Security Leadership and Management

Coping with Changes to Company Leadership

Though we deal with risk every day, there is one risk that rarely makes it into our risk management plans – a change in organizational leadership. Whether the result of an internal structural shift, an external hiring decision or a merger/acquisition, a change in leadership and reporting can signal a challenging time for security.

The new leader will have his or her own agenda, goals and view of what security does and what security’s role should be. If this does not mesh with your view or your existing strategies and operations, some meeting of the minds will be necessary.

You could choose to accept this risk, essentially ignoring it and dealing with the fallout as it arrives. However, a better choice would be to mitigate the risk by preparing for it and making the transition to new management as smooth and productive as possible.


What You Need to Consider

New leadership tends to fall into one of three categories.  

1. The Advocate. This is someone whose security goals align with yours and who is prepared to defend you and the security team in conflicts with other management. You can tilt this option in your direction by being armed with documentation of what security has accomplished to date, what your function does on a day-to-day basis and how successful it has been.

2. The Associate. At some level your goals likely align with this leader’s, but this is someone who can best be described as a significant customer. You may disagree on the details of how to achieve security’s goals, but you will have to accept that in this case, “the customer is always right.” In this situation you want him or her to understand the value security brings to the organization. You need to be prepared to present a convincing case to ensure the boss ends up a satisfied customer.

3. The Assassin. This leader likely does not understand security’s role in or value to the organization. He or she may have a mandate that is at odds with your understanding of risk management within the organization. This situation may require a damage control approach, but in any case it necessitates preparation and a thorough understanding of your adversary and your current operating environment, because you may need to defend previous actions. If you can show that existing customers of security value your services, it will go a long way toward discouraging adversarial action.


What to Do

A proactive approach to new management is the best recourse; views are easier to change before they become entrenched. If a new leader is making statements to others about what he or she is going to do to “fix security,” then pride may prevent them from recanting or modifying their initial position. A preemptive strike may be required, and if you are not prepared to execute on it wisely, you may do yourself more harm than good.

Do some thoughtful investigation of why new management is being brought in and what the new leader’s background is. Ask yourself hard questions, take the viewpoint of the new management and be brutally honest with yourself. Is this new management likely to start up a new security program? Has he or she been brought in to help turn around risk-related failures, to realign functions or to sustain success? What led the organization to this point?

Next, do some research on the new leader’s career history. Identify the most likely security issues and risks they have faced in previous organizations. What industry-specific issues or regulations did they have to address? Be prepared to answer questions related to these issues.

If the new leader is an internal reassignment, identify the security services they would have used. How much have you spent on their previous business group? What experiences have they had previously in dealing with security, and were those experiences helpful or problematic? Understanding how your customers feel about security will help you understand how best to approach them.

Whether the new leader is an advocate, associate or assassin, you will need to educate them on what your department does. You will need to show the value of security and demonstrate how others see value in security. You will need to have documented results.

If you do not currently have this information, you need to develop it internally or with the help of a third party. It will help you immensely in the leadership transition and beyond.  




This article was previously published in the print magazine as "Facing a Change in Leadership."
