A complementary Conference Board report provides a reason: in a challenging economy, the C-suite is often more protective of staff, though insistent on squeezing budgets. With a glimmer of silver emerging from the clouds, these same executives can spend more time on performance evaluation.
Report Card ComparisonsThe 2010 CEO Report Card and its comparison to 2007-2009 ratings appear elsewhere in this article. While the Report Card breaks down CEO expectations into 14 elements, C-suite executives look at the big picture as well as the critical details.
Chuck Robey, with 40 plus years of professional diversified service including management positions, believes that, for some C-suite executives, there still needs to be a mindset change. In these cases, “top corporate management may see security as holding to an outdated philosophy of ‘controlling and enforcement’ rather than a philosophy of ‘service and consultation.’ When this outdated corporate fish bowl syndrome occurs, security generally has two basic options, either positive or negative. Obviously, in order to survive in this contemporary security society, the response must be positive” and proactive, Robey contends. Check out his Proactive Road article at www.securitymagazine.com.
Back to the BasicsIt’s a matter of basics when security operations are evaluated by top management through their understanding of the relationship of risk, threat and vulnerability, then prioritizing security decisions, according to John Culwell, a security executive with the City of Phoenix water services department. “Security must not interfere with the business needs of an organization; if it does, it cannot be effective because executive management will revisit the risk, threat and vulnerability relationship. We all (security professionals) understand that risk is something you take, threat is something you face and vulnerability is something you accept; our bosses expect us to mitigate, prevent and reduce,” says Culwell.
But “executive management’s understanding of that reality is a major challenge,” Culwell adds.
On the topic of challenges and change, however, while top executives are pressuring security on performance issues more deeply, there is no doubt that economic times are somewhat changing in 2010 compared to 2009 and 2008.
With no control over a turbulent global economy, CEOs had retrained their sights onto “bread and butter” survival issues, while longer-term challenges, especially in talent management, were de-emphasized.
CEO Worries Jump Back and Forth“In that late 2008 survey, worries about global economic performance, business confidence, geofinancial instability, and integrity of capital markets leapt up into CEOs’ Top 10, and each has now dropped at least 10 places,” observes Linda Barrington, one of the report’s authors. “This year, all the challenges that jumped into the Top 10 in the crisis have now jumped back out.”
The critical issues of excellence in execution and consistent execution of strategy by top management have consistently remained at the top of The Conference Board list.
Focus on the Bottom LineSecurity must always see itself as a contributor to the bottom line. “Know what makes the business move and tick. Always ask yourself what is the business in business for,” suggests James Francis, vice president, security consulting services at T&M Protection Resources, who many times bridges the gap between the CSO and the C-suite.
But such happenings as workplace violence incidents, infant abductions, college hazing and safety violations can harm the value of a brand as well as a corporation’s stock price, observes Barry Nixon, executive director for the National Institute for the Prevention of Workplace Violence, Inc. Nixon was a speaker at this year’s first iSecurity online conference and exhibition, held by Security magazine. His presentation and other events from iSecurity are available archived at www.sdmmag.com/isecurity
In The Conference Board study, the challenge of government regulation also made significant leaps in the United States, particularly in the financial services industry. “Complying with regulations,” an essential business need in the Security magazine survey, garnered a rating a bit lower than last year, but enterprise security executives interviewed for this article suggest that with increase regulatory pressure, security is just one of a number of departments and layers in corporations with responsibility and that chief financial officers, chief information officers and corporate attorneys often play a larger leadership role.
A Return to Building the Business“Employers who’ve been forced to focus on reducing headcount will return to deciding whether to buy, build, or rent the skills necessary to meet future business needs,” says Mary Young, author of a report, Strategic Workforce Planning in Global Organizations.
“The economy’s impact on SWP is likely to be moderated by the level of credibility, acceptance, and integration that SWP had attained before the economic crisis turned things upside down,” Young adds. “In companies that were just getting their feet wet with SWP, the global economic downturn may have put a halt to these efforts, although only temporarily. The same is true in companies where immediate financial pressures required that SWP shift from long-term planning to short-term problem-solving. But in companies where SWP was well established, SWP served as a critical tool for managing through the economic crisis.”
What about Ethics?With enforcing ethics one of the 14 Security magazine elements, a more overall issue is the need for senior management and boards to move proactively to better integrate integrity and corporate strategy. “The time for integrity to be integrated into strategy has come,” contends Andrea Bonime-Blanc, general counsel, chief compliance officer, and corporate secretary of Daylight Forensic & Advisory LLC, who co-authored a recent topic report with Jacqueline E. Brevard, vice president and chief ethics officer of Merck & Co. Bonime-Blanc and Brevard are members of The Conference Board Global Council on Business Conduct, which joins company representatives from around the world to address issues of ethics, compliance, governance and stakeholder engagement.
