Security in 2012: When Better Isn't Good Enough
As a general rule, forecasting is a bit of guessing. Even economists, whose job it is to make sense of hardcore data and then give solid analysis, often are reduced to intelligent guessing.
But security leaders know better. They know what they’ll likely face in 2012, namely terrorism, workplace violence, fraud, cybercrime, regulatory compliance, natural disasters, theft, intellectual property, brand protection, budget concerns and more – the same trends identified in Security magazine’s 2011 Security 500 report.
They know that in addition to those issues, they'll also have to deal with the 2012 Summer Olympics, the G8 Summit in Chicago, two national political conventions, a Presidential election and more next year. They will need to find ways to successfully reduce risk and drive business value, all in a very tough economy.
We asked a few security executives for their insight into the issues in 2011 that affected them the most and what will be on their radar for 2012. Looking even further ahead, what does it take to become a next generation security leader?
The Internet, The App, The Video
“I would say that the security industry was impacted by the Internet more so than in past years,” says Guy Grace, director of Security and Emergency Planning for Littleton, Co. Public Schools. “2011 has shown that the falls of certain, terrorists, dictators, governments and organizations were started on the Internet. This year showed that the Internet became a powerful tool in war and protecting one’s country. All of us in the security industry are affected by what appears on the Internet – our businesses face cyber attacks, malicious information attacks, thefts and breeches every day. The Internet is so intertwined with everything we do these days, such as with our cameras, security systems, information, money, social life, politics and even how people protest. We now may hire or not hire a new employee based upon something found on the Internet. We have noted that the majority of our suicide and threat assessment evaluations come from information obtained in social sites such as Facebook. I have seen a world without the Internet, however, the persons that we recruit into our organizations most likely have been using it since the day they could hold a crayon.”
Along those same lines was the growth in mobile apps, notes Bill Anderson, Group Director, International Safety, Health & Security for Ryder System, Inc. “Our jargon has gone from ‘Where’s The Beef’ and ‘Can you hear me now?’ to ‘Is there an app for that?’ The growth of smart phones and tablets has not only benefited big business, it has created an innovation outlet that has few barriers and requires little, if any, investment. Most of us know, or have heard about, teenagers developing successful apps. The marketplace is full of apps that have been developed by small companies as a way to penetrate a growing market.”
But this growing trend will inevitably create security issues that will need to be dealt with, he says, including:
• Who owns the intellectual property when apps are developed?
• What else am I installing on my smart phone/tablet when I grab that new app?
• Are employees allowed to install non work related apps?
• Does it matter whether it is a personal or work device?
Of course, video cannot be ignored as a game changer in 2011. Hosted video made the biggest news, says Fredrik Nilsson, general manager, Axis Communications. “Three years ago at all the major tradeshows we saw nearly all manufacturers finally promoting IP video,” he notes. “Two years ago it was HDTV and megapixel. This year it was hosted video. Not only are established hosting providers continuing their growth, but many of the leading systems integrators in the country, such as ADT, NAVCO, Niscayah and Stanley, have announced surveillance-as-a-service solutions. We also had the leading data storage provider in the world, EMC, join the market. Hosted video is more than buzz – it’s here today.”
But while hosted video took center stage, let’s not forget the continued advancements in network video camera technology, Nilsson says. “This year we saw cameras that have superior low light capabilities, even able to see color video at night without IR assistance. I guess the next challenge for R&D is to create a camera that can finally see better the human eye.”
The movement from analog to IP video continued, as well, although some dispute the rate at which the transition seems to be happening, or not. What does it mean for security and IT? “That movement…saw IT departments becoming interested in the networking parts of security systems, looking to be viewed as the ‘security experts’ because they could link various equipment to a network,” says Keith Jentoft, president of RSI Video Technologies. But don’t expect IT to take over that role, he says. “While IT experts may understand the communications/storage/cloud services issues of a security system, physical security is more than an IT infrastructure. Physical security entails expertise broader than the skill of having various devices communicate over a network,” he says. “This skill set is unique and will continue to remain separate from the IT-centric staff,” he predicts.
