Security Leadership and Management

Is the Knowledge Transfer Gap Hurting Security?

Adding business value. Getting a seat at the table. Running security like a business. Aligning security with the organization. These are the contents of the Holy Grail of security leadership. Everybody talks about them. Everybody wants them. But most security leaders view them as the stuff of legend – great for motivation, but unattainable in reality.

The industry as a whole has a grasp on the issues and many organizations have worked in recent years to help security leaders develop individual skills that get them closer to these goals, step by step. There is an abundance of magazine articles, certifications and seminars with that aim, and industry associations continue to partner with business schools to help security leaders better understand business. Still, few manage to capture the designations of “business enabler,” “executive influencer,” “security aligner.” What’s missing?

Business schools and industry business programs are perhaps the most useful existing resources pointing security leaders in the direction of success, yet they leave out an important element. Taught by business professors, they focus on helping security leaders understand business practices and speak the business language. But these programs fail to continue to the next stage: How do they marry business processes with the job of risk mitigation? How does security become a business unit in its own right?

Knowing how to talk business doesn’t equate to an automatic understanding of how security adds value. It doesn’t give security professionals the practical programs to implement to support the business. Like any other business unit, security must follow a process to attain true management support and align with business. This process includes documenting work efforts to show what security is actually doing on a day-to-day basis. It includes the often arduous task of meeting with all key executives of the business units to find out their plans and to discover the role security can play in their goals. It also entails holding business unit leaders accountable for their decisions on what risks are important to mitigate and at what level. This is the type of knowledge that has allowed the few truly aligned security leaders – people like those who will appear in this magazine’s Most Influential list next month – to reach their level of influence and success. But where do you learn how to do this?

Research conducted by the Security Executive Council has identified seven personas that most security leaders generally fall into. One of the first steps to learning how to move up this continuum is finding out which category you’re in.

  • Those new to security or new to their industry
  • Those interested in learning the other side (an IT leader learning corporate security or vice versa)
  • Program creators/validators, who are creating or recreating programs due to changes in corporate leadership or strategy
  • Program facilitators, who have established security programs at a maintenance level, generally with limited resources
  • Urgent innovators/expanders, who have established programs and are responding to significant situations, yet looking toward emerging issues
  • Program expanders, who are expanding on existing boundaries and roles of security, thus advancing internal business alignment
  • Next-Generation Leaders, who are working at an industry or national level. These individuals are rare. They are future oriented and work across many domains. They are aligned and are influencers in their organizations.


Many of the elite individuals who have reached Next Generation status are Tier 1 Security Leaders™ in the Council, but they make up a very small segment of current security leaders. We’ve spoken with them about how they reached their level of success, and in most cases it comes from a combination of understanding the corporate culture, organizational readiness, personal ingenuity and motivation, mentorship, strategic thinking and great timing. Yet one of the questions we frequently hear from even these top-tier individuals is, “How do I teach my people to be more strategic?” Reaching a state of influence and alignment doesn’t in itself give a person the ability to show someone else how to do so, and often at this level there is little time to show others how to get there.

Thus, there is a wide gap in the transfer of valuable knowledge to security leaders, and this gap is dangerous. It means that the rare organization that now has a Next Generation Security Leader in place may have to begin nearly from scratch once that individual retires, because no successor has been able to grasp the secrets to his or her success. It means that when the industry loses one of these few, it has to start over every time and simply wait for the next visionary to show up. It means our industry will never move forward.

The Security Executive Council has a roadmap that will help us fill this knowledge transfer gap. Next month in this space we’ll start discussing what the industry can do.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Bob Hayes

You must login or register in order to post a comment.



Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.


Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security June 2015 issue cover

2015 June

In this June 2015 issue of SecurityIs the security director business’s new “corporate rock star?” Find out how CSOs can become the new leaders of their enterprises through mentorships, partnerships and creatively adding business value. Also, learn how security professionals are training employees in cyber security through games. And why are deterrence and detection so important when it comes to thwarting metal thieves? Find out in this issue.

Table Of Contents Subscribe

Body Cameras on Security Officers

Body cameras are being used increasingly by police in cities across the U.S. Will you arm your security officers with a body camera?
View Results Poll Archive


Effective Security Management, 5th Edition.jpg
Effective Security Management, 5th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.


Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.