My company’s prime objective is not to stay secure. Its objective is not to manage its own risks or maintain business continuity or protect its assets or detect network intruders. My company’s objective is to ____________.
Most corporate senior management teams expect their security leaders to be able to easily fill in this blank. Many also expect their CSO or equivalent to take it a big step further by linking every one of the company’s security-related initiatives with that objective. Even CEOs who have shown little direct interest in security are starting to follow this trend. It’s all part of business’ evolving understanding of what security leadership is and who should be practicing it.

The Elements of Leadership

In 2006, the Security Executive Council conducted a study that found that companies were increasingly hiring professionals with business backgrounds into their top security positions. These results followed a long trend: historically, companies have predominantly hired security leaders with backgrounds and experience that speaks to the most pressing issues of the day.
In the 1950s and 1960s, they looked for military veterans; in the late 1970s and early 1980s, many began to focus instead on a background in law enforcement. From the 1980s through the mid 1990s, corporations began promoting security leaders from inside their own business who were familiar with their company’s culture, internal processes, brand and customers. At the same time, companies began reacting to international competition, quality initiatives and technology by hiring managers with executive leadership skills, such as the ability to manage large budgets, to negotiate, influence peers, coordinate external initiatives, lead staff and communicate and present effectively. And with the advent and growing popularity of the Internet in the mid 1990s, many organizations began hiring IT professionals to head security programs company-wide.
The trend of hiring businesspeople as security leaders actually began in 2003 and 2004, when companies started looking for business skills, such as an ability to align security with the business and to add value through security functions, in response to extreme competition and pressure on Wall Street to maximize profit and minimize cost.
The problem with companies’ tendency to hire security leaders with single, narrow skill sets is that when the risk picture changes and the pressing issue of the day fades into the background, these leaders have a harder time adapting to the new challenges. Instead, long-term success in security leadership comes through a blended skill set that includes major elements from each of the knowledge areas we’ve mentioned, as well as another: awareness of emerging issues.
Many security professionals who haven’t come from business backgrounds continue to struggle to acquire or hone the business alignment skills that are becoming more and more necessary in today’s business climate.

Joseph Hannigan, Associate Director of Executive Education at Kellogg, says that increasingly, government agencies are learning how to apply security business concepts to their agencies.

Aerodynamic Security

Globalization has made companies more complex, and the more complex an organization becomes, the more difficult the security leadership role has the potential to be. In addition, as our economy continues to flounder, corporate boards and senior management are demanding more value and lower cost, and that means making sure that no dollar is wasted. Some are slashing budgets and staff just to stop the financial bleeding, but many are using the downturn as an opportunity to cut with surgical precision. These organizations are increasingly looking at “lean” principles and other management philosophies like Six Sigma and continuous process improvement to increase business efficiencies. They’re eliminating waste—examining all elements of the business to determine which are critical to the success of the prime objective.
Security isn’t immune.
Knowing and working within the business strategy is the best way to succeed in such an environment, says Joe Nelson, Security Executive Council Emeritus Faculty in charge of the Security Leadership Information Sharing Initiative. “I call it aerodynamic security,” Nelson says. “Just like an automobile, a high-performing organization has to be streamlined. It has to have very little to slow it down, and the proper security organization therefore takes on a shape that allows for optimization and less resistance. Residual risks have to be managed, so business leaders need executive security leaders who are dynamic, who understand the business environment and can navigate for the company the absolute optimum solution. This keeps the business moving at a rapid rate with the minimum number of encumbrances while at the same time optimizing the cost of security protection. That’s a true skill.”
Dan Rattner, visiting scholar at the College of Professional Studies and College of Criminal Justice at Northeastern University, has observed a gradual decline in senior security leaders without business acumen since 2001. “What we need to be able to do,” he says, “is to continue to train people to be strong contributors at that level.”
There are a number of programs of different types available to security leaders who want to work on these skills.

Dan Rattner of Northeastern University has observed a gradual decline in senior security leaders without business acumen since 2001. “What we need to be able to do,” he says, “is to continue to train people to be strong contributors at that level.”

Focused, Online Training

The SEC Live online seminar series was launched in January to give security practitioners in any location access to live seminars, presented by industry thought leaders, who deal with executive-level leadership concerns. The online format is a good way to maintain and advance relevant skills especially when budgets are tight and travel and conference funds are short.
Joe Nelson, who directs the program, says SEC Live seminars focus squarely on the business element skills that are so crucial today. Previous and upcoming seminars will cover topics like managing careers, business alignment, managing change, building on the company strategy and developing core metrics. And the seminars are all based on tried-and-true thought leadership, built from the Security Executive Council’s knowledge base and taught by industry veterans who have themselves led successful security programs at the executive level.
“We are very particular about the content and the value deliverable that we provide in SEC Live,” says Nelson. “Participants not only walk away with deeper understanding of certain subject matter; they walk away with tools that they can use and apply directly.”

