It’s a tough life out there.
There is more
business pressure to succeed. Chief security officers (CSOs), wanting that
C-suite seat, now are more visible and vulnerable. In a slumping economy, there
is more concentration on budget constraints. With regulations, rules and
liability in their face, CSOs know more eyes are on them. And thanks to
convergence and the networking of security data, there is the stress of working
– successfully – with the information technology department, which is fondly
revered by CEOs.
So it’s not
surprising that there’s a lot of failure out there.
Security Magazine
surveyed CSOs on why some colleagues fail at their job.
Of course, there are
many successes.
For Tim Leiweke,
president and CEO at AEG, it’s a matter of picking the right team and
encouraging them. At his monster L.A. Live project, “After our initial systems
integrator selection process was completed, our General Manager Lee Zeidman
(who assisted in the initial selection process) continued to run point on the
project with our Security and Technical Projects Manager Paul Flannigan
overseeing the installation, testing and training of our personnel who are now
responsible for our security.”
At Domino’s Pizza, the
difference between success and failure is a matter of staying ahead of the
curve, especially when it comes to protecting information.
“At Domino’s we
are in the process of implementing a corporate-wide data loss prevention
initiative to avoid any accidental loss of private or proprietary information,”
said Karl Anderson, network security manager, Domino’s Pizza. “We realized that
e-mails being sent to partners and vendors, such as insurance providers, may
contain information, like Social Security numbers, that must be encrypted
before sending.”
But Col. Thomas
Davis knows the test of failure. As the director of the Texas Department of
Public Safety (DPS), he recently announced his resignation following an arson
fire at the Governor’s Mansion and evidence of serious security problems that
day but also department problems going back to last year. faced budgetary pressure but at the
same time may have not faced and reacted to warnings from his employees.
For example, the San
Antonio Express-News recently reported that DPS troopers said they spoke to
higher-ups about increasing the security detail at the mansion “months before
the fire,” but
told a legislative committee that he received no requests for additional
troopers to help guard the mansion. So he's gone.
In an e-mail survey
and in interviews with security executives, Security Magazine determined a
number of issues that may lead to failure or even firing.
At the top is a lack
of communications. A danger sign is when the CSO is detached from the business
and focuses only on security. Another can-be-fatal flaw is forgetting that
value perspective when talking about security risks. Some respondents said that
holding back information on a serious incident can show you the door. When it comes
to technology purchases, especially those running on a corporate network or handling
business needs as well as security, the C-suite and IT will not be pleased if
the tech doesn’t work, or doesn’t work as promised.
And there is no
doubt that how a CSO handles change is an important element of the difference
between success and failure. This month’s News & Analysis section has a
lead article by John Baker on how to manage change.
What follows here
are thoughts, advice and experience of CSOs and security managers on what
elements they see as leading someone to failure or firing.
Dick Lefler, Security Executive Council Emeritus Faculty and Former Vice President for Worldwide Security at American Express
The failure of
managing an upward relationship is often due to a lack in understanding the
perspective of your boss. In companies,
strategic planning is used to align resources, which drive goals and focus by
management. Security leaders who fail to
align their security goals to the business goals, no matter how valuable their
ideas, run the risk of failing to “get it” and are at risk of losing relevance.
When working with
your boss’s staff, it is important to build close and trusted relationships
based on candor and common goals. Your
boss speaks with their staff repeatedly and garners significant feedback as to
your contributions. Some security
directors assume positions that they only work for their boss and not their
boss’s minions, an attitude that can prove painful. On the issue of your own
staff, a security director or chief security officer must focus on helping
employees work to achieve their own goals, and while it is overused, creating a
win-win is very desirable.
When related to
upgrades, retrofits and new technology, make the business case. For any upgrade
or new technology, it is after all about reducing costs, and improving
protection and delivery of products and services. A great security upgrade that
fails to translate the improvement to benefits to the company business and
accomplishment of business leader’s goals puts any security director at risk.
