Security’s Success is About the Business

In today’s down-sized, right-sized and outsourced business operations, I understand as the security director that true business acumen is very important to success as a security leader. How can I make the security department better known to the rest of the organization?

Business acumen is an essential element for not only the security leader but for everyone on the security team to continually learn about.  One of the first things effective security leaders focus on is ensuring every member of the team has a detailed understanding of both the business’ operating goals and plans and is constantly developing personal business relationships throughout the company. 

Successful security professionals know their role is just as much about knowing the business as it is about having cutting-edge security skills.  If there is a lack of knowledge about what a business does or what goes on throughout the business, then the value and effectiveness of security has been limited.  Learning the business is a constant challenge because businesses today are always changing, growing, and moving into new product lines, markets and environments. 

All this is nice to say, but how do you do it? 

Focus has to be on building business relationships with your leaders.  If there’s a choice between attending a security meeting or a business meeting always attend the business meeting; not necessarily to participate, but to listen, to learn about what goes on and why.  Being present includes coffee breaks, lunches, dinners, and team building activities.  Why is this so important?  Guess what - if they don’t know you - they don’t trust you!  Think about it; good relationships build trust.  If this is not what your group is doing then your “security program” will remain on the shelf. Avoid being viewed as the corporate-cop by building proactive business relationships that leverage your security skills.

There is nothing more exciting than having the privilege of systemically changing the security environment at a company; I know I helped do it at four Fortune 500 companies.  If you remember anything remember this:  It’s not about security -- it's about business! 

Answer provided by J. David Quilter, Security Executive Council Emeritus Faculty member.  

Communicating Risk Avoidance to Management

Q. How can I maintain management’s attention to the risk that hasn’t happened yet without becoming the "Chicken Little" of the corporate governance team?

A. Typically, most successful Chief Security Officers are also good communicators, and this is a classic opportunity to educate management on a variety of perspectives.  First, as security manager you know the kinds of conditions that contribute to risk and loss and the trends in your industry or area.  If you are probing and identifying exploitable vulnerabilities around critical assets and processes, you have a great script to bring to that discussion with management. Your findings will either support the effectiveness of existing internal controls or identify gaps and defects that your probes will have caused to be eliminated.  In both cases, you can talk about deterrence and measurable risk avoidance. 

Secondly, we have a unique lens to view trends and conditions that foretell risk – leading indicators – and just as the Chief Financial Officer will use their dashboard to guide the business, we also can provide a variety of alerts to steer strategy and alter risky behavior. 

The message need not be about the sky falling but rather should be about the fact that you are aware of what security measures work really well to detect and prevent risk events and that you know what preventive measures need to be implemented.  Maintaining these risk mitigation strategies at a high degree of collective competence will consistently demonstrate that you are avoiding many of the risks other companies are experiencing and what is happening elsewhere is not necessarily happening here.

For more information read:
Metrics for Success: Leading Indicators
Metrics for Success: Tracking Leading and Lagging Indicators
Metrics for Success: Create a Security Awareness Dashboard  

Answer provided by George Campbell Security Executive Council Leadership Faculty.

The Next Generation Security Leader

Q. I’ve been at a manager level for a while now and I want to get to the next level. My boss is great but she is busy and doesn’t have time to coach me. What’s my best plan of attack?

A. 12 Steps to Leadership Promotion

1. Act like a leader. Coaching, managing and influencing should go up, down and laterally for maximum benefit. I recently heard one of the world’s most respected security leaders explain that he was “coached up” by a respected subordinate. Your service level agreement to excel should include an agreed developmental plan. If that is not in the cards presently, look elsewhere…but don’t abandon ship without a plan.

2. Anticipate your manager’s needs and their manager’s needs in context. What is their preferred method of communication? Ask. In person, voice, e-mail and text messaging all have adherents. Most of us demonstrate a learning bias. Some are visual. Others like to listen. A few of us may still need to read and re-read for comprehension. I personally benefit from tight blended media with a bulleted executive overview. Trusted administrative support personnel and lieutenants know these preferences. Get to know them. Let them know your intention to be a better helper.

3. Support your organizational culture, values and mission...and enable them. Delivering options relevantly, within the strategic plan, differentiates highly successful leaders. Your 10K acumen should be a given in a publically traded organization. Search online for the 10K for of your favorite company if you are not in the private sector. The discussion of global risk can be a north star for aligned mitigation planning and executive leadership engagement.

4. Start with board-level risk and unified protection. When stakeholders realize you think strategically, and are collaboratively helping them to design risk mitigation for the most consequential people, process and asset risks,  your value perception grows.

