In the headlines we read much more about leadership failures than leadership successes. The security professional aspiring to that coveted corporate executive position may find it daunting to watch the parade of fiascos and consequences the past several years have brought: Enron, HP, BAE, HealthSouth, Vivendi, Parmalat. While there’s much to be learned from these leadership breakdowns, do their lessons really apply to security leadership? If so, what can the aspiring security executive do to develop the skills that will help him or her avoid similar catastrophes once in the top position?
Getting the best answers to these questions means asking the right people – corporate security executives who’ve already faced the lions and become recognized, both in their organizations and the industry at large, as successful leaders. Several members and faculty of the Security Executive Council, an international professional membership organization for leading senior security executives, agreed to share some of the secrets to their success and the resources they relied on to get there.
WHAT IS GOOD SECURITY LEADERSHIP?Jerry Brennan, founder of Security Management Resources, a global executive search firm dedicated to corporate security, emphasizes the importance of first recognizing the difference between management and executive leadership. “A leader is a visionary, someone who can drive strategy and who understands the levers of power in the corporation, and someone who can clearly articulate his or her vision. There’s a lot of marketing involved in that. A manager has to think strategically as well, but there you’re dealing with people leadership, results and personal leadership, effective delegation, rewarding performance, developing employees.” Many executive positions today ask for a combination of leadership and management skills, according to Brennan, but it’s important for the security professional to clearly understand the differences between them.
Leadership is not about telling people where to go and what to do; it’s about showing them the path you would like them to take and inspiring them to follow it. “The basis of leadership is having the characteristics that cause people to want to follow your lead – to listen, adapt and follow your example,” said David Burrill, former head of security for BAT Industries (British American Tobacco), a major global insurance and tobacco conglomerate, and founder of Burrill Green, a management consulting firm for corporate security.
Security leadership at the executive level is in essence no different than executive leadership of any other business unit. “In the corporate world you need to be a business leader, period,” said Dwight Williams, vice president of security for DynCorp International LLC, a multi-billion-dollar provider of specialized technical services to government agencies. “It’s about the business at the end of the day.”
While knowledge of the security field is an important factor of success, the ability to talk business at a level on par with other corporate executives is critical. Burrill explained, “The rest of the C suite needs to look at the individual and say, ‘That guy is like us. He has different technical competencies but we’re comfortable with him, he’d fit in well, and he’s bound to bring value to us which extends beyond the pure efficiency of his function, which happens to be security.’ If the senior executive doesn’t have that sort of profile, he will always be looked upon as a corporate cop. He’ll be there because he has to be, but nobody will discuss anything but security with him because they don’t think he’ll understand, and if he does, they don’t reckon that he’ll bring any thought leadership or value to any conversation in which he is involved. That’s pretty damning.”
If business skills are vital, what specific business knowledge, skills and characteristics must the security professional develop to avoid being seen as the corporate cop?
ARE KNOWLEDGE, SKILLS AND CHARACTERISTICS NECESSARY?
Know the Culture. Success begins with knowing business culture in general and the culture of your business in particular. According to David Burrill, one of the most difficult challenges for security professionals coming out of the public sector is learning to understand how the private sector works. The gap between public- and private-sector processes is wide, but can be overcome by the attentive and open-minded professional.
Lorna Koppel, director of IT security with Kohler Company, said that learning the culture of the organization and where you fit into it is first priority for leading successfully in the context of the company. “Be highly observant and watch others around you at your level and higher. Pick up things they’re successful at and avoid things that they’re less successful at.” Your leadership style should depend upon the culture and needs of the company, according to Koppel.
Jim Hutton, director of the global security department of Procter & Gamble, agrees, adding that you also need to recognize and remedy any disconnects between your style and the organization’s. “Understand that what you think you need to deliver may not in fact be what they need. What you’re good at or best prepared for may not be the best fit for the new mission. Being willing to address the gap between your background and the mission is really important; you have to be confident enough to go out and learn new things.”