Mahlik of the FBI’s Directorate of Intelligence says that the Kellogg program "understands the nuances and challenges we face as a public organization."

Educational Resources

Some security professionals strongly advocate that all executive-level leaders earn their MBA. This would certainly assist them in learning business element skills, but it isn’t the only helpful option universities can offer. Some have degree programs and certifications specifically targeted toward security practitioners.
For 10 years, Michigan State University (MSU) has been offering an online version of its on-campus Master’s degree program in security management. This graduate specialization deals with the business side of security, as well as administrative, legal and management issues. Radford Jones, an academic specialist in the MSU School of Criminal Justice, says the university strives to present an advanced security management curriculum within a business context. “We want to develop leaders and managers who can provide to their executives a position paper that says what the risks are, what needs to be done, how it can be done cost effectively, and that shows some careful research into the expected results. We try to explain that security management is an integral part of the management of the business and you have to be part of that. Understand the culture of your organization. Understand the markets they’re working in and the legal requirements of them.”
MSU also offers three-course online certificates in various specializations, such as homeland security issues, threat assessment, public-private partnerships and emergency planning, all of which are designed for individuals in any field who wish to enhance their understanding of these issues.
Jones adds, “We ask our students (many of whom are practitioners): What does the company Web site say? What is the business objective of the company? Your security objectives need to be lined up with that. Are you going in the same direction? Because if you’re not, you’re going to be the loser.”
Like MSU, Northeastern University in Boston offers both an online Master’s program and certificate. Northeastern’s MS in Criminal Justice Leadership is intended for both public- and private-sector practitioners, according to Rattner. It focuses on issues of leadership, communication, integrity and ethics, and Rattner believes it can also remove some of the barriers between the public and private sectors and enhance information-sharing.
The certificate program in security management, on the other hand, is designed specifically for mid- and senior-level security management professionals across industries who wish to learn about the connections between business functionality and the threat environment, as well as post-9/11 regulatory issues that play a role in this interaction.
“Absolute security is impossible when you are in a for-profit environment,” says Rattner. “You have to accept some risk and transfer some risk, and you’ve got to make prudent decisions. If you go in always screaming that the sky is falling, you’re going to lose credibility, and then you’re done. What we need to do is continue to train and educate security practitioners to be good, smart, prudent businesspeople and understand that there is risk inherent in business. Otherwise you wouldn’t be generating a profit.”

Custom Programs

Individual membership organizations and agencies in both the public and private sectors also offer training that is tailored for their members. The International Security Management Association (ISMA) developed a partnership with the Kellogg School of Management at Northwestern University to create the ISMA Senior Executive Leadership Program. Daniel Diermeier, Professor of Managerial Economics and Decision Sciences at the Kellogg Graduate School, has been director of the program since its inception. “After 9/11 it became clear to everyone in the C-suite that security had become a very important corporate function,” Diermeier says. “And that meant that CSOs were getting much more exposure to the C-suite and to board members, but many did not come from a business context and had difficulty interacting effectively with executives at the strategy level.”
The Senior Executive Leadership program was designed to develop senior executives’ leadership skills and to improve their ability to interact with their companies’ senior management and corporate board. The program was initially for ISMA members only, but now it is also open to individuals who are recommended by a sponsoring ISMA member, according to Max Brenton, current president of ISMA.
The FBI has also partnered with Kellogg in a two-course executive development program that shows FBI executives, agents and analysts how business concepts can be applied to their agency. Much of the FBI’s executive education program concentrates on organizational change.
The program was born out of the shift the FBI experienced after 9/11, says Joseph Hannigan, the program’s academic director and the Associate Director of Executive Education at Kellogg. “The FBI had always been consistently branded as ‘the premier law enforcement organization. After 9/11, they had to become a national security organization with a dual focus: continued excellence in law enforcement; and terrorism prevention and intelligence,” he says. Considering that the agency already had a remarkably broad scope of responsibility, this shift added an entirely new level of complexity to an already intricate organization. The FBI began searching for training that would help its people—from the Director to first-line supervisors—effectively lead and navigate the changes that were occurring in the Bureau’s mission. Recognizing that they could leverage the knowledge of the business world to meet this challenge, the Bureau requested proposals from the country’s preeminent business schools, and Kellogg won.
“We don’t know intelligence,” says Hannigan. “What we have is an understanding of how complex organizations work through dramatic changes. A lot of government agencies are coming to realize that they have a lot to learn from corporations and the business schools that educate the top corporate executives.” The skills that help the program’s students navigate the change from a singular focus on law enforcement to national security and law enforcement can be used to lead and manage future organizational shifts as well.
Tom Mahlik, Chief of the Domain Management Section of the FBI’s Directorate of Intelligence, has been through the program. He is leading a number of new intelligence program initiatives associated with the FBI’s transformation and is impressed with the range and impact the training has had in helping to solve problems. “Kellogg has been able to blend a number of corporate best leadership practices into our culture and accomplish it in a way that inspires new thinking,” he says. “They understand the nuances and challenges we face as a public organization, and at the same time they’re helping imbue the lessons learned from the C-suite of corporate America into the FBI— from leading change to managing in a crisis. The program has included a breakdown of business cases that introduce opposing perspectives, new ideas and alternative approaches to make FBI leaders better decision makers. What does ‘good’ change leadership look like? What internal and external communication networks need to be in place? What change implementation processes work?” All of this adds up to changed behavior on the part of each person who is playing a role in fulfilling the Bureau’s mission, says Mahlik.