Jeff Dingle is the Director of Security Training for LSI
The boss often does
not understand security. If security
reports to a facility or operations manager,
they may not know anything about security - which is why they hired
YOU. This is especially true with a
CFO. Occasionally, security information
or recommendations need to be broken down into very simple terms, so that the
senior non-security manager really understands what the needs are.
Barry Tarnef is a Loss Control Specialist with Chubb Marine Underwriters, Chubb & Son
People in the
security and, for that matter, most professional areas, need, and in my opinion
many lack, imagination. I am not referring to the ability to conjure up fanciful
images but the ability to translate meaning to experience and understanding to
knowledge. In my mind you develop real skill through a combination of theory
and imagination.
Most people can
certainly comprehend and follow instructions and are very comfortable with “the
letter of the law;” however, you can quickly separate the mere knowledgeable
from the skilled when they are asked to stray from the written page.
I am also a
proponent of owned/shared, not vicarious, experience. Many people get most of their
“intell” from local sources. This is the nature of the business I suppose but
it is much better that you experience the essence of the situations firsthand
and couple that with local information rather than rely solely on others and
the inherent (spatial, time, cultural, etc.) filters.
Maria Chadwick is Director of Surveillance, Wynn Las Vegas
Sometimes the lines
of communication simply don’t exist.
This can be the result of having an undefined chain of command, an
unhealthy work environment involving differing points of view or even an
information black hole (somebody who has information but neglects to pass this
information on). People often make the
mistake of editing their information for what their audience “wants to hear” as
opposed to what they “need to hear”.
When working with
their staff, unfortunately some managers are more concerned about being one of
the guys instead of being a leader/boss.
Coaching, discipline and feedback whether it be positive or negative are
ineffective because they have blurred the line between personal and
professional. These managers believe
they are doing a good job if they are liked by their staff. Conversely, you have those managers who
believe that fear is a good motivator.
These managers may be insecure in their positions or may feel they are
superior to those “below” them. This
type of environment breeds mistakes, causing people to always look over their
shoulder waiting for the next explosion to occur. In any event, too much of either environment
can be detrimental to the effectiveness of a department.
We fear what we
don’t know and people become uncomfortable with change, i.e. the mentality of
“if it’s not broke don’t fix it.” People
who have not changed with the times and have not kept up with advancing
technologies are more apt to stick to what they currently use, even though it
may be proven to be less efficient and more costly to maintain. Often they
justify a lack of spending as a benefit when in reality they are causing more
harm than good. The longer they wait,
the higher the costs become because more of the infrastructure will eventually
have to be upgraded.
People leave people.
I am a firm believer that people will leave a job when they do not enjoy whom
they are working for or do not feel appreciated. Individuals want to belong to a bigger
picture and feel like a part of the group.
At the end of the day, everyone wants to feel like they have
accomplished something. It becomes
worthwhile work with a sense of pride and purpose. If people are recognized for the efforts,
they won’t want to leave.
Gregory C. Allen Sr., Program Director, Professor, Bellevue University
There are several factors that play into why these individuals do not work well with their boss. First of all, that person may not have the knowledge of that boss in what that organization’s belief is on security and their mission. I have seen that quite a bit lately. Another problem is that this person may not have the education and experience, as much as their boss does or it could be the other way around. Either way, those issues need to be addressed so there is a basic understanding of each other. There needs to be a constant communication with your boss for a basic understanding of the operations and the support of what needs to be accomplished. Many times a boss does not think security is an essential tool of an organization and that security professional has a very difficult time convincing that there is an importance for this tool to become part of that organization. This also occurs quite often.
Attitude of that
professional is a key issue, especially if that person comes from a previous
position where he or she has had the latitude to do anything they wished to
do. Today, organizations are looking for
a person to be well rounded with what they do and if this professional is not,
then there could be an issue with this.