Enable the Business. Leading security is your job, but you can’t succeed at it unless you put the needs of the business first and then tailor security to those needs. “I tell my people that we start from yes, we don’t start from no,” said Hutton. “We may have to heavily caveat our yes sometimes, but it’s a general rule. We make them mindful of the constraints, but we enable them. And then the five percent of the time I have to say no, absolutely no, they’ll listen.”
“You have to know the risk appetite of the company and how you can match your security program to that,” said Leslie Lambert, CISO and vice president of IT for Sun Microsystems. Security is traditionally viewed as a naysayer, always telling the company what it can’t do. “But we should be learning to talk to business folks about what is possible instead of listing out all the limitations,” Lambert said.
If your security stance doesn’t resonate with the business, added Kohler’s Koppel, you can’t expect business to change. You have to change your message. Corporate security may have legitimate and even critical concerns, but if they deal with them in a way that’s counter to business goals, they’ll fail.
Know Security. While business knowledge is the number one priority for successful security leadership, an in-depth knowledge of security – specifically corporate security – is obviously also important. But that doesn’t mean you have to be an experienced installer, said David Burrill. “You wouldn’t expect a leader to be able to site security video or directly run a guard force or know how to break into a combination safe. But you would expect him or her to know that there is a range of activities for which there must be technical competencies, and to know that the people he’s employing or outsourcing to have the adequate competencies,” he explained.
Security acumen is critical because, according to P&G’s Hutton, “your solutions are going to have to be well grounded and well crafted. Executives are getting more sophisticated in this space.” If you’re proposing a solution that’s outdated or has proven ineffective at a similar organization, decision-making executives will recognize that and shoot you down.
Communicate Effectively. Communication is key to successful security leadership, both with other executives and with the security team below you.
“As security professionals in the corporate or IT side, we have to be strong in business language. If we can’t present our issues in a business framework or in business lingo, (C suite executives) are not going to understand what we’re talking about and they’re not going to understand why we care,” said Koppel. And if that’s the case, they’re certainly not going to support your initiatives.
Effective communication with senior management must begin with the very first meeting, said Bob Pappagianopoulos, CISO of Partners Healthcare System Inc. “Don’t go to senior management the first time and ask for money. When you have your first meeting with the people with the purse strings, make sure it has nothing to do with asking for funds. Find out what floats their boat – economies of scale, efficiencies, fast fixing – and then focus your requests on something that would interest them.”
The same rule applies to communication down the chain, with your security team. As soon as you’re appointed to a leadership position, said Pappagianopoulos, “have a meeting with all the people in the room. Even if they’re at different locations, you have to have a physical meeting and say ‘Here are the guiding principles I tend to manage by,’ so they know.” If you’re open about your style and expectations from the beginning, team members can begin adjusting to your leadership immediately.
Make yourself available in person or by phone or e-mail, and make sure your employees know they can contact you with any questions. When they do contact you with a question or concern, listen carefully, take it seriously and give them a helpful response. When you receive e-mails from employees, reply to them, addressing the sender by name. According to Miki Calero, CSO for the City of Columbus, Ohio, you can’t overestimate the impact of a personal touch. “People respond to you if you care about them,” Calero said.
“I practice management by walking around,” said Dwight Williams of DynCorp. “It’s important to be seen. It’s important to let people know you’re involved, you care and there’s a sense of urgency about what you’re collectively doing. It’s hard to do that if you’re never in the office or you’re never around your team.”
Sun’s Lambert said that she’s recognized that her team performs better if she shares her thinking with them, explaining how she reached a given idea or conclusion. “If you can teach your staff to do what you would do, you don’t have to micromanage anybody. And if your team doesn’t ‘get it,’ maybe you’re not showing them how you got there and what it’s all about.”