Business: The Language of Dialogue

The FBI’s collaboration with the Kellogg School illuminates one more reason that business training is important for security professionals: It will enable more effective dialogue between the public and the private sector.
“Public-private partnership is such an important component both from the point of view of the Bureau and the commercial sector,” says Diermeier. “It gives the Bureau an ally who can translate the need for anticipation and intelligence-gathering and quick response, and it gives the business a valuable asset to help manage the security function appropriately. The benefits of partnership are tremendous, but they get lost sometimes because you have two people speaking different languages and communicating different concerns. Having a CSO that can serve a business function on one side and an agent who understands how business operates on the other side makes it go so much more smoothly and increases the chances for success.”
As the Bureau increasingly reaches out to businesses to share information and protect the country’s economic security, security leaders must do their part to learn the language that will unlock this dialogue.

Everyone is a Leader

When the FBI first launched the executive education program, it exclusively targeted high-level executives. But they quickly realized that the training needed to go further, according to Mahlik. “We needed to communicate this new way of thinking to all supervisors throughout the agency, because everyone is a leader in their own sphere of influence.”
This philosophy applies in corporations, as well. Security professionals who are several steps down the chain of command in their organization should not think they don’t need to work on the skills discussed here. The security program will enjoy much more success if everyone acts as a leader in his or her own sphere of influence, walking in lockstep with the business and making the business’ objective a personal mission.

How will you bring about change?

Wharton/ASIS Program for Security Executives Enters Sixth Year

The security risks facing your organization are greater than ever, yet these rising challenges may not be reflected in your budget. How can you communicate a clear business case for investments in security? How can you present your strategy so the C-suite will listen and approve your recommendation? How can you manage your own resources to make the most impact for your organization? The Wharton/ASIS Program for Security Executives: Making the Business Case for Security offers core business knowledge from one of the leading business schools. The program is entering its sixth year.
The Wharton/ASIS two-week program is designed for chief security officers as well as managers next in line for future leadership. It’s also appropriate for senior level managers with responsibility for making a business case for security needs.
The program covers the core concepts of business to broaden managerial and strategic perspectives, enhance business instincts and sharpen the ability to tackle management challenges. It also draws upon the insights and current research of Wharton faculty, and includes discussions and cases centered on the challenges of security executives.
The program uses specific case studies in security management to illustrate strategic concepts and key business skills in finance, marketing, management and leadership. To bring lessons on leadership to life, for example, one of the sessions examines critical strategies and decisions made during the Battle of Gettysburg.
Key session topics include strategic thinking, leadership, managing people, negotiation, essentials of finance and fundamentals of marketing.
The first week-long segment is followed by a month-long interim period. During that time, the class continues to interact with one another and with faculty through a secure Web Café, which allows participants to test and apply new knowledge at work before returning to the classroom for the second week.
The course is taught by:
  • Charles E. Dwyer, PhD, Associate Professor, Educational Leadership Division, Graduate School of Education, University of Pennsylvania;
  • Jagmohan S. Raju, PhD, Joseph J. Aresty Professor, Professor of Marketing, and Chairman, Wharton Marketing Department, The Wharton School;
  • John R. Percival, PhD, Adjunct Professor of Finance, The Wharton School and CEO, JRP Associates;
  • Mario Moussa, PhD, Principal, CFAR (Center for Applied Research), Inc. and Senior Fellow, Leonard Davis Institute of Health Care Economics, University of Pennsylvania
  • G. Richard Shell, JD, Thomas Gerrity Professor and Professor of Legal Studies and Business Ethics and Management, The Wharton School
  • Mike Useem, PhD, The William and Jacalyn Egan Professor, and Professor of Management, The Wharton School

“This is a challenging and relevant experience for senior security leaders,” says program graduate Vincent Jarvie, vice president of corporate security at L-3 Communications Corp. “The insight to align security objectives with key business drivers results in a significant competitive advantage.”
The Wharton/ASIS program is offered Nov. 30-Dec. 4, 2009 and Feb. 1-5, 2010 on the University of Pennsylvania campus in Philadelphia. For more information, visit
noframe/index.html for program information or registration details.