Getting Beyond Guards and Gates

Q: My security team and I have so much to offer our company, but I can’t seem to get my management to give me the opportunity to show what we can bring to the table.  Any ideas or advice on how to advance my security program beyond “guards and gates?”

A: First, let me say if it’s guards and gates they want, then be sure to deliver beyond expectations. All too often, in the hurry to get a chair at the big table it is forgotten why one may have been hired in the first place.  While it may not be perceived to be as glamorous as some of the other components of a successful corporate security program, do not minimize the importance of a solid program foundation and how guards and gates not only support the efforts of those more glamorous components but are often the pillars that hold everything up. 

Consider these questions.  Who in your security organization interfaces with your employee population more than your guard’s?  What more than gates, fences and doors form the first line of defense to your facilities, assets and personnel?   Who operates all those glamorous high tech Security Operations Centers?  Who responds to emergency and life threatening situations? Who responds to the request for assistance when the office door won’t work? Who is there when that long dark walk to the car is made a little easier with a friendly escort?  Who is often the first person a visitor or a perspective client interacts with upon arrival, providing that everlasting initial impression?  Who helps the lost child when he or she can’t remember what floor dad’s office is on during “bring your child to work day?"  What or who keeps the bad guys out when the local police have issued a locked down order? The list goes on and if it doesn’t, it should.  Talk about opportunities to show what you and your team have to offer. 

So, how do you get “past guards and gates"? Foremost, ensure you and your company are ready to move beyond guards and gates.  If so, make sure you have established a strong foundation from which to build upon and then use that foundation to bring those “much more” offerings to the table.  Show how the existing security program foundation is ready to offer more to the overall success of the company and its people.  Show how you can leverage your existing activities, programs and resources to align with and support company goals and objectives.  Show how you and your proven team can (and probably already do) support numerous risk mitigation efforts around brand, ethics, human capital, legal, business continuity, due diligence, compliance, crisis management, data protection and physical security.

You can get the ball rolling by ensuring you understand why you are there and delivering on it day in and day out. By meeting and exceeding the expectations of those you and your staff support and interface with every day. By making the best of guards and gates and moving it beyond the stereotype. By educating management to the added value that security can bring.  Soon your efforts will be recognized and not only will the opportunity arise to show what more you can bring to the table, but maybe even an invite to bring it. 

Answer provided by Ken Kasten, Security Executive Council Emeritus Faculty member.

Editor’s Note: The SEC has numerous articles and resources that can assist the security professional in developing and presenting a value add proposition to company management.   See:

The Nine Practices of the Successful Security Leader
Running Security Like a Business
Is the Knowledge Transfer Gap Hurting Security?
Like Risk, Security Leadership Success is a Moving Target
Managing Enterprise-Wide Board Risk

Preparing for Crises Beforehand

Q. My company has gone through a couple of damaging incidents recently and we were not well prepared. What are some tips on making sure we’re prepared better next time?

A. As a business continuity professional for several large companies, I have witnessed countless incidents where we could have been better prepared. Before each crisis, the companies that I was with had a decent plan in place. After the incident recovery phase, we had a better plan. Regardless of the maturity of your security department, there are always key learning opportunities that come from managing an incident (for example, supply chain disruption, natural disasters, loss of proprietary information, workplace violence, product contamination).

These are some important questions to ask ahead of time. Is your organization ready to handle a specific crisis? Do you have different teams set up to manage all facets of response and recovery? I’ve always been a fan of the crawl, walk, run philosophy. Start small. Talk to colleagues and benchmark your program against theirs – What does their internal training look like? What are they outsourcing? Evaluate your top risks. Garner buy-in from your “C” suite by meeting with them and explaining the soft and hard benefits of having a robust, wholistic business continuity program. Educate stakeholders. Get your phone lists together. Establish a primary and secondary crisis meeting room. Run a table top exercise.

Don’t assume that someone on the crisis management team will handle the event well due to their title or experience. The leadership required to manage each crisis is unique and truly situational. Look for opportunities to partner with other companies that share best practices across industries and to elevate your current program and mitigate future risks. Collaborate with colleagues on proven solutions that they’ve utilized to prevent, respond to, and recover from an incident. Some of these may include notification systems, public/private partnerships, and/or physical security measures.

Answer provided by Dean Correia, Security Executive Council Tier 1 Emeritus Faculty Member.

How to Really Connect with Your Business Leaders

Q. As Chief Security Officer I have been asked by business leaders, What does “security” really do for our business?  I understand that the way I think about and respond to this question will impact the success of my security program and, most importantly, the success of the business.  