5. Help build cross-functional programs, not territory. Unified risk protection requires collective knowledge, resource and will. Our ability to influence peer risk mitigation groups before, during and after a critical incident is consequential to collective performance.

6. Tell, show, do, and measure. Differentiate with metrics and operational excellence. Early anomaly detection and response for evolving risk is not likely without having a data centric view of your landscape. Expectations must be shared solution providers and services. Program and personnel development investment and re-investment are unlikely without the persuasive business case or ROI story.

7. Communicate persuasively without hyperbole or exclamation marks. Share your data. Take the emotion out and build in confidence. Resist promoting a critical event to a crisis if it is not absolutely necessary. Frame your answers in the form of questions. Probe. Begin with YES and qualify responsibly. Credit and promote others whenever possible and be accountable for shortfalls.

8. Understand the duties and differences of a First Responder and a Valued Partner. Take care of yourself so that you can care for others. Develop your replacement. Mentor. Force multiply. Look for a manager that cares about you. Know your monetized net contribution and teach others how to calculate theirs.

9. Be prepared to move or accept a new assignment.

10. If you have not done so, explore your options as a Next Generation Security Leader.

11. If you are already on the path, look for Advanced Next Generation Security Leader and join us at the University of South Carolina in the spring of 2013.TBD

12. If we can help you personally, be a squeaky wheel. If you can improve our collective thinking,contact me at: contact@secleader.com

Additional Resources to Consider:

Board Level Risk Differentiating with Metrics Cross-functional Programs

Differentiating with Metrics

Cross-Functional Programs

Communicating the Persuasive Case

Acting Like a Leader

Anticipating Your Manager's Needs and Their Manager's Needs

 

Answer provided by Francis D'Addario, Security Executive Council Emeritus Faculty member.

 

Tis the Season - Compliant Gifting

Q. The holiday season always brings with it the well-intended holiday gifts to our employees and, in some cases, to our clients, vendors and suppliers.  How do I address the appropriateness and potential abuse of these gifts without being viewed as Scrooge?

A. The answer to this question lies within your company culture and policies, industry regulations and governmental laws, e.g., the Foreign Corrupt Practices Act (FCPA), which impacts the way U.S. companies do business at home and abroad by ensuring that proper controls are in place to address potential bribery and unfair business practices. If your company is based and/or operates internationally, other governmental regulations may apply.   Ensure you have a company policy that is supported by HR, Business Operations, Security, and Legal for guidance and support.  Regardless of what rules govern your company, there are some things you can do help ensure compliance while supporting the spirit of giving. Your Code of Business Conduct or Rules of Conduct should serve as good resources for most of the questions that will arise.

Consider the following:

Be sure to take the time to inform your employees of the dos and don’ts of gift receiving and giving.  Use your company intranet and/or newsletter to help explain why compliance is so important. Give them direction on where and how to address any conflicts that may arise, Be preemptive and send your vendors and suppliers (in some cases your clients) a company approved letter stating your company’s position as it relates to the giving and receiving of gifts. Be sure to provide them an unbiased vehicle to address their questions or concerns. 

Be prepared to consistently address the questions that are most common; such as:  Is it okay to send and/or accept special occasion (holiday, birthday or anniversary) cards? How about trinkets (pens, mugs, notebooks)?  Can I receive or give lunch from or to a vendor or client?  Is it acceptable to take my client out for dinner; can I invite the spouse, what if I include some entertainment?  How about if I sponsor a party for my largest client or if I throw a party for all my clients?  What if one of my vendors offers to sponsor a party or event for me and/or my staff?  The questions and answers go on and many are dependent upon your business type and governing rules. 

So what to do if after all this, someone still receives a work related gift?  Take the time to develop and have a process in place to address these situations.  Make it easy for your employees to be compliant.  Arrange for a process to return gifts to the giver to include shipping and an approved letter from the company explaining the process and thanking them for their thoughtfulness and understanding.  Make arrangements with local charities to pick up gifts that are not within guidelines and are not amenable to return (for example, food); be sure to send a company approved letter to the giver.

Enforcement of rules is tough enough without dissention in the ranks because of perceived or real inconsistencies in rule application.  While there will always be special circumstances, do your best to apply consistency.  Thank all those who come forward and make the effort to be compliant.

Answer provided by Ken Kasten, Security Executive Council Emeritus Faculty member.

 

Corporate Security Strategic Planning

Q. My company has a strategic plan process that lasts about two weeks every other year. However, it doesn’t translate to developing a real useable plan for corporate security. Do you have any ideas on creating one that does not involve a huge extra amount of time?