Being able to work together and gain that respect and understanding is a
key issue on both sides of the spectrum.
Mark G. Griffith, Director of Security, Blount Memorial Hospital
When things go wrong at the C-suite reasons could include:
- Poor communication -- you have to learn what the boss needs from you in your communication with him/her. Is he/she interested in the details or do they just need an overview? How often do they need this info?
- Letting the boss get blindsided by an incident -- this brings their credibility into question to those above him/her.
- Not showing a passion for your work -- in our line of work you better be or you will not survive.
- Low standards -- if you show you will accept a lower standard than true professionalism, your good staff members will leave or their work will show that “acceptable” lower level.
- Not showing a commitment to your work -- staff can tell when their superiors do not have a commitment to the work they perform each day. Why should they if the boss doesn’t have it?
- Showing favoritism towards certain employees -- spread the appreciation around, not to just a few. It costs nothing but can turn a mediocre employee into an excellent one.
- Listen to your employees -- they are on the front lines. They see and hear things that can alert you to critical needs.
- Show your appreciation -- when inclement or severe weather causes my officers to work extended periods of time I come in with pizzas or loaves of bread with luncheon meats and drinks. I want them to know I appreciate the extras they are performing for the hospital and its staff.
The biggest mistake I have seen security professionals make is not looking outside of their arena to find opportunities for taking on more responsibility to provide additional services to their company. Many tend to try to stay in their comfort zones with the typical security services (equipment, guards, investigations, etc.) and fail to identify areas where they can add more value. The most valuable departments in a company are the last ones to be placed on the list for budget cuts or FTE reductions when those times roll around.
There is failure to provide good leadership. Weaker security professionals don’t communicate well and usually don’t provide a clear vision of where the department is going and what it will take to get there. Have a plan and delegate responsibilities to the staff in order to instill ownership in the plan. That also provides more opportunity to recognize achievements and celebrate significant accomplishments.
Unsuccessful security professionals seem to focus on what their needs are today rather than what they forecast their needs will be five years from now which leads to mistakes like purchasing proprietary programs/equipment and relying on old technology. That methodology may “fix” a problem today but create even bigger problems in the future with acquisitions or business expansions.
Jeff Kistler, Manager of Safety/Loss Prevention and Traffic Services, VF Outlet
You need to be open to new ideas and make every attempt to implement the changes that they want. You still have your opinions and you need to be able to discuss them openly with your boss.
In 20 years at VF Outlet, I have always remembered the analogy of the young tree and the old tree standing in the wind storm. The old tree stood firm in its beliefs and didn’t bend to the wind and eventually fell and died. The young tree bent and moved with the wind, accepting the changes in the breeze. You need to be that young tree and accept change in whatever direction it is blowing, because if you stand firm you’ll be blown out the door and they will find someone to replace you who is more accepting of change.
Rodney Pettus, Security Operations Manager, Jones Apparel Group
Communication is key and if the projects given to us are not clear then we are set up to fail before the project is even started. If we could just slow down, make a few notes, and then give the employee what they need, it makes it easier to succeed. Let the employee tell the boss their ideas which will make them feel needed.
Not giving the proper training can lead to failure. Most feel that 15 minutes to 30 minutes is enough time to learn any new equipment given to us. We are all different with a different learning curve. Some people do pick up quicker than others but by not making sure all is clear before releasing someone on the new equipment, we assume they should know it since the other half of the room does. Take a few minutes and use a different technique…who knows the person that was the slowest might turn out to be the best operator.
Ivan Hurtt, product marketing manager of identity and security management at Novell
CISOs and CSOs are often separated within organizations, but if they are organized to support each other instead of placed in competitive or contentious situations, there will be infinite benefits to any business.