So, what do I say when these kinds of questions are asked?   

A. This question and others like it are always on the minds of “the bosses.” If you establish yourself as a hyper-connected leader in your business you will answer these questions with ease.  So what the heck is a hyper-connected leader or how do you become one?  
An essential element in answering this question is how well you know “the business” of your business.  This translates to how your business makes its profits.  One of your key responsibilities as a successful security leader is to know the security environments – such as the locations, business compliance and regulatory factors – that may negatively impact on business success.  

“From the first assessments which are undertaken, we attempt to engage every employee as an ally on the “extended security team.” Absolutely nothing counts as much as being a walk-around-security leader as you establish yourself and this approach.  You cannot ask others to do it; you must walk the enterprise from executive offices across call centers, onto distribution and manufacturing floors, and into IT data centers.  Do not limit yourself to hearing about security concerns from other managers or reading policies and procedures. It is in “walking the walk” that you get to see what is really going on and also will find some genuine allies.”

“Realize that you are on a business team. Like other senior leaders–Operations, HR, Legal, Marketing, Sales, etc.–you are also there to drive business results.  Show up every day. This really means “be all there” with every bit of you focused on contributing your best. Care about those with whom you work and treat them as you want to be treated. Learn the business from top to bottom.  Be honest.  Keep an eye on the bottom line.  And work hard, because you love making a contribution. These behaviors are basic. These are solid foundations of every successful business.”

This might sound too basic for some of you but it’s often overlooked. It has been my experience that nothing, and I mean nothing, frustrates “the bosses” more than if they get a surprise from any of their business leaders.  Among the most critical responsibilities of smart security leaders is to ensure your business leaders – from top to bottom – fully understand how security makes their jobs easier and more productive.

This is where being hyper-connected across your business comes into play.  And how do you do that?  I have found an easy way is to fully utilize and engage existing functions found in every business. Creatively find ways to engage Corporate Communications, HR, IT, Audit, Finance, and others with cross-functional security themes that support both the operating and strategic objectives of your business. By using this approach my security teams have turned security into net income generators!  Nothing makes the bosses happier than improving the business bottom line.  Give it a try and see what I mean.  

Answer provided by J. David Quilter, Security Executive Council Faculty Emeritus.  The two paragraphs in quotation and italics above are from David’s book, "From One Winning Career to the Next," which is available for purchase at the Security Executive Council's Leadership Store.

A Missed Opportunity… Selling Your Program and Yourself at a Moment’s Notice

Q: I missed a perfect opportunity the other day to sell my department’s security program and myself.  I was in line at the company cafeteria when the new Chief Operating Officer got in line behind me and asked who I was and what I did.   Unfortunately, it didn’t go as well as I would have liked and now I’m determined to ensure it doesn’t happen again.   Any advice?

A: Sad to hear you missed an opportunity.  Happy to hear you recognize it was a missed opportunity and even happier to hear you are taking steps to minimize the chance of it happening again. You never know when or where the opportunity or need to sell yourself or your programs will come to be, so be prepared.  Be prepared on different levels.   Have a two minute “elevator speech” ready at all times; have a written marketing document ready for distribution at a moment’s notice; have a management document ready upon request; and have your business “dashboard” with all supporting metrics just a click away.    Here are a few things to consider when getting prepared.

• Elevator Speech. This is for anybody that will listen.  As the name implies you have a few short moments to sell your wares, so make them count. The elevator speech should be concise (30 seconds to two minutes), well planned, and easily understandable. It should be well-practiced for on the spot delivery.   If more information is desired or needed, you can follow-up with the appropriately enhanced detail.   

• Marketing Document. This is the story of what it is you (and your department) do.  Information that you would be willing to share with the general employee population. Perhaps this is a written document, an illustrated brochure, or even a web page on the company intranet.  Something that you could use for new employee orientation or a handout that you would be willing to share with other companies or professional organizations.   Try a little bit of visual glitz to get a touch of the WOW.  

• Management Document. This is the next step in the selling process.  A document that contains a little more detail. Details that you might classify as “business confidential” and would only share with members of company management or those bound by some form of non-disclosure.  A business document is distributed primarily with cause and is generally followed by a personal appearance.

• Dashboard. Not only is this what you do, but how often, how important and how well it is you do it; all supported with clear and verifiable metrics. This is a document that most likely requires some form of presentation and is probably reserved for management and department personnel only.  This is a document that can be used for self, staff and department performance measurement and is updated monthly, quarterly or annually. 

