Directors. Typically activists demand action based on perceived moral or ethical grounds. Demands for action, including amending or abandoning existing processes, may be outlined based on fact, misinformation or a combination of both.

Anticipate a public relations opportunity by assessing the demand with a cross-functional team comprised of communications, legal, operational and security representatives. Drafting a position document that analyzes the activist group’s request for change on merit puts management on the same page. Communications may be privileged. Risks and benefits should be surmised for options. Security's role is commonly diligence and risk mitigation.

Do Your Homework:

1. Assess the demand. Consult with law enforcement if demands are perceived as criminal threats implying harm to individuals, assets, business dependent processes or reputation. In the United States interstate restraint of trade will typically be in the domain of the Federal Bureau of Investigation. Collect all communications from or to the group or individual, including customer service contacts.

2. Assess the group. Groups and individuals that have an interest in your organization typically have a history. The Internet has a wealth of resource material from organizational and personal site listings replete with photos, friends and associates. Caution should be exercised by only employing an ethical, licensed and insured investigative entity that can gather legal information without attribution. Proprietary investigators may undertake the same objective course of action. Site interest translates to encouraging rather than discouraging interested parties. Searches of subjects including suit, arrest, disruption, protest, harassment or trespass may yield a quantity of publicly available information. Stakeholders should refrain from investigating groups or individuals of interest within the organization's IT network.

3. Attempt to follow activists’ communications and action solicitations. Action planning by adversarial groups is often a membership draw for similarly inclined individuals. Meetings sometimes outline tactics for business disruptions ranging from boycott action to pamphleteering and street theater including provocation of management representatives or law enforcement for arrest publicity.

4. Consult peer organizations and law enforcement for factual intelligence that may not be publicly available. Benchmark the experience of other organizations including best practices. Risk mitigation tactics will be formed by event history. For instance, action history may range from inundating the head office with pre-paid customer comment cards to denial of service attacks on servers and telecommunications. Operational disruptions can include impeding opening and closing offices by malicious destruction (from window smashing to graffiti message tagging and intimidation of personnel) to “street theater” that precludes service offerings.

5. Design or revisit existing countermeasures that address the known risks. Access control and exceptional suspicion or risk reporting are valuable capabilities. Increased preventive patrol by security services or local law enforcement is recommended before, during and after planned events. Public meeting precautions may include counter-surveillance and credential, bag and coat checks. Management briefs on potential conflict issues and countermeasures should include meeting decorum requirements to allow dissenters to civilly express a view, the company’s preparation to address it on point and advise the person of follow-up. Contingencies to have personnel close by to take an issue off-line, warn for trespass or lawfully remove obstructionists under the color of authority are recommended.  Public microphones and address systems should be secured to prevent misuse. First responder personnel may be pre-staged to assure medical and public safety intervention if required.

6. Apprise potentially affected personnel of threats with relevant precautionary security measures. Brief need-to-know information to stakeholders on the range of action employed by known groups. Personal and family security of key personnel including board members may be advisable with the ready availability of household information. Mail, package and service delivery security scrutiny at the office and home may be required with the usual access control capabilities. Protective personnel for public engagements may be considered to ensure uninterrupted transportation and avoidance of public embarrassment or injury. Coordinate public and private investigative resources and countermeasures that will document any criminal action for prosecutorial accountability.

7. Don't assume that groups or individuals with interest are unsupported by your stakeholders. Adversaries of record may also be your shareholders. Inaction for responding to unreasonable demands may allow groups with interest to frame the issue. Interests from animal welfare to environmental and other perceived social responsibilities may be shared by clients, employees and other stakeholders. Relevant communications must be above board, factual and tempered for unintended disclosure to the public. Authorized use and dissemination of information should be clearly embedded in policy with known accountabilities for violations.

8. Do not act unilaterally without cross-functional consultation. Ethical organizations cannot afford the appearance of an overzealous security group. Your service level agreement should automatically enable precautionary diligence and security risk mitigation reminders that reasonably protect people, assets and dependent processes.

Bottom line, coming together before an event to identify roles and responsibilities will serve your organization well.

