Common Circumstances of Reinvention
There are at least four common circumstances that call for reinvention of the function:
- A shift of focus in an existing function. This may happen when an organization decides to pursue the convergence of physical and logical security, or when legislation or standards require changes in the governance of the function, for example. A shift of focus is generally the least demanding circumstance for reinvention.
- Merger or acquisition. The complexity of this type of reinvention will depend upon many factors, such as the sizes of the organizations, locations, cultural differences and accepted security postures of the companies involved.
- New functions in maturing organizations. As organizations grow and their needs and risks change, they may create new security functions for responsibilities that were previously handled informally or by other business units.
- Broken functions. Occasionally senior leadership will recognize that an existing function is not effectively mitigating the risks that are important to the organization, and they’ll bring another resource to the table that might help them fix it.
Milestones to Reach
- Understand the problem statement. This is not only important for the leader of the reinvention effort, but also for the senior management. In the cases of M&A and new functions, the problem statement may be fairly clear to most. In the case of a broken function, it can be a significant challenge. You as the leader may have to quickly examine and assess the function and discern the cause or causes of the dysfunction. That’s a big hurdle to clear.
- Understand the culture, business overview and executive priorities. In some instances you may need to work hard just to get a seat at the table to truly understand what the C-suite priorities are for a new function, but getting that seat is critical.
- Assess the risks. In the very short term (30-90 days), assessing risks across the enterprise may be a daunting task, perhaps not even doable. If at all possible, you should aim for a reasonable assessment of the risks to the organization at the enterprise level. Initially you may only have time to interview key stakeholders and assess little more than anecdotal evidence. A more robust process will need to follow as you mature your organization.
- Understand your inherited team, service delivery, core competencies and where each succeeds and fails. It’s key to understand the gaps between service delivery and your developing goals.
- Re-establish broken relationships and “disinvites.” In the case of a broken function, one of the biggest hurdles to reinvention is reestablishing broken relationships and what I call disinvites—when security has basically been shouldered out of cross-functional or interdepartmental discussions, decisions and processes because of legacy problems. You have to re-establish security’s role in those things through increased communications and reaching out, but you also have to re-establish credibility.
- Develop a game plan. Once you’ve assessed the organization and the function and discerned the gaps and their causes, you will be able to lay out the roadmap for the new, reinvented function. Some tips on developing an effective plan:
a. Articulate the value proposition to the people that need to hear it.
b. Plan for short- and long-term wins.
c. Tie everything to your strategy; operational effectiveness alone is not enough.
d. Make sure that the proposed solutions “fit” the enterprise.
e. Consider scale and sustainability.
- Develop appropriate new relationships; plant seeds to build/rebuild processes. Once I have a game plan in mind, I plant conceptual seeds especially in the C Suite, so that I can go back to what feels like familiar ground on my next visit with the executive.
- Gain sponsorship. All of this effort is wasted unless senior management and other business leaders understand and support the vision of the reinvention. Make sure that you articulate the value proposition to C-suite and to your new alliances across the organization, as well as to new and legacy team members.
- Understand and remove obstacles.
How to Lead Reinvention
- Conceptual skills. You must be able to see the enterprise as a whole, recognizing interdependencies between functions as well as political and social nuances. In my experience, you don’t generally have the luxury of unlimited time and resources to work these things out. Sometimes you have only 45 to 90 days to assess, put the plan in place, design the team and start the process of inventing your new organization. Get in front of the current team and pay close attention to what’s going on with them, how they’re interacting with people and what their relationships are like.
- Communication skills. You have to be able to successfully sell your value proposition. You must understand the various audiences whose support you’ll need, and you have to be able to speak to each and to highlight the aspects of your plan that are the most important to them.
- Ability to establish and drive a sense of urgency. Encourage your team members and allies to recognize the importance of the task at hand. The market segment of the organization(s) may make this job easier or harder. Most of my corporate life I’ve been in the field of high tech, where time to market for new products might be a matter of months. In this market, a sense of urgency can become imbued in all aspects of the business.
- Ability to accurately evaluate talent. This skill is key to re-establishing relationships and credibility. The first step to regaining credibility is getting smart people to the table; either re-focusing some existing talent or recharging the organization with new people. I like to “draft high”; that is, to find the most talented people I can, people with strong decision making skills, experience and expertise, without regard to how exactly they’ll fit into the organizational chart. That part will work itself out over time. As they work competently through issues and problems, they will by default begin to rebuild these broken relationships.
- Willingness to allow your team both to succeed and to fail. The team you put in place must feel empowered to make the decisions necessary to move the function forward. If you’ve drafted the right team, the failures they experience are likely to be of the minor variety. It may feel like a risk to turn over the reins entirely to a new team, but the right people will generally make good judgment calls. They understand security and are on board with a mutual vision.
- Comfort with ambiguity. When you reinvent a function, particularly when you’re dealing with a broken function, you have to be willing to play in the gray space. Things do not easily fall into categories of black and white. When I get comfortable, which doesn’t happen often, I know something is wrong. If you’re comfortable, you’re not innovating.