A security leader’s job demands readiness; the ability to deal with the unexpected at a moment’s notice, and this should be no different.  Be prepared, keep all your information current, solicit the help of others when preparing your materials for both content and style, and practice. The better prepared you are, the more comfortable you will be and the better your presentation.  Even consider a little softer, more personal document about yourself for those times when getting to know YOU is important.  Regardless of how and what you do, be ready to answer when opportunity knocks.

Answer provided by Kenneth Kasten, Security Executive Council Emeritus Faculty member.  

Editor’s Note:  For more information regarding the selection and use of security industry metrics along with the development of a security industry related business dashboard, see the Measures and Metrics in Corporate Security series on the Security Executive Council’s web site, which also contains many other security related metrics and dashboards.

Getting to Know the New Boss

Q. It has been announced that security will report to a new boss within a month. Although this is an internal promotion, I have not worked closely with this person in the past. My relationship with my previous boss was excellent. Can you recommend some successful strategies for getting my new executive management to be supportive of the security function?

A. Our research shows that a change of boss is one of the top reasons that security leaders lose their jobs (for example, see this Security Barometer). Getting to know each other and establishing a relationship based on mutual respect is a process that will occur over time, so my first advice is to not push it by trying too hard out the gate. Take the time to do your research and learn as much as you can about your new boss. Request a face-to-face meeting where you both have an opportunity to get to know each other and gain an understanding of each other’s vision and talk about department goals and strategies.  You will want to know certain things about his management style. For instance, does he prefer to communicate in writing, by phone or in person? Is he detail oriented wanting to know specific details or does he prefer a brief overview? Questions like these.

You can almost surely expect change. State your vision and directional goals and make it obvious that you are open to discuss constructive feedback. Be prepared to explain and justify, if necessary, current and/or anticipated staffing needs.

Make sure that he understands and gets comfortable with your level of experience and ability to handle issues. Plan to talk about how you see security fitting into the corporate culture and your plan to ensure convergence with the rest of the company’s risk management strategy. Also, be sure to let him know that you are well versed in the issues and laws surrounding compliance.

Keep in mind that your new boss is the new kid on the block and may have zero experience with or knowledge about the security function so take this opportunity to educate and influence him.  Now may be the time to use those soft salesmanship skills. Be prepared to give a brief overview and explain the current state of your security organization.  Discuss your view of the direction you would like to see and why.

Answer provided by Bob Hayes, Managing Director, Security Executive Council.

Contingent Workforce – Screening & Clearance

Q.  My company takes painstaking efforts to ensure that all of our employees are properly background screened and vetted to help ensure the safety and security of company personnel and assets. However, I can’t say with confidence that the same is true for the rest of our modern day workforce of temporary help, contract workers, on-site suppliers and vendor personnel.  How do I ensure that the same level of diligence is put forth in vetting these “outside” workers who have similar access privileges to company facilities, personnel and information? 

A.  Good question!  Many companies do not insist that their selected vendors, suppliers and contractors screen their workforce with the same diligence that the company screens their own employees;  often times giving these “outside” workers the “keys to the store,” granting them open access to people, facilities, property and information.  Not only is it a good business practice to vet your suppliers, vendors and contract workers but you may be contractually and/or legally obligated to do so.  So what can you do to help ensure your contingent/outside workforce is vetted to your required level of clearance?  Consider the following suggestions:

• Develop a company policy that requires contingent worker background checks to be conducted; a policy that addresses who, what, when, where and how.

• Develop and implement contractual agreements with suppliers of contingent personnel to vet their representatives to a specified level, conducting the required background checks to help ensure a mandated level of clearance. Be sure that your contractual requirements do not run afoul of local law, industry regulations or company culture. 

• Determine what your company's contractual, regulatory or legal obligations are related to the background screening of your contingent workforce.

• Define your screening objectives by outlining both the overall and specific purposes and results.

• Determine what, if any, process differences are necessary to address different jobs, workers, suppliers, contractors or vendors.

• Determine what level of involvement you and/or your company needs to have in the actual background screening and clearance process.

• Determine who and how background checks and clearances will be communicated from the contingent workforce to your company.

• Develop and distribute subject related communications to all parties involved; outlining rules, roles, responsibilities and expectations.

• Determine who or how the costs associated with these background screenings will be addressed.

• Determine a conflict resolution process; identify how and who will address debatable screening results and issues.

Developing a process to accomplish your contingent workforce due diligence objectives should be specific to your industry, business structure and company culture; something that helps to ensure proper screening without impeding workflow, business operations or being detrimental to company culture. Be sure to include partners, e.g., Human Resources, Business Operations and Legal that are critical to implementing and maintaining an effective contingent workforce due diligence program.  Help your vendors, suppliers and contractors understand how important due diligence is to your company and what the benefits are to them of having a vetted workforce.