Build the Right Team. “There’s a strong correlation between team chemistry and success,” said Calero. “Without team chemistry, you will be thrown more often into micromanagement.” When you as a security leader have the opportunity to create your team from the ground up, you’re at an advantage. Don’t rush to fill positions; take your time to find the right people. Recognize that you must choose based not only on experience, but on character, said Pappagianopoulos. Will they collaborate? Are they inquisitive and flexible? Will they listen and share their own observations? These are all important factors to consider.
If you’re coming into a position where the security team already exists, you have a greater challenge. Calero said, “I dedicate a lot of time to understanding what each (of my existing team members) can do for me. Then I envision how each can meet a specific need, which can build on another’s strengths, in all contexts. This is not a quick process; it has to have time. You have to know how to bring the most out of them.”
Be Flexible. Jim Hutton believes that an inability to be flexible is a deal-breaker for successful security leadership. In a business environment where acquisitions and divestitures are in the headlines every day, the security leader has to be ready to move where the company takes him. “Have an intellectual curiosity on how to follow the business,” he said. “Be mindful of fact that the job you take may become very different in a short period of time.”
WHERE CAN YOU GET THE SKILLS?A security professional interested in moving up to the executive level can leverage a number of resources to help him or her develop the skills of quality leadership. It’s important to start this development process early. According to Security Management Resources’ Jerry Brennan, “If the job is looking for an executive leader to drive strategy, they are not going to want somebody in training.” They’ll be looking for the executive confidence, communication and vision during the interview process.
P&G’s Hutton recommends that security professionals begin their leadership development two years before they hope to transition to an executive role. That gives them ample opportunity to take advantage of any training provided by or assisted by their current organization.
MBA programs, while longer and more expensive than some other training options, will pay dividends to the security manager looking to become the security executive. Other programs exist specifically to train security leaders in executive leadership skills, such Johns Hopkins University’s Police Executive Leadership Program, the International Security Management Association’s Leadership Programs in partnership with Georgetown University and Northwestern University’s Kellogg School of Management.
“The Security Executive Council is also a marvelous vehicle for learning,” said David Burrill.
Many universities and business organizations offer individual courses on presentation skills and financial acumen, and internal training provides another valuable resource.
“Pick up a little reading,” recommended Kohler’s Koppel. “There are plenty of management books out there. Pick books that are written for a higher level than you’re at. If you’re a manager, pick up something at executive level, and pay attention to the language.”
Burrill encourages aspiring leaders to find coaches or mentors who are already proven leaders in the field. “Some people don’t like the title (coach or mentor) because they feel it implies they’re deficient, which is nonsense. The people who have the most potential are the people who are most prepared to seek a coach or mentor. The weaker people tend not to, perhaps because they don’t want to appear that they need help or they lack confidence in their own ability.” In reality, said Burrill, working with a mentor is peer-to-peer, bouncing ideas around with someone who has had a similar experience.
While coaching is extremely useful, said Calero and Lambert, always remember to take your mentor’s advice in the context of your own situation and not to discount your own instincts.
CAN LEADERSHIP BE LEARNED?
All the above resources exist to train individuals in the skills needed to achieve strong leadership, but successful leadership also relies upon certain traits and intrinsic personal qualities, such as vision and the ability to inspire and motivate. Can these be taught? Burrill contends that they cannot. “There is an issue of aptitude,” he said. “With the right aptitude, people can learn. I believe leadership is natural to a person but can be improved with training. But I don’t believe with training you can make a person who does not have leadership aptitude into a leader.”
If you aren’t sure if you have that aptitude, you could pay a fee to take what’s called a psychometric test to determine if you have the characteristics that lend themselves to successful leadership. Or you could take a good hard look at yourself. Jim Hutton advised, “Candidates should look at what motivates them and what their experience has been. Do you have the skill set to be CSO for a $20 billion company? What do you bring to the table? What can you develop in yourself? Determine the right job for you; don’t just apply to every job you see.”