Security Leadership and Management

Six Things about Business Every Security Manager Needs to Know

March 22, 2011

1. The importance of supporting the business strategy.
2. Managing is as important as leading.
3. Decision making is a process.
4. Competitive forces that affect companies.
5. Key financial measures.
6. Balancing risk is a business reality (terrorism is only one of many risks).

There they are: a half-dozen things that all managers need to better understand to be effective. Notice, I said, all managers. We get caught up in thinking that, as security managers, we are different somehow, since we deal with matters of life and death and protect the assets of the company, its employees, the customers, and anyone coming onto our premises.

This narrow thinking is why business executives wonder about the ability of security to deal with the depth and breadth of the business they are to serve. And, it is service. No, not protect and serve. Rather, it is about enabling the business that employs you to be successful. So, whether you are perceived as a cost center or think you are able to impact the bottom line, you need to make sure you are being listened to. And, I do not mean that you think you are being listened to. I mean receiving a level of respect for what you bring to the discussion table. While it ultimately is about delivering results, the fact is, failing to understand these key points prevents security from delivering on the promise. Although there is much that can be said about each of these points, constraints of time and space require brevity. So, here they are:

 

1. The importance of supporting the business strategy.

Let’s cut to the chase. Please allow me to provide a real-world example. A global retail firm has decided to expand into a new geographic market. The various heads of the business functions have been asked how they might align their efforts with this growth strategy. After everyone provided their strategic perspective that would enable this growth, the head of security weighed in and suggested the need to install RFID systems in all the new locations. Heads turned. Wrong problem solved. The use of RFID has nothing to do with moving into a new market. Rather, to align security with the business strategy, the security manager should have offered to conduct a risk analysis of the threats and opportunities the business may face in the new market and suggest ways to ameliorate or mitigate the problems discovered, so as to enable the market expansion to occur with less risk and, potentially, more profitably.

 

2. Managing is as important as leading.

It has famously been said that leadership is doing the right things and management is doing things right. It has also been said that leaders transform organizations, while managers merely take care of them. Consequently, is it any wonder that everyone wants to be known as a leader? Or that, as noted in the Dilbert comic strip, managers are often viewed as impediments to business success? Misunderstanding the value of managing has, in part, been promulgated by academics talking and writing about Transformational Leadership as an essential ingredient for success, relegating the concept of Transactional Leadership (i.e., management) to the back shelf. Well, the reality is that most managers are hired to do just that – manage. And, failing to manage effectively will result in the company finding someone else who can. Effectively managing a budget or executing a program is not about leadership. It requires a clear understanding of processes and systems and attentiveness to detail. Delivering results is as much about managing things effectively as it is about leading. As the old saying goes, you can lead a horse to water, but you cannot make it drink. That requires a level of management.

 

3. Decision making is a process.

I can and have conducted presentations and executive development sessions solely on the process of decision making. So, brevity on this point will be difficult. But, here it is. Decisions are never best made when hearing the first thing that agrees with your thinking. Such actions fail to value the process necessary for effective decisions. Even when done in crises or at a critical moment, there is a process. Everyone from hostage negotiators to bond traders to healthcare workers to senior executives has their mind run through a process for making certain decisions. And, it begins with being clear on the problem. Many decisions fail because they solve the wrong problem. Further, decisions require information, not all of which is of equal value or should be treated the same. It is from that information that different alternatives arise, and from these alternatives a choice will be made, which must be communicated to those responsible for carrying it out. But, effective decisions do not stop there. The final aspect of the process involves follow-up to determine if the problem has been solved. If not, the process may need to circle back to a specific step from which the process needs to be repeated. Rushing to decisions without determining if you have sufficient information to solve the right problem will lead to poor decisions, which is not in your best interest, because consistently making effective decisions is what helps deliver valued results, and that is what keeps managers employed.

 

4. Competitive forces.

This is not easy to describe in a brief manner because it involves a number of moving pieces. So, let’s keep it simple and allow the reader an opportunity at self-discovery.