While nothing is fool proof and even with the best of due diligence programs someone or something can slip through the cracks, a properly designed and executed contingent workforce screening program is one more component of a safe and secure workplace.  It’s your business at risk, including your operations, brand, customers and employees.   It does not matter that the person responsible for a data breach is a vendor with false credentials. It does not matter that the person who suddenly becomes violent in your workplace is an on-site supplier with a history of violence. It does not matter that the person who fails to comply with check and balance procedures enables a million dollar fraud to occur is a contractor with a criminal record.  It is your reputation, your customers, your employees and your operations that are at risk.   Know who has the “keys to your store.”

Answer provided by Kenneth Kasten, Security Executive Council Emeritus Faculty.

 

Mitigating Security Related 10-K Risks

Q. My Board of Directors is asking what the security department is doing to mitigate security-related risks outlined in our 10-K report. How do I respond?

A. Even though you may not have an immediate answer, there’s good news in them asking the question.  Boards have become more educated on and in tune with enterprise risk management.  The 10-K form is an annual report required by the Securities and Exchange Commission for publically traded companies that provides a comprehensive summary of company performance well beyond the high gloss “tabletop” books that we associate with a company’s annual report.  Within the 10-K report is a section on risk factors.  It’s here that the company will lay out anything that could go wrong, likely external effects, possible future failures to meet obligations, and other risks disclosed to adequately warn investors and potential investors.  A number of these risks are directly related to the Chief Security Officer’s (CSO) charter and responsibility.  There’s nothing hidden here – your company’s 10-K report and risk factors can be found in the Investor’s Relations section on your corporate website.  CSO’s and their staffs need to understand their company’s 10-K risks and, ideally, the CSO will align his or her personal and program goals against these risk factors, creating what I call the “10-K Security Quotient.”  CSOs with lower 10-K quotients are typically more aligned with executive management’s view of risk and what is important.  Higher quotients indicate misalignment and may raise questions on whether the CSO is addressing the appropriate risks.  A CSO can establish an aligned approach and lower 10-K quotients through research and thoughtful planning.

Answer provided by Mark Lex, Security Executive Council Emeritus Faculty member and author of the upcoming book, “The 10-K Security Quotient.”

 

Measures and Metrics in Security

Q. What metrics system might an executive use to monitor the strategies of a business?

A. I will assume you are asking specifically about security executives given this Q&A's topic area. There are many metrics that can be used (in fact we have identified 375. See the description of our book we published, Measures and Metrics in Corporate Security. However, the issue many security practitioners incur is a) not measuring at all or b) measuring things by simply counting them (e.g., workplace violence incidents or lost laptops), rather than demonstrating the value Security brings to the business. By way of example, convey savings to the company by your program's reduction of workplace violence issues (the cost of managing an event and lost employee time; or cost savings by reducing any potential acts because of your background due diligence program).

Unfortunately, there are no measures and metrics standards in security because factors vary widely; for example, type of industry, size of company, corporate culture, level of regulatory pressure, etc. However, the Security Executive Council created a tool to help security executives understand and communicate what they are doing in terms of what risks are of concern to the Board. The Board Level Risk image and presentation shows the main categories of risk concerns based on our research of many companies’ enterprise risk assessment results to find "commonalities." These categories are matched to security program mitigation efforts. Using this tool security practitioners are now "talking in the terms of the business," which helps brief senior management on how security fits into the organization's overall risk management program. For more information see the article:  Managing Enterprise-Wide Board Risk; also view the Council's Solution Snapshot video: Board Level Risk Categories & Security Program Elements (v.3).

Answer provided by Kathleen Kotwica, PhD, Security Executive Council EVP and Chief Knowledge Strategist and Bob Hayes, Security Executive Council Managing Director

Environmental Health & Safety Risk Assessments

Q. As CSO, I recently had a meeting with the head of our Environmental Health & Safety group regarding a security risk assessment that we recently completed for them. They do not think that the validity and sophistication of our risk assessment is on par with what they are doing in EH&S. Where might I be missing the boat?

A. Although some older security risk assessment models are not on par with EH&S standards, many EH&S programs use the identical qualitative models as security.