A. Strategic planning determines where an organization is going over the next several years, how it’s going to get there and how it will know if it arrived or not.  For the corporate security (CS) organization to be fully effective and proactively support the overall goals of the company, its goals and objectives must be reflective of and inextricably interwoven with the company’s goals.  As you’ve seen, this is not always easily achieved but it is possible, and it is imperative.  Without this meshing of goals corporate security could easily find itself marching happily along but failing to deliver the level or type of security the company needs.

The first step in developing a CS strategic plan that mirrors the company plan is to fully understand the company plan.  For example, if one aspect of the company’s strategic plan is to reduce total delivered product costs, what exactly does that mean?  Does company management feel they are bleeding dollars in the product supply area of their operations and it needs to be tightened?  This may not immediately feel like a corporate security problem, but it does present an opportunity for the CS strategic plan.  Perhaps the CS plan can include enhancing or instituting a process for reducing theft in transit.  Or initiating a more collaborative alignment with transportation companies to reduce losses is in orders.  Maybe deploying a stronger, more efficient physical security review of distribution centers will reduce losses, and as a result, contribute to the company’s strategic plan to reduce total delivered costs.  Above all, don’t assume because the company’s strategic plan doesn’t seem to speak to security issues that there is nothing on which to build a sustainable, actionable corporate security strategic plan. 

There should always be a substantive and vibrant relationship between corporate security and corporate management both at the senior manager, strategic level and with line management tasked with carrying out the strategic direction of leadership.  Without these relationships, (which should be nourished by regular meetings and mutual understanding of priorities), corporate security will be incapable of achieving the needs of the business as they will be unaware of what the needs truly are. 

In addition, these relationships provide corporate management with a clearer understanding of what CS does and, more importantly, how corporate security brings value and adds to the bottom line; in contrast to a drain on resources and performing work that is often difficult to measure in terms understood by business leaders.  If such relationships don’t currently exist in your company, make them happen.  Get time on the calendar of senior corporate leaders, and be prepared to “sell your case” in five minutes or less as you may not get much time until relationships are established.  Explain to senior managers and line managers that CS exists to meet the security needs of the business and that a greater understanding of the business means more efficient, effective, and appropriately directed security services.  Don’t be afraid to say you are not certain how, for example, the company’s coupon redemption process operates. 

Once you have this information, you can design security processes to reduce losses in a specific area.  Ask open questions that elicit explanations, noting that you intend to develop corporate security’s strategic plan to mirror the corporate plan.  In time your meetings will become expected by senior managers and they will begin to invite corporate security to the table earlier in the strategic planning process.  A word of caution:  Never approach senior corporate managers from the perspective of “We’re Corporate Security -  what do you want us to do? What can we do for you?”  You are quite likely to get a response that sounds like “How should I know?  That’s what I pay you for!”  Instead, be confident that you are the security expert, you know what the best strategic approach for security is; you just want to ensure you fully understand all aspects of the business so you can design the most effective and efficient strategic plan possible for security.

Answer provided by Walter Clements, Associate Director, Global Security, Procter & Gamble.

What is the Impact of Product Loss?

Q. What does it really cost when you have a product attack?

A. It is difficult to determine precisely what it costs a company when a counterfeit product is found in the market, when grey market goods appear, or when intellectual property is stolen or infringed upon. What can be identified are the categories of issues that arise from each type of attack and what the financial impact of each one of them is most likely to be for the company. These impacts include direct financial loss associated with products near term and long terms revenues, indirect losses such as customer loyalty, brand reputation and internal costs associated with managing the incident. All of these costs need to be aggregated to accurately estimate the true impact on company profitability.

Direct Loss
The direct losses include: lower than anticipated revenues or margins from grey market products, copy products being introduced from stolen or infringed technology or counterfeit products flooding a market lowering sales of legitimate ones. Each of these attacks can be quantified and associated with a specific product attack to calculate the loss.

Indirect Loss
A more complicated but manageable calculation is determining the value of a loss in brand reputation when counterfeit goods are sold in a market. If brand reputation has already been valued then a diminution in it can be calculated.  The same holds true for consumer loyalty. If an index of consumer loyalty has been previously calculated, any lowering from a product attack, recall or negative press can likewise be determined and quantified financially. Costs associated with public and press relations, legal advice, and investigative costs needs to be collected as well.

Calculating indirect loss becomes more complicated (but doable) when theft of intellectual property is involved and variables include market share loss, reduced anticipated revenue and market leadership reduction.

Internal Costs
Personnel and out-of-pocket costs for management time, legal involvement, brand management and product protection to manage the effects of a single product attack must be collected. Changes to product design, packaging, supply chain and manufacturing controls all need to be identified, calculated and included in making the final loss determination.