An umbrella over all elements of the security mission and as understood by the CEO boils down to two words – risk management.
Dressing up Risk Management“The concept of enterprise security risk management, an integrated approach to identifying, evaluating and mitigating risk, once implemented, is both sustainable and adds value to an organization; it should be our goal,” comments Culwell.
Risk management, security, loss prevention, whatever the label or title, there are things that chief security officers can do to win or keep his or her seat at the boardroom table and the confidence of the bosses and stakeholders. Metrics is one area. So are two other strategies: One is the effective selling of a security plan and the other is better management of the relationship of the CSO to C-suite executives.
There are cautions when it comes to metrics, however.
Talk in C-suite TermsWhen it comes to selling a security plan or major purchase to the boss, CSOs will gain by talking and proposing business benefits common to the C-suite focus, not security’s focus and lingo.
Hatfield sees a two-step process when it comes to solid communications. “Security professionals need to understand the needs of each C-level executive and work to deliver the best security options. And security needs to be educated in communication to be able to address C level execs and have their points heard.”
Among her suggestions:
• Find out from your boss what “good” looks like and all who are involved in measuring “good” to make sure you’re meeting everyone’s expectations. After all, what seems good to you may only be mediocre to your boss.
• Ask the boss what kind of follow up he or she wants and what’s needed to meet the C-suite comfort level.
• Examine the boss’s style and adjust to that style. Peter Drucker says there are two key leadership styles: readers and listeners. The readers want data before you talk with them. The listeners want to talk before they read. And while there are many personality types in the workplace, if you can make this one distinction between the readers and the listeners, you’ll go far with managing the boss.
• Muster up the courage to tell the boss when you feel you haven’t been fully heard.
• Become aware of other managers’ styles, especially when they have a stake in the outcome of a project or plan.
The good news is that no matter how well or poorly security manages the boss’s relationship in the past, it can be re-crafted on every new project, adds Kelley. “Ideally, you want to create a relationship where talking from the heart is the norm, as then confrontation on serious issues won’t be difficult. In the end, it’s really about understanding your boss. When you teach your boss how to work with you and hone great communication skills with him or her, your work life will be happier and much more productive,” she stresses.
A Routine of Meeting ExpectationsImhoff also emphasizes the importance of a strong relationship with C-suite executives. “There is no better way to communicate security’s value to the C-suite than to establish a routine that creates the expectation of essential information on a regular basis.”
He adds, “It’s imperative these meetings and/or communications succinctly focus on key elements of security performance and highlight emerging issues with recommended, cost-effective solutions.
About the CEO Report Card
Surveys were sent to Fortune 1000 and other company CEOs, presidents, chief operating officers and chief financial officers with a promise to maintain confidentiality of responses. Companies had to have a staffed security department, operation or established staffer. The respondent companies range from $405 billion to $90 million in revenue, from 2.1 million employees to less than 500. Enterprises range from retail, manufacturing, financial and transportation to government, utilities, healthcare and educational institutions.
Selling Yourself and Your Ideas to the C-suiteHere are seven things to do and three things to avoid, according to Patricia Fripp, management consultant and author. The Fripp Do’s:
1. Practice. A report to the C-suite is not a conversation; however, it must sound conversational. Once you have your notes, practice by speaking out loud to an associate, or when you are driving to work, or on the treadmill. Make sure you are familiar with what you intend to say. It is not about being perfect. It is about being personable.
2. Open with your conclusions. Don’t make the C level audience wait to find out why you are there.
3. Describe the benefits if your recommendation is adopted. Make these benefits seem vivid and obtainable.
4. Describe the costs, but frame them in a positive manner. If possible, show how not following your recommendation will cost even more.
5. List specifics, and keep on target. Wandering generalities will lose their interest. You must focus on the bottom line. Report on the deals, not the details.
6. Look everyone in the eye when you talk. You will be more persuasive and believable.
7. Be brief. The fewer words you can use to get your message across, the better. Jerry Seinfeld says, “I spend an hour taking an eight-word sentence and making it five.” That’s because he knows it would be funnier. In your case, shorter is more memorable and repeatable.
The three Fripp Don’ts:
1. Don’t try to memorize the whole presentation. Memorize your opening, key points, and conclusion. Practice enough so you can “forget it.” This helps retain your spontaneity.
2. Never, never read your lines — not from a script and not from PowerPoint slides. Your audience will go to sleep.
3. Don’t wave or hop. Don’t let nervousness (or enthusiasm) make you too animated — but don’t freeze. Don’t distract from your own message with unnecessary movement.