What industry are you in? Where are your businesses located? What do you sell and to whom? What external factors affect your business? What internal factors affect your business? What is the company’s generic strategy?

As you can see, depending upon where a company competes and how, competitive forces affect each business differently. Understanding these forces enables companies to develop their various strategies. For security, aligning their functional strategies with those of the larger business is critical to enabling business success.

 

5. Key financial measures.

I know what you are thinking: I understand ROI. Good start. What about liquidity ratios, financial leverage ratios, asset utilization, profitability ratios, and market value ratios? Not so much? Join the club; most security managers (and all too many non-financial managers) fail this litmus test. And, it is a litmus test. These metrics are important because they provide the means to compare your business with itself and with others from a performance perspective. Does it matter that your company’s current ratio is 0.48, while it is 2.12 for the industry? Yes, because the higher the ratio the better the financial performance, and there is often a threshold of success for the industry. Where does your company fit? Does it matter? Sure. Try to get an increase in budget or capital funds when your company is 0.48 and others are 2.12.

 

6. Balancing risk is a business reality (and terrorism is only one of many risks).

Just to be clear, companies that do not grow are five times more likely to be acquired or go out of business. Even a disaster like the terrorist attacks of September 11, 2001, while severely damaging the financial industry, aviation, and many other ancillary businesses, did not cause them to fail. However, poor decisions leading to poorer results led to the demise of Circuit City, Lehman Brothers, DeLorean Motor Company, Wang Laboratories (computers), Orion Pictures, Long Term Capital Management (run by two Nobel laureates), not to mention a number of railroads, airlines, retail stores, restaurants and nearly 250 different US banks since 2007 (and still counting). You get the picture. So, what else might prove more problematic than terrorism? Depends on the business; but here is a short list that might keep the CEO awake at night: Natural disasters, supply chain disruption, class action lawsuits, product tampering or recall, failed product rollouts, industrial accidents, labor unrest, new governmental regulations, threat of acquisition and, the one we all know can have a material impact on a company, economic recession. By the way, this did not include the “normal” threats that come from strong competition.

 

So, when considering the risks facing your company, understand that there is a greater chance you will be hit by lightning than your business will be victimized by terrorism. So, keep perspective. A risk is not simply a risk; some are truly more likely to occur than others, and balancing risk is what senior executives are expected to do. Arguing for spending large amounts of money or creating conditions that impair rather than promote the business fails at understanding how security needs to position the business for success. To use the words of a restaurant manager, “We can stop all threats by simply locking our doors and not letting customers inside. But, we cannot make money that way.” Exactly!

Clearly, the job of a security manager has become far more complex than it was twenty years ago. The availability of information made easier by the Internet and the nature of competition made more complex by globalization have created greater management challenges. You cannot afford to be viewed as the corporate cop (if anyone ever really subscribed to that role). A business manager responsible for security must truly understand and support business growth in a tangible manner. For some, this may seem a blinding grasp of the obvious. Perhaps it is. But, then why is it that security managers often speak about not having as much influence as other business functions? Or why, as a fairly recent survey pointed out, is security asked to do more with less (implying that others are not)? The answer may be surprisingly simple. While you might understand business, perhaps it is not well enough.

To be clear, the six points mentioned are not meant to be an exhaustive list of what will make you successful. Rather, they are just a beginning to what should be a new level of inquiry and learning.


Christopher A. Walker, D.B.A., is the lead developer and faculty director for the Northeastern and IE Business School Executive Education programs developed in partnership with ASIS. Walker gained a firm understanding of the need to valuate security in terms of the organization’s bottom line during his career in law enforcement and in the eight years he served as CSO for a Fortune 50 company. For senior corporate executives, the security department is one of many support functions within the organization’s value chain—all of which contribute to the primary objective of the business, which is making money. “When I entered the world of business, I quickly realized that I needed some form of education that enabled me to speak the language of business. I based the development of these programs on my own experience as a tool for security practitioners to further their own success,” observed Walker. For more information on ASIS Executive Education programs, please visit www.asisonline.org. Registration for June programs is now open.