Once all these factors have been identified for the loss the true impact of a single attack will be evident. It will be far more than “it’s just another counterfeit product” that was found in the market.

Let’s hope that magnitude of the true cost of a single product attack will force executive management action to prevent it from even occurring.

Answer provided by Richard Post, Ph.D., CPP, Security Executive Council Emeritus Faculty member and leader of Brand Integrity Working Group.

How Some Organizations Approach Information Assurance

Q. Have you observed any changes or shifts in the way leading organizations are approaching IT and information assurance?

A. Most would agree that information systems and information technology are critical elements of most organizations’ infrastructure and that the security of the information and technology assets are critically important. Many have recognized that good governance is the most effective way to effect change in an organization. By governance we mean the policy environment, the placement and organization of the human resources needed to manage the information security function, and executive oversight of security operations. It is the responsibility of senior management to implement governance options that assure the secure use and operation of information assets, although this is often relegated to IT staff.

A shift we have seen is a wider acceptance of the need for formal governance in the security functions across a broader range of organizations. In the past, larger organizations were more likely to adopt formal governance solutions. Now, many small and medium sized organizations are taking the time and effort as well as financial resources needed to make information security governance an effective control mechanism.

The primary objective of governance can be achieved when the members of an organization know what to do, how it should be done, who should do it, and executive management ensures that it gets done. It is incumbent on everyone in the areas of information security, information systems, and risk management to understand the critical nature of effective governance and how it applies to protecting information assets.

The Corporate Governance Task Force at the IT Governance Institute has prepared a report titled Guidance for Boards of Directors and Executive Management, which is in its second edition. This report, available at www.itgi.org, can help communicate the responsibility of the senior executives and Board-level decision makers. The organization also offers advice to security managers in the companion report, Information Security Governance: Guidance for Information Security Managers. Taken together, these documents outline the recommended approach for governance in many types and sizes of organizations.

Answer provided by Herbert J. Mattord, Content Faculty Expert: Information Security and Assurance, Security Executive Council; and Dr. Mike Whitman, Professor of Information Security and Director, KSU Center for Information Security Education at the Michael J. Coles College of Business.

 

Getting Beyond Guards and Gates

Q: My security team and I have so much to offer our company, but I can’t seem to get my management to give me the opportunity to show what we can bring to the table.  Any ideas or advice on how to advance my security program beyond “guards and gates?”

A: First, let me say if it’s guards and gates they want, then be sure to deliver beyond expectations. All too often, in the hurry to get a chair at the big table it is forgotten why one may have been hired in the first place.  While it may not be perceived to be as glamorous as some of the other components of a successful corporate security program, do not minimize the importance of a solid program foundation and how guards and gates not only support the efforts of those more glamorous components but are often the pillars that hold everything up. 

Consider these questions.  Who in your security organization interfaces with your employee population more than your guard’s?  What more than gates, fences and doors form the first line of defense to your facilities, assets and personnel?   Who operates all those glamorous high tech Security Operations Centers?  Who responds to emergency and life threatening situations? Who responds to the request for assistance when the office door won’t work? Who is there when that long dark walk to the car is made a little easier with a friendly escort?  Who is often the first person a visitor or a perspective client interacts with upon arrival, providing that everlasting initial impression?  Who helps the lost child when he or she can’t remember what floor dad’s office is on during “bring your child to work day?"  What or who keeps the bad guys out when the local police have issued a locked down order? The list goes on and if it doesn’t, it should.  Talk about opportunities to show what you and your team have to offer. 

So, how do you get “past guards and gates"? Foremost, ensure you and your company are ready to move beyond guards and gates.  If so, make sure you have established a strong foundation from which to build upon and then use that foundation to bring those “much more” offerings to the table.  Show how the existing security program foundation is ready to offer more to the overall success of the company and its people.  Show how you can leverage your existing activities, programs and resources to align with and support company goals and objectives.  Show how you and your proven team can (and probably already do) support numerous risk mitigation efforts around brand, ethics, human capital, legal, business continuity, due diligence, compliance, crisis management, data protection and physical security.

You can get the ball rolling by ensuring you understand why you are there and delivering on it day in and day out. By meeting and exceeding the expectations of those you and your staff support and interface with every day. By making the best of guards and gates and moving it beyond the stereotype. By educating management to the added value that security can bring.  Soon your efforts will be recognized and not only will the opportunity arise to show what more you can bring to the table, but maybe even an invite to bring it. 

Answer provided by Ken Kasten, Security Executive Council Emeritus Faculty member.

