Making the CSO the Next Enterprise Leader
Congratulations, security executives, soon you will officially be the “corporate rock-star.”
That’s according to one industry analyst, Ted Schlein, who is also a general partner at Kleiner Perkins Caufield & Byers. In the article, “The Rise of the Chief Security Officer: What It Means for Corporations and Customers,” published by Forbes, Schlein wrote: “For business leaders today, no task is more important than ensuring confidence and trust in the organizations they lead. The boardroom has woken up to the importance of security – and to the enormity of what it will take to protect company and consumer data from attacks.”
What that means, Schlein says, is: “At the urging of the board, CEOs are putting a premium on hiring a first-rate Chief Security Officer (CSO) to lead the charge to protect company and consumer data. I often say that the CSO is the ‘corporate rock-star of the future’ because exceptional ones possess a combination of skills that rarely appear in one person.”
In the Forbes article, Schlein outlines several skills that a CSO must have, including being technically adept; technically curious; a Chief Politician, Communicator and Crisis Manager; and must inspire confidence when speaking with reporters and to the public when the inevitable breach occurs.
“The good news,” Schlein wrote in the Forbesarticle, “is that there is no single set of experiences that a great CSO must have. Just as the role of data scientist barely existed a few years ago, the CSO role is evolving. I’ve seen successful candidates from a number of backgrounds. So focus less on whether CSO candidates fit a specified checklist and more on how they combine a security background with the attributes needed to push change in the organization.”
Jerry Brennan of Security Management Resources (SMR) Group recently conducted a study to determine specific qualities, perhaps “rock star” qualities – or competencies – of CSOs. “Our results indicate that an outstanding CSO excels in the areas of strategic skills, organizational positioning and personal/interpersonal skills.”
SMR partnered with Premier Profiling, and it employed Lominger Leadership Architecture, a model that defines 67 competencies. They asked senior executives at 39 firms to review all 67 and then pinpoint the top 20 that they believe define exceptional performance in security and risk management. Listed here in order from most to least cited are those critical competencies:
- Ethics and values
- Business acumen
- Integrity and trust
- Comfort around higher management
- Strategic agility
- Written communications
- Customer focus
- Decision quality
- Dealing with ambiguity
- Organizational agility
- Building effective teams
- Managing vision and purpose
- Presentation skills
- Managerial courage
- Motivating others
- Problem solving
- Interpersonal savvy
- Political savvy
- Developing direct reports and others
“First, perhaps not surprising is that two of the top three competencies relate to integrity and ethics. After all, security is by definition a highly sensitive sector that demands discretion and trustworthiness at all times, in all roles. It takes just one security breach to create a global PR nightmare for an organization today,” the authors say. “Also striking to us among these core security competencies is the importance of interpersonal effectiveness – at various levels, with different groups, and internally and externally: bosses, direct reports and customers/clients. Communication skills – both written and oral – are critical in these contexts, as are strong listening skills and composure, a key factor of emotional intelligence. Time and time again, we find in our assessment work across sectors and functions that these ‘soft’ skills are the ones that are going to make or break an executive’s career.”
Now that you know the top competencies for a security executive and leader, what can you do? According to Brennan, you can “evaluate the security team you have in place now to determine how they measure up against these qualities. Then you can create training and performance reviews to specifically address any areas for development.”
I presented these competencies to several CSOs, including John Turey of TE Connectivity; Bryan Warren of Carolinas HealthCare System; Claude J. Nebel of Cargill; and Ken Senser of Walmart and asked them what they are specifically doing in their enterprises to lead. What do they believe are essential competencies for a successful security executive? Who mentored them in their careers?
Bryan Warren, MBA, CHPA, CPO-I, Director of Corporate Security for Carolinas HealthCare System, believes that an enterprise security executive should not only have traditional leadership qualities and good business acumen, but that they also understand exactly what their role is in the organization and be willing to invest the time and energy into educating themselves to the specifics of their profession.
“Change management, solid communications, innovative problem solving, setting vision and strategy, these attributes are all great, but only if you can consolidate them with enhancing your own skills and knowledge about your industry and understanding and navigating the politics of the private sector,” Warren says. “Many business executives are too prescriptive in their approach to security-related issues, and we have to educate them that irrational situations cannot always be resolved through rational formulaic processes. As a successful security executive, you have to able to fuse your experience and industry knowledge, which is an art, along with metrics and return of investment strategies, which is a science and produce the craft of effective security.
Part of a growing trend, John Turey, Senior Director, Enterprise Risk & Security for TE Connectivity, attended college with the goal of being an enterprise security executive. He graduated college with a focus on private security management and quickly became involved in trade associations such as ASIS and ISMA, and received his CPP. He’s currently on the Education committee at ISMA, an experience that gives him “a network of peers to help drive improvement in the industry and help me with my leadership growth.”
His leadership skills, he says, include “being a visionary and having a good perspective of the future of the company, in addition to taking a long-term view of the business, the market where your company operates, and having a customer focus. A CSO needs to spot emerging trends as the world is changing faster now than ever before, and to work to foster an environment of innovation, as well. I also believe that you need strong communication skills. It sounds so fundamental, but it’s about communicating our goals effectively to our team members, and listening to our customers.”
