Q. I am trying to re-position my organization’s security function to be more aligned with the organization’s mission. What can I do to gain the confidence of my senior management and to show and enhance security’s value to the business?
A. Even the smartest people in the room sometimes get caught up in day-to-day tactics and lose sight of working closely within their businesses. Figuring out what security measures can best support a business or organization makes all the difference as you develop a successful security program. Here are four proven elements to help us maintain a strong business focus.
Build trust. It’s important to meet other business leaders on their turf. Demonstrate your willingness to adjust your agenda and your schedule to build trust with other leaders. Assessing their willingness to open up about security-related issues (theft, workplace harassment, etc.) requires maximum confidentiality, and it takes time. Before they candidly discuss their security issues with you, they have to trust that you will not tell their bosses about what they tell you. This can be very tricky at times.
A standard rule I’ve seen used with great success is to report issues generically—never reporting about a specific leader or location. For example, if the Boston, Cleveland and Syracuse distribution centers have significant shrinkage, I would simply indicate to executive leadership that we have identified very specific shrinkage in the distribution end of the business. If asked about which ones, I would say it’s too early to disclose that information. Some managers might press for such information. In those instances, I would hold my ground, saying that I don’t share preliminary information with the CEO per my agreement with him/her.
Start simple. Business leaders at times have a hard time visualizing how security contributes to the success of their business, division or function. So how do you convince them that what you are doing will help them succeed and improve profits?
Initially it is important to avoid using complex strategies. I say “initially” because security jargon and complex matrixes of vulnerabilities can leave business leaders confused as to what you are doing to make their jobs easier and the business more productive. Once you have gained their trust, you then can introduce them to more sophisticated approaches. However, your initial focus is to deal with those issues that frequently detract from business success, like harassment, workplace violence, theft, embezzlement, and fraud. These and other areas such as information integrity and vendor due diligence have not been a part of most business leaders’ areas of experience. As Leonardo da Vinci said, “Simplicity is the ultimate sophistication.”
Pick and track your security tactics and strategy carefully. Choosing the right approach requires a clear focus on what a particular business needs, not on what you might initially think it needs. You have to know what the business does, how they make money, the environments they operate in, what their operating goals and objectives are. This applies to every function and division, down to the unit level.
Surround yourself with business leaders at all levels by attending their meetings and seeing how they and their direct reports manage their responsibility. Do this without a security agenda and let them know you are there to gain an understanding of them, their goals and the focus of the business. If, and only if, the opportunity presents itself, open up so they gain an understanding of you as well. Then and only then can you determine where to start and what you want to achieve, by making notes on how to measure your goals against their business goals. Note: Not everyone is going to welcome you. Match up with those who buy into what you can do to support their operations. It’s these leaders who later will speak of how you helped them and who will become your strongest proponents across the business.
It is important to hold off on setting a security strategy until you understand the issues business leaders are sharing with you and the culture or cultures of various business units. For instance, distribution parts of an organization often have very different kinds of security issues compared to manufacturing operations. Likewise, the cultures of these disparate parts of the business are also very different from the corporate functions of HR, IT, Finance, Communications, General Counsel and other headquarters elements.
A successful security strategy has to interpret many variable cultures in a harmonious way. Think of an orchestra conductor. He/she brings together competing musical sections to make great music. That’s what a well thought out security strategy does in dynamic and ever-changing business environments. Senior business leaders listen when they sense you are there to help them drive better business results.
Be humble. This means you need to have the confidence to acknowledge your shortcomings and recommit to being an even better security leader and business partner each day. It also means you need to be comfortable recruiting smart, driven professionals onto your team, rather than feeling threatened by them. When you hire, you are not just hiring a person with security skills. Your team also needs to be diplomatic, to have a good sense of humor, and to truly want to be a business partner, just as you do. The smartest security leaders are invariably out there helping others deal with often difficult situations and helping them to succeed.
Answer provided by David Quilter, Security Executive Council Emeritus Faculty.