Now back from the ASIS show, how are you going to convince the C-suite crowd to sign off on your plan? Well, more to the point, to sign off on you? Have you had that hard stare with the mirror and asked the person staring back:      
  • How can you communicate a clear business case for investments in security?
  • How can you present your strategy so the C-suite will listen and approve your recommendation?
  • How can you manage your own resources to make the most impact for your organization?
The folks at ASIS, in concert with the Aresty Institute of Executive Education at the Wharton School, have asked these questions. Through the ASIS/Wharton Program for Security Executives, many of your peers have been provided answers. Dr. Mario Moussa, academic director of the program, shared his thoughts about security management’s challenges and opportunities.
Security: What do you think of the fact that a person can earn an MBA and never take a security management course?
Moussa: It underscores a potential blind-spot in many organizations. In fact, a security executive has an important role to play in influencing the C-level mindset. CEOs tend to be focused on growth and performance. The CSO needs to focus on business resilience and continuity. Security needs to be involved in overall organizational performance and avoid being viewed as a narrow, technical function.
Security: How do you frame the security function so it aligns with the values and beliefs of the entire organization?
Moussa: We have identified career barriers that limit most security leaders from successfully reaching the C-suite. We work to help people reframe their focus and contribution.
Security: How do you overcome those career barriers?
Moussa: First, we work with participants to help them establish credibility by properly exhibiting expertise and competence. Often, people do not know how to properly develop trust and position themselves as a competent business person rather than a functional specialist.
One key way is to adopt business language instead of technical security language. Avoid talk about reduction in shrinkage or loss prevention terms. Talk instead about impact on earnings as a result of reduction in shrinkage. Then we focus on relationships. The security executive should actively find ways to get involved with senior management. Join committees, task forces, etc. If the other executives don’t know you, that’s a problem.
Credibility and relationship building are critical. Of course, you need to work through formal reporting relationships, but you also have to pay attention to the “informal organization” – the web of relationships that exist in the “white spaces” on the official organizational chart.
Once relationship barriers are removed, then you should focus on the biggest barrier to the success of the security function: negative beliefs. Simply stated: Does senior management view the security function as a strategic asset or a cost? Being viewed a cost is a problem, since costs tend to get managed downward.
Security: Many of our readers get stuck knowing what to measure, and presenting it in a meaningful way. What do you suggest?
Moussa: That really goes right to our next barrier. The security leader must understand what the organizational value drivers are and define security’s value in those terms. So, you should not only use business rather than security language, but also use business rather than security measures. For example, concentrate on inventory turns, customer relationships, or employee retention. And it all ties together, because to get the attention of senior management in the first place, the security leader has to have credibility and the right relationships.
We work with our students to see a situation from the senior leadership’s perspective and goals. You want the C-suite to see security as a business driver. Too often, security leaders are focused on advancing security’s goals, and they reach this fourth barrier – interests – and fail.
Security: It seems that the organizational maze is a challenge for many of the security leaders you work with. Have you found a core reason for this?
Moussa: Yes, and it is our fifth barrier. Often, security leaders come from very hierarchical organizations (such as police or military) and need to learn a whole new set of ideas and language. We focus on unlearning what they know and then teaching them how to “speak the language” of a complex and non-hierarchical organization.
Security: How does Maureen Rush, VP public safety at the University of Pennsylvania and the top ranked University security and safety executive in North America, exemplify your program’s vision?     
Moussa: Maureen understands the credibility, relationship and language issues and has mastered them. She frames security’s contribution to senior leaders in terms of organizational goals and speaks at a business level.
Security: What is the big “Aha!” for your graduates?
Moussa: They think they will get answers to technical questions in our program, but the light bulb goes on when they realize they need a broader organizational understanding to be effective. They learn that both large and small organizations are facing similar problems and that most management and leadership issues are universal. They tend to be surprised to learn from other classmates that their position is not unique and that they have significant control over their own success and future. They begin to see themselves as empowered.
Dr. Mario Moussa is a principal and member of the Management Committee at CFAR, Inc, a strategy and leadership consulting firm that spun off from the Wharton School of Business in 1987. Dr. Moussa teaches in the Wharton Executive Education Programs and is the Academic Director for the ASIS/Wharton Program for Security Executives.