The Nuclear Regulatory Commission (NRC) and Department of Energy (DOE) national laboratories advise against using formal quantitative risk assessment processes – widely termed probabilistic risk assessments (PRAs) – for security because it is virtually impossible to predict the frequency of malevolent initiating events, e.g., cyber attacks such as Stuxnet, terrorist attacks or insider disruptions. The best practice is to conduct a qualitative risk assessment that relies on expert judgment, with a "light touch" of quantitative analysis.  EH&S has the flexibility to use models that are more quantitative in nature because they have quantitative data on potential initiating events and their consequences; for example, the mean time between failures, pressure capacity, heat factors, feedstock dynamics, maintenance dynamics, etc.

The models in use now troughout the US and in many foreign countries for security and safeguards risk assessments (including cyber security risk assessments) are derived from expert agencies such as the American Petroleum Institute, American Chemistry Council, National Petroleum Refiners Association, Sandia National Laboratory, Argonne National Laboratory, National Petroleum Refiners Association, DOE laboratories and the NRC. The European Union has recently issued an energy sector security risk assessment model that is qualitative in approach.

From a historical perspective, in 1990, DOE tasked the National Institute of Standards and Technology (NIST) to analyze options other than quantitative risk assessment in the security arena because quantitative assessments were perceived as being too costly, too time consuming and the results deemed unnecessarily complex.  NIST concluded that qualitative risk assessment, if properly executed, yielded virtually the same result with significantly lower expenditure of resources.  A more recent example of this shift was the 2005 Department of Homeland Security (DHS) RAMCAP model.  This highly quantitative model – written by the American Society of Mechanical Engineers (ASME)—was discarded by DHS and the critical infrastructure community in favor of CCPS-equivalent qualitative methodologies for the same reasons.

I highly recommend that you visit the websites of the organizations identified above and do your research prior to conducting EH&S or security risk assessments. Then, take the time to communicate with the EH&S staff and management to get a thorough understanding of their risk management expectations and why they take exception to qualitative approaches.  You may find that they, in fact, use qualitative tools—such as HAZOPS, FMEA, scenario analysis, etc. You may also be able to format your security qualitative model to more closely align with other organizational qualitative models so that your process virtually mirrors theirs. This can be critical to achieving organizational buy-in.

Answer provided by John Piper, Security Executive Council Subject Matter Expert Faculty Member.

 

Reductions in Force (RIF)/Lay-Offs Guidelines

Q:  Reductions in force (RIF) /lay-offs seem to be a regular part of today’s business world.  I would like to develop a checklist/guideline to help consistently and appropriately address security items and concerns generally associated with these types of events.

A:  It does seem that there are more employment reductions in force than ever before, thus enhancing the opportunity for a potential security issue to surface during an involuntary separation of employment. I would encourage you to develop a checklist/guideline that addresses all employment separations -- both involuntary and voluntary.  While there are common recommendations for these situations, your specific guideline and process should be unique to your company. Local law, contractual agreements, industry regulations, and company posture will all impact what your security guidelines should contain.

First and foremost, whatever guideline that is developed must support your company's policies and procedures regarding this topic; it is very important to have the support of Business Operations, Human Resource and Legal departments.  Your objective is to support and facilitate a safe and secure transition for the company, the soon to be terminated employee(s) and the employees who remain.  

Consider implementing the following processes:
  
• Collect and cancel all company issued credit cards.
• Collect company owned equipment to include computers.
• Collect, cancel or change all access privileges.
• Collect all company owned/leased vehicles and related accessories.
• Upon notice of the voluntary separation of an employee, immediately assess whether the individual poses a business risk.
• Notify security or senior management if the employee being involuntarily separated poses a potential physical threat or business risk.
• Offer Employee Assistance Program benefits, if appropriate.
• Address any outstanding compensation or debts.
• Have a clear understanding of how a separated employee's personal belongings are to be handled.
• Develop a company position and standard policy regarding exiting employees from company facilities.
• Develop a standard announcement for changes in personnel after voluntary or involuntary separations.

A well thought out and company supported employee separation security guideline/checklist will benefit all involved; helping to provide the training and direction to whomever the duties of notification and separation fall upon.   While a checklist is not fool proof and may not prevent or address all potential security concerns associated with these types of events, it should certainly aid with consistency of process and program application.   However or whatever you do; remember the phrase “Discharge with dignity.”  It will serve you well.  

Answer provided by Ken Kasten, Security Executive Council Emeritus Faculty member.

Editor’s Note: Guidelines provided by Council Faculty should not be construed as a means to establish any legal standard of care or identify what reasonably prudent security precautions should be taken in any specific situation.  The actions to be taken for individual situations will vary depending on the corporate culture and individual circumstances at the time.

Please visit the Security Executive Council's website to see additional details on the processes mentioned above.