Editor’s Note: The SEC has numerous articles and resources that can assist the security professional in developing and presenting a value add proposition to company management.   See:

The Nine Practices of the Successful Security Leader
Running Security Like a Business
Is the Knowledge Transfer Gap Hurting Security?
Like Risk, Security Leadership Success is a Moving Target
Managing Enterprise-Wide Board Risk

Preparing for Crises Beforehand

Q. My company has gone through a couple of damaging incidents recently and we were not well prepared. What are some tips on making sure we’re prepared better next time?

A. As a business continuity professional for several large companies, I have witnessed countless incidents where we could have been better prepared. Before each crisis, the companies that I was with had a decent plan in place. After the incident recovery phase, we had a better plan. Regardless of the maturity of your security department, there are always key learning opportunities that come from managing an incident (for example, supply chain disruption, natural disasters, loss of proprietary information, workplace violence, product contamination).

These are some important questions to ask ahead of time. Is your organization ready to handle a specific crisis? Do you have different teams set up to manage all facets of response and recovery? I’ve always been a fan of the crawl, walk, run philosophy. Start small. Talk to colleagues and benchmark your program against theirs – What does their internal training look like? What are they outsourcing? Evaluate your top risks. Garner buy-in from your “C” suite by meeting with them and explaining the soft and hard benefits of having a robust, wholistic business continuity program. Educate stakeholders. Get your phone lists together. Establish a primary and secondary crisis meeting room. Run a table top exercise.

Don’t assume that someone on the crisis management team will handle the event well due to their title or experience. The leadership required to manage each crisis is unique and truly situational. Look for opportunities to partner with other companies that share best practices across industries and to elevate your current program and mitigate future risks. Collaborate with colleagues on proven solutions that they’ve utilized to prevent, respond to, and recover from an incident. Some of these may include notification systems, public/private partnerships, and/or physical security measures.

Answer provided by Dean Correia, Security Executive Council Tier 1 Emeritus Faculty Member.

How to Really Connect with Your Business Leaders

Q. As Chief Security Officer I have been asked by business leaders, What does “security” really do for our business?  I understand that the way I think about and respond to this question will impact the success of my security program and, most importantly, the success of the business.  

So, what do I say when these kinds of questions are asked?   

A. This question and others like it are always on the minds of “the bosses.” If you establish yourself as a hyper-connected leader in your business you will answer these questions with ease.  So what the heck is a hyper-connected leader or how do you become one?  
An essential element in answering this question is how well you know “the business” of your business.  This translates to how your business makes its profits.  One of your key responsibilities as a successful security leader is to know the security environments – such as the locations, business compliance and regulatory factors – that may negatively impact on business success.  

“From the first assessments which are undertaken, we attempt to engage every employee as an ally on the “extended security team.” Absolutely nothing counts as much as being a walk-around-security leader as you establish yourself and this approach.  You cannot ask others to do it; you must walk the enterprise from executive offices across call centers, onto distribution and manufacturing floors, and into IT data centers.  Do not limit yourself to hearing about security concerns from other managers or reading policies and procedures. It is in “walking the walk” that you get to see what is really going on and also will find some genuine allies.”

“Realize that you are on a business team. Like other senior leaders–Operations, HR, Legal, Marketing, Sales, etc.–you are also there to drive business results.  Show up every day. This really means “be all there” with every bit of you focused on contributing your best. Care about those with whom you work and treat them as you want to be treated. Learn the business from top to bottom.  Be honest.  Keep an eye on the bottom line.  And work hard, because you love making a contribution. These behaviors are basic. These are solid foundations of every successful business.”

This might sound too basic for some of you but it’s often overlooked. It has been my experience that nothing, and I mean nothing, frustrates “the bosses” more than if they get a surprise from any of their business leaders.  Among the most critical responsibilities of smart security leaders is to ensure your business leaders – from top to bottom – fully understand how security makes their jobs easier and more productive.

This is where being hyper-connected across your business comes into play.  And how do you do that?  I have found an easy way is to fully utilize and engage existing functions found in every business. Creatively find ways to engage Corporate Communications, HR, IT, Audit, Finance, and others with cross-functional security themes that support both the operating and strategic objectives of your business. By using this approach my security teams have turned security into net income generators!  Nothing makes the bosses happier than improving the business bottom line.  Give it a try and see what I mean.  

Answer provided by J. David Quilter, Security Executive Council Faculty Emeritus.  The two paragraphs in quotation and italics above are from David’s book, "From One Winning Career to the Next," which is available for purchase at the Security Executive Council's Leadership Store.