Q. I have been on the job for several years and I sense senior management is not as on board with security as when I started. For example, there was management reorganization and I report to someone who is at a lower level than who I was reporting to before. There have been committees formed that I thought I should sit on and I was not invited. Should I be worried?
A. The short answer is yes, you have reason to be concerned. By recognizing there may be a problem you have taken the first step. Now is the time to consider reinventing or restructuring your security program in a manner that (re)appeals to senior management and reestablishes it as a crucial partner within the organization.
Several questions come to mind. The first is whether there have been any personnel changes at the senior management level. Are any previously supportive people now gone? If this is the case, unfortunately, some of the ground you covered and trust you earned while gaining support for your program may have walked out the door. Hopefully, you already have a metrics program in place that can help you show new senior management an objective view of your program goals and accomplishments. Remember, brief and to-the-point presentations are crucial for this audience.
In regards to the new boss situation:
- What steps have you taken to educate him or her about your program, the value it brings and the results you have achieved?
- Are you able to effectively and quickly communicate the services the organization finds valuable, including the view from your boss' peers?
- Can you clearly articulate who the primary customers are of each security service?
- Can you demonstrate how each area of the company (audit, sales, comptroller, marketing, R&D, etc.,) utilizes security?
- Can you demonstrate the cost, head count and results of each program/service?
- Most importantly, AFTER doing this -- did you discuss with your new boss what he or she feels should be changed or modified?
Another aspect to consider is how well you have been aligning your programs with corporate-level goals. For most corporations this is constantly shifting. Have you tapped into the "state of organizational readiness" your organization has for your security programs? Do they look at them as reducing risk in well-defined areas (e.g., workplace violence or investigations)? Or at the other end of the spectrum, do they view security as a true business partner? Knowing how senior management views security will help you define your programs to meet their current expectations.
It is at this point you are prime for any change in direction you feel will further benefit the organization. But you can't just expect your programs to be accepted (or continually accepted) because they may have worked in the past. You must keep up with the business side and its ongoing transformations.
You must also take a hard look at where you are as a security leader. Have you settled into a "maintenance" stance? While it is clear many security departments are currently understaffed and are working with a meager budget, consider the next stage you want to achieve—for example, keeping the program maintenance at a quality level but also looking toward emerging issues. Plan for this. If your department is thought of as simply a cost center, when the inevitable business shifts loom, you will surely be in the line of fire.
As stated at the start, yes, these are warning signs. Take the time to think through your situation and the organizational structure. Then, plan strategies that will eventually get you back to the position where the current senior management understands security’s role and the importance of including you in decisions that reduce risks of concern to the organization.