Answer provided by Francis D’Addario, Security Executive Council Member Board of Advisors.  Sign up for notification when his new book, "Not A Moment To Lose... Influencing Global Security One Community at a Time," is available to purchase at https://www.securityexecutivecouncil.com/sec/fdbook/

July 31, 2008

Who Should Security Executives Report to?

Over the past several years, I’ve had the opportunity to observe various companies approach the considerations in hiring a Chief Security Officer. If you were a fly on the wall when top management is considering upgrading their security program, it’s possible the conversation might go something like this. At the end, we would appreciate your feedback -- who should the CSO report to?

The company and the names in this debate are purely fictitious but based on real experiences.  Assume the company is a large-cap publicly traded Fortune 250, in a business where sensitive customer data is processed; they are extensively outsourcing non-core business processes and their Board of Directors is concerned about the unaddressed risks in the security program.
_______________________________________________________________
 
The COO walks into the CEO’s office for their weekly lunch meeting, and the first thing out of the CEO’s mouth is “So, I’ve considered it and I’m convinced that we need to significantly upgrade our security program.  How would you propose we proceed to fill its leadership?”

COO: “I anticipated your buy-in and I think we should let Marilyn (SVP Human Resources) and Bill (Chief Information Officer) provide us with their rationale for having this responsibility in their portfolio. They both have some real skin in this game.”

CEO: “Why not you?”

COO: “I’ve already got too much on my plate with our international initiatives.  Marilyn and Bill are both on the Executive Committee and I think either of these elevates security closer to you and the Board.”

CEO:  “The Board and the Audit Committee have made their concerns very clear on our current shortcomings with regard to a variety of security issues.  What we have to resolve between these two is whether this job is going to have real access and be more fundamental to our global risk management strategy or is it more of a day-to-day tactical job?”

COO: “I agree.  Based on our audit reports over the last several quarters coupled with our global initiatives, there’s just too much going on in the security-related area of risk that we don’t know and that makes me nervous.  Let’s get somebody in that job that can really scope out our security risks and get the business unit managers on board with solutions.”

CEO:  “Set up a meeting for you and me with these two and let’s see who has the best vision for this function.”

The COO calls Marilyn, the SVP of HR, and Bill, the CIO, and lays out the challenge:  “We are moving ahead with a more senior hire for Corporate Security.  We think this involves moving the current function out of Facilities and into either of your portfolios to give it greater visibility and reach.  Prepare your position descriptions and we will meet with the CEO late next week.”

At the appointed hour, Marilyn and Bill enter the boardroom.  The CEO welcomes them and says “I’ve taken the liberty of asking our Chief Counsel to join us as I think there may be a number of issues of concern to him in this position. Marilyn, why don’t you start?”

HR: “I see security as a support function to the business, perhaps even decentralized across our business functions. Anyone who approaches this job as the be-all and end-all of security misses the point that every manager in this company has an obligation to protect our shareholders and our assets.  While it’s clear that this position requires a leader who understands risk, I think a critical success factor will be their ability as a relationship manager, somebody who can build trust so that our business unit managers will come to him or her with their issues before they boil over. At the end of the day, that approach is at the core of HR’s service focus.”

CIO:  “I think Marilyn is right about this position focusing on the business units. Our whole IT strategy is built around the notion of us providing security policy that holds every employee accountable for protecting our infrastructure and our private data. At the corporate level, we provide the tools and the intellectual leadership to a cadre of trained information security specialists in every business function.  The same philosophy is applied in our business continuity program, which resides in my office.  Facilities already provides an in-depth physical security program around our data centers and other critical spaces that IT has mandated, and much of our emphasis there has been on technology rather than guards.  It seems to me it would be relatively simple to add a few complementary programs to what we already have and limit our costs.”

HR: “I’d be interested in hearing what our Chief Counsel has to say about the services and competencies this position has to bring to the table.”

Chief Counsel: “Look at the expanded job description for a Chief Security Officer that has emerged since 9/11: internal and external investigations, threat analysis, intelligence, physical security, personnel security, information protection, emergency preparedness and response management. I’d add to that a global network of contacts, a far more comprehensive background vetting program and significantly greater risk assessment around our expanding domestic and global business partners.”