Bring on 2012
What’s in store for 2012? At the top of the list, and prominently included in the Security 500 report, is cybercrime. “I am convinced that 2012 will continue to be dominated by all facets of cyber-related security risks,” says Eduard Emde, CPP, manager, security consultancy at Interseco and incoming ASIS International President for 2012. “These types of threats received significant exposure this year, which, in turn, served to increase the level of awareness within organizations and the security management community. I think that topic will continue to be of major interest for the year to come, as well as some other trends and developments in the organization and the security profession. While I cannot pinpoint the timing, the next development in the sourcing of security services is likely to come about within the next five to 10 years. This evolution will impact the security industry, but the main driver will come from organizations that upgrade the theme of universal sourcing. This could have quite an impact on the [security] profession.”
Similar to 2011, we’ll see the ongoing migration from analog video to HD for all of the security sectors, and this includes integration into an organization’s entire security program, predicts Grace. “I am seeing some very interesting feedback, interest and comments quoted in all of the sectors regarding migration,” he says. “In the public education sector, our greatest challenge is going to be converting, integrating and evolving our current infrastructure into the HD age. For Littleton Public Schools the main infrastructure for our security surveillance system was installed in 2003-2005. We have added to and improved the infrastructure over the years. Our conversion and planning process is slowly chugging ahead as we plan for the future course of actions regarding surveillance. What is very important for us and other public education agencies is to remember during the process that these are financially trying times. We have a responsibility to utilize what we already have on hand as much possible. We also have a responsibility to the taxpayers and the community we serve.”
Most of the IP penetration has been in larger systems (more than 32 cameras) where network-based video dominates because of its scalability, superior video quality and total cost of ownership benefits, notes Nilsson of Axis. In smaller systems (less than 16 cameras), most still use analog because of perceived cost and system complexity issues, as well as lack of education and application focus, he notes. “In 2012, I expect IP to penetrate these small systems at a much faster rate, thanks to hosted video growth and storage technology improvements with NAS devices and SD cards, which will create new system concepts.”
Without a doubt, security in 2012 will be driven by the larger macro-economic environment: a slower than expected economic recovery; government debt issues in Europe, which could lead to a regional recession; expanding purchasing power in Asia; and the expansion of supply chains as manufacturers look to meet demand by outsourcing before investing in production capacity, says Anderson of Ryder. Given the past and current business environment, Anderson says that he’ll personally be watching for:
• Outsourcing production to low cost markets;
• Transactional pricing to avoid investments in fixed assets and capacity; and
• Staffing domestic production through employment agencies.
What does that mean from a security standpoint? “As businesses move away from being the producers of goods to the marketers of goods, more emphasis will be placed on protecting a company’s brand reputation and image, and securing the supply chain related to producing the goods and getting them to market,” Anderson says.
Overall, security will stay the course, but will also Think Big, Implement Small, these security executives note. “For example, when times were better financially for school districts, we installed larger scale projects in more of a global sense,“ Grace says. “However, now improvements are mostly made in levels or on individual sites, if funding is granted at all. With limited funding, it is important to implement improvements that will be compatible with your organization’s vision and goals today and for the future. It is also important to understand as much as possible the future you are building towards. For example, it may be wise to install a demo at a site to see what and how the new technology may benefit your operation. The goal in the demo should always benefit the host site, and additionally, provide everyone insight as to what we should be building for. Perhaps the demo will be a winner, however; it most likely may save you from a failure down the road,” Grace says.
The Mobile Office and Security’s Role in 2012
As businesses continue to leverage their work force and employees seek ways to stay in touch while at work and on the road, mobility will be an issue that security needs to deal with in 2012, predicts Anderson of Ryder. “Employees on the go that no longer have time for a laptop…but, how does this trend blur the lines between work and personal life?” he asks. “If I am always available to my family, and always available to my company, is this a work device, or is it a personal device. This leads to some significant security and risk management questions that businesses will attempt to answer in the coming years.” Those include how secure is data in the cloud; will IT security rules, encryption and other