Turey says that he is always “challenging myself to think about what’s next, where we will be in the next three, five, seven years, and holding myself accountable for what I do, while being humble in recognizing that someone may have a better approach. One thing that I'm emphasizing with my team is innovation – being innovative in our approach to succeed our customer’s expectations. There’s always some innovative approaches that can be applied to investigations or project management, but I've found by having innovative discussions with our customers early on, we are becoming better business partners.”
Claude J. Nebel, Vice President and CSO for Cargill, came from a successful career with the Bureau of Diplomatic Security, U.S. Department of State to his current role with privately-held Cargill. Now in the private sector for the past eight years, he says, “One of the most significant developments in today’s business world is the way that multinational companies are structured along with their truly global footprint, so you have to adapt how you work in a multi business environment. It can be daunting at first. When I was with the federal government it was structured down, but now, business units almost operate independently. You need the ability to be collaborative, to deal across the breadth of various business units and work with each individual group to find their security needs, as one size does not fit all.”
Mentors and CEOs
Have you been blessed with a mentor who showed you by example? Turey says that he has been blessed to have a number of leaders who have invested in his development and have taught him about leadership and risk-based decisions. Robert Littlejohn, Principal of RFL Associates, a global security consulting firm and a Professor at Pace University Graduate School, he says taught him early on in his career that if you make a mistake, you can learn from it and become a better leader. “The common themes I see in those leaders who have invested in me is that they are innovative, they inspire teams, and they make smart risk based decisions,” Turey says.
Being blessed with a CEO who allows you the freedom to lead is what Warren says helps in his role. “The primary step is earning a level of trust so that when adverse events occur, your C-Suite knows that you will address the situation appropriately so long as you have the requisite support when it is needed. This requires a lot of time and a proven track record of success, which can be difficult to obtain, especially if you have routine turnover in your administrative oversight. Many business leaders are accustomed to dealing with reasonable people and rational issues. Security, as we know, rarely provides such situations. The very reason that you need a security leader is for the unknown and unexpected events that occur and to be able to manage them quickly with minimal impact to your customers and assets. The three questions that many executives typically ask when a security leader requests resources are ‘What is the cost,’ ‘What is everyone else doing’ and ‘What happens if we do not do this.’ We as security executives needs to create a culture so that the questions become ‘What is the initial investment and ROI,’ ‘How will this investment further our strategic goals’ and ‘Why will doing this make us a market leader that others can learn from.’
“One should never use scare tactics to get what they need, as this may result in short-term gains, but ultimately it results in long-term loss of credibility and respect, and that is what erodes the trust that we all work so hard to build. Security is a complex and dynamic field, and the threats are constantly evolving, but through maintaining open channels of communication, maintaining a high level of integrity and being a ‘loyal critic’ with our administrations, we can turn these risks into opportunities to better ourselves and others. Remember, we never really lose; we win or we learn.”
Ken Senser, Senior Vice President for Global Investigations, Security, Aviation, and Travel for Walmart, came from a career in the public sector with more than 20 years working with the CIA and the FBI as assistant director for security. He was influential in the creation of the FBI security division, leading it through the events of 9/11. He adds, “One difference between the public and private sector is the speed of the business, especially with retail, which moves so fast and requires continual change to effectively serve customers. The whole shopping experience is evolving quickly. Security has to support the business and provide security solutions quickly. If you don’t have top talent you are at a disadvantage,” which is why Senser and Walmart as a whole focuses much effort on mentoring and recruiting top talent. “I know how to run a security organization,” he says. “I now have a serious responsibility to position Walmart security for excellence into the future. I can’t do that without a deep reserve of talent, so spotting and developing that talent is important for me and my leadership team. In addition, with security being a male dominated industry we have tried to be deliberate in spotting diverse talent and encouraging that talent.”
Walmart Security Leadership
The size of Walmart – employing 2.2 million associates around the world -- 1.3 million in the U.S. alone – in addition to operating in 11,450 stores in 27 countries – opens the company up to risk. Senser says that after 9/11, Walmart realized that the world was changing and thus, risk was changing as well. “Retailers usually have a robust loss prevention program, which Walmart had, but they didn’t have a global security program, and that’s what I built from the ground up.”
During his career Senser has had several leaders who gave him great guidance and helped shaped him as a leader. If he was sincere, he says, and asked for help, the good leaders always responded, so he has tried to be a similar leader in the sense that he makes himself accessible to his team. “Over time I have had to learn to lead differently. I strive to be less directive and more consultative, and it allows my team independence to run their programs. I ask for accountability and for results. We have a process at Walmart where we solicit grassroots feedback on how to become better leaders.”
Walmart as a global corporation has four basics beliefs, Senser says, and at the top is respect for the individual. “It’s not about letting someone off the hook, but giving them every opportunity to succeed,” he says. “The other three are excellence, integrity and serving the customer. My team and I have applied the Walmart way of working, things like operating at ‘Everyday low cost’ so we can provide the customer ‘Everyday low price’, but then we have put the security spin on it. I am teaching that if you are going to be successful, you have to think like a retailer. I teach my team to advise the business units on how to achieve their business goals, and to respond with solutions for the business that are comprehensive, that cross organizational boundaries and are timely. We give them options versus just telling them no.”
Senser also follows five competencies that govern his performance and all executives at Walmart: decision making, strategic and total company perspective, being a culture champion, building and developing talent and diversity and inclusion. “In order to continue to be successful at Walmart, I have to excel at these competencies,” he says.