CEO: “That sounds significantly broader than what each of you are talking about.  How would you approach these capabilities?”

HR: “Our HR Employee Relations team is highly competent in fact finding around allegations of misconduct and we’ve contracted for a confidential hotline to comply with new regulations.  Moreover, we have very few reported instances of internal misconduct. I would assume we would continue to use outside contractors for fraud investigations. We seem to be in line with our peers on just vetting a select few in management and risk prone positions.”

COO: “Marilyn, you are the employees’ advocate.  And Bill, your people are highly limited in non-technical or operational security issues.  It doesn’t seem to me that either of your teams is trained to comprehensively probe suspected instances of employee fraud or trade secret theft.  These have potentially serious consequences for the company.”

CIO: “With all respect, having HR responsible for background and internal investigations presents a potential conflict of interest in my view. We are increasingly empowering a broader and deeper base of employees and contractors with sensitive logical and physical access.  I think expanding both our background vetting and security-related due diligence makes a lot of sense.  I’d look for a highly qualified security generalist to manage much of the work Counsel has outlined.  A properly staffed security team, backed by a clear set of policy expectations and a mandate to work collaboratively with their HR and business colleagues and business managers is the course I’d take in this initiative.”

HR: “Bill has mentioned ‘policy’ twice.  The culture we have here does not respond well to policies and an appearance of a control-centered enforcement philosophy. IT is wholly focused on technical risk and many of the issues Counsel refers to are human threats which require a totally different mind set on internal controls.  He speaks of a concern for having certain security programs in HR while at the same time his CISO lives within the IT department!  I do agree with Bill on hiring a highly qualified security generalist but I’d focus the search on someone with several years of corporate experience rather than the law enforcement backgrounds that seem to be prevalent in the field.  Finally, I think it’s important to note HR’s record on the application of best practices. I’d bring that sort of leadership to the development of best practices in security risk management.”

CEO: “You both seem to feel that this is a take-it-or-leave-it choice, that somehow your leadership and unique environments will result in a better security program.  Fair enough. Both HR and IT bring assets and liabilities to the table. But I’m concerned that neither of you has spoken about the range of threats confronting the company as we adapt to our markets and competition. What sort of security leadership competencies and experience will add value in those critical areas?”

COO: “I share our CEO’s concerns.  I think it underscores the need for this individual’s ability to connect the dots, to see across the interdependencies and seek out the weaknesses in our internal controls.  Many of those controls are either owned or heavily influenced by your organizations.”

CIO: “As we have gone around the table, I have to admit that I’m coming to the conclusion that this function should be independent.  What about you, Marilyn?”

HR: “I’d share that with the assurance that this job be filled by a proven professional who can develop respect for the function and influence our managers on stewardship and commitment to doing the right thing.”

CIO: “I’d echo that with the suggestion that we form some sort of multi-disciplinary security committee chaired by security.  It seems to me that this would provide some assurance that we are all working on the same agenda with regard to risk management.”

CEO: “How would Counsel summarize this debate?”

Chief Counsel: “I agree. I would also add that we need to bring Facilities into the solution inasmuch as the physical security elements are key to an integrated corporate security program.  I think we all accept the need for a Chief Security Officer position.  The question on the table now is to whom should this CSO position report?”

COO:  “Right, and what functions should report to the CSO?”

_______________________________________________________________

What do you think? We encourage readers of Faculty Advisor to send their feedback.

Food for thought:

What important points on their behalf did either HR or IT fail to make?
Are there any important competencies for this position that were not mentioned?
Would you recommend that the information security program remain under the CIO or should it be converged within the new security department?
If you were the CEO, what was the most compelling point to influence your decision?

To whom do you think the security executive position should report and why?
• Admin
• Executive
• Facilities / Real Estate
• Finance
• HR
• Info / IT / Technology
• Legal
• Shared Services
• Other

Scenario compiled and written by George Campbell, Security Executive Council Emeritus Faculty


Copyright 2007-2008 Security Executive Council