A CSO will succeed if he or she enforces consistent security that is based upon business policies and compliance standards. Those security practices should greatly improve governance and operational efficiency. A CSO will also succeed if he uses effective security practices that enhance a brand’s reputation and create a huge competitive advantage. Security can be used to bring in business opportunities and enhance relationships among partners, customers and prospects. Security can also be used to integrate physical and IT systems to protect an entire organization while leveraging the right information for all employees to do their jobs. By completing these tasks, and leveraging security in these ways, the CSO will be able to show value back to the business and be viewed as an equal partner among his peers.
Some of the activities that can cause a CSO to fail are:
- If he brings in processes that are divergent from business goals or social acumen of the company
- If he brings in processes solely to “check the compliance box” without actually bringing value to the organization.
- If he’s unable to demonstrate or articulate value to the organization and thus his recommendations are not funded or heeded.
- The integration of physical and logical security systems, so the holistic threat environment is understood by the entire organization.
- Tying IT and physical systems together to facilitate greater governance and business optimization.
- Trying so hard to meet compliance standards that more security holes are introduced, or more complexity abounds.
- Adding new technologies that aim to solve a business problem, but when not integrated properly, can shut down systems and leave room for DoS attacks.
- Allowing wireless access, but not managing that access or where the connectivity is coming from.
- Allowing removable storage devices within the organization that aim to promote productivity and flexibility, but when not managed appropriately, open the door for massive breaches.
Ultimately, security executives realize the need for security. The frustration, sometimes openly, arises when a security executive is trying to convey the possibility of a security risk to someone who thinks about security from a value perspective. Specifically, how can you measure the effectiveness of a security program without an occurrence? If a security program is working, then you are not having security incidents. It is harder to justify the need for increased budget in this scenario. There is no way to show immediate value; however there are ways to show value over a period of time. Showing pessimism or anger during verbal exchanges with their direct reports only further alienates the security executive. The moral of the story? Maintain a cool, level head and only as a last resort, should you go around the executive hierarchy - doing so, even accidentally, can have far reaching impacts.
Other big issues arise when security executives alienate and do not communicate security incidents to upper management. Upper management should be given an immediate briefing of severe security incidents. Not doing so could make your direct reports look poorly in the eyes of their upper management. In addition to immediate reports, when warranted, a monthly security incident report with some of the highlights for a given month is also recommended. Don’t make yourself an island or you might find yourself stranded.
Communication, while building rapport with C-suite executives or upper management, will further the CSO’s agenda for being “proactive about tomorrow’s uncertainties.”
The biggest problem I have seen with managers and staff is the reluctance to let “A” players grow. An “A” player, according to Jack Welch in the book “Straight from the Gut” is someone you should do anything in your power not to lose. Alternatively, “B” players have the opportunity to become “A” players and finally “C” players you get rid of quickly to make room for the opportunity for more “A” players. Make no mistake, “C” players will stay around and leech off your budget, stagnate the growth and potentially get you in trouble. Moreover, “C” players could be promoted as a result of seniority when “A” players move on.
Clearly, more than ever, security executives are investing in “bleeding, not leading edge” technology. I have witnessed the purchase of hundreds of thousands of dollars of security equipment based on demonstration and the promises of sales persons. Only later do these security executives realize that they had invested in the wrong technology. These decisions make big impacts upon C-suite executives. Bad and usually expensive decisions can irrevocably damage the perception of the security executive in the minds of upper management.
SIDEBAR: Failure: Not Listening to Others
After more than 40 years at the Texas Department of Public Safety, Colonel Thomas Davis, its head, is now with his head rolling. In a short message he said he was resigning at the end of August. What brought him down, beyond a loss of confidence in him, was the early June arson attack on the Governor’s Mansion. A report about the incident that severely damaged the historic site included the fact that only one trooper was assigned to guard the place and he had more than just security duties. Only 13 of 20 security cameras were working and a motion detection system wasn’t operating properly. More telling, it's been reported that DPS had reports of inadequate security months before.
SIDEBAR: Success: Communications and a Business Eye
The newest – and still developing – attraction in downtown Los Angeles is already drawing patrons from throughout Southern California. And from the time each sets foot on the property, they are under the protective eyes of hundreds of cameras and a dedicated staff of security officers. Security is a top priority at L.A. LIVE, a $2.5 billion mixed-use project that is expected to help reshape the downtown area. It is located across the street from STAPLES Center, a 20,000-seat sports arena, and adjacent to the Los Angeles Convention Center.
Tim Leiweke, President and CEO – AEG, set the security tone along with the integrator, ADT Security Systems and his internal security staff.
“We don’t keep it a secret to the opportunists that might hang around L.A. LIVE that if they step on our property, they will be closely monitored,” said Barry Stanford, CPP, director of security for project developer AEG. “We want to maintain a safe and secure area for the thousands of visitors we have almost every day.”
AEG, a wholly owned subsidiary of the Anschutz Company, is one of the world’s leading sports and entertainment presenters. The company owns and operates venues around the world.
ADT has provided video surveillance and access control equipment and the design of three security command centers, along with maintenance and fire system monitoring. Roy Remsburg, national accounts manager for ADT, said the company, which also provides security for AEG’s O2 arena in London, was brought into the project early in the planning process, but was given only three months to design and install the access system prior to the opening of NOKIA Theatre L.A. LIVE.
The cameras – all from Panasonic Security Systems – are an even mix of fixed and pan-tilt-zoom. There are about 100 cameras in and around STAPLES Center. About 200 cameras monitor NOKIA Theatre L.A. LIVE and the surrounding NOKIA Plaza, with another 100 aimed at the ongoing construction sites. All are recorded onto 33 16-channel DVRs, each with three terabytes of storage space, and enough to keep about three months of video at a time.
The access system for the theater and construction area is based on a C•CURE 800 backbone from Software House. NOKIA Theatre L.A. LIVE has one main entry, two VIP entries and an auxiliary entry that can be used to accommodate large crowds that arrive within a short time frame. Everyone – including patrons, employees and performing artists – entering the building goes through security checkpoints that include a magnetometer from Garrett Electronics and a hand search of all bags.
The theatre’s security command center, located adjacent to the seating and stage, has two security officers on duty 24 hours a day. Additional staff is added during events, of which 120 are expected during the theatre’s first full year of operation. Officers can review live and recorded activity on one of four, 20-inch monitors or choose a 50-inch monitor mounted above the console for closer inspection of events.
In addition to monitoring the main entries and the surrounding plaza, the officers also monitor a subterranean vendor vehicle entry. Vendors are required to present a photo identification card that is passed through a visitor management system from STOPware. The system prints a temporary badge, which the vendor wears while onsite. Vendor information, including the time the person leaves the project, is recorded on the access system.
Security for the entire project is divided between two AEG teams – STAPLES Center/NOKIA Theatre L.A. LIVE Security and L.A. LIVE. The former group is responsible for activities and events inside the STAPLES Center and NOKIA Theatre L.A. LIVE. L.A. LIVE’s responsibilities include the one-acre plaza, two onsite parking structures and other surrounding exterior areas.
Stanford, a 17-year veteran of the Los Angeles Police Department, said the two teams work closely together.
“The coordination between the two teams is seamless,” he said. “For example, if we have to remove a patron from one of our events for violation of venue policies, we immediately notify the L.A. LIVE team members and they will use the cameras to monitor that person until he is off our property,” he said.
The three command centers are all networked and interoperable. If one or two of the centers goes out of service, all security functions for the entire project could be maintained from the remaining command center or centers.
A wireless handheld reader is used to help confirm the identity of all employees as they report for work each day. As they arrive on the site, all workers are required to swipe their ID badges through the reader being held by a security officer. The device communicates with the access system to display a picture of the person so the officer can confirm that there is a match. They repeat the process as the workers leave at the end of the day.