Q. Our security department is a well-oiled wheel. We have our processes in place, a knowledgeable and diverse team and get the job done. All well and good, but what I’d like is your advice to get to the “next level.”
A. We appreciate the fact that things are going well but that you also want to stretch yourself and the department. Some of the elements that provide growth opportunities may be beyond your control, but if you can influence these they will help your stand in the organization. This includes:
- The security leader reporting structure is typically no more than 2 to 3 layers removed from the top executive of the organization (e.g., the CEO).
- Access to executive management and the board of directors when necessary.
- Measuring and communicating the impact and value of services to the senior executive level of the organization.
- Effectively communicating to executive management/business unit leaders the level of risk they are accepting if the risks are not mitigated or transferred; and the potential for residual risk left after mitigation.
- Achieving understanding and continual support from business unit heads.
Things that are more in your control include:
- Being subject matter experts and developing skills that go beyond the capabilities of traditional security.
- Monitoring and identifying emerging security-related issues that can significantly impact the organization; creating and developing strategies to mitigate the impact.
- Consistent focus on services that positively impact the business’ financial performance.
- Program validating that is done periodically and reviewed with other successful peer programs
- Strive for operational excellence in all markets, business units, and functions.
One of the ways to think of advancing the security department is something the Security Executive Council (SEC) calls “running security like a business.” First off, know your customers. Are you gathering evaluation data from them? Do you understand what they want and why? Calculate the capacity the security function has and any gaps that need to be addressed. Define, demonstrate and communicate the value of your security programs. What are you “selling?” Does it make sense in your “market” (e.g., does your security strategy align with your organization’s corporate culture)? Measure the effectiveness of your programs and keep pushing towards the next iteration of what you are offering. Create a brand for Security (or re-brand if necessary).
There is no single best way to reach the next level (and “next level” is in itself relative); it can depend on the security leader’s style or fit for the organization, the maturity of your current program, senior management drivers within your organization and more. But we hope our advice is food for thought and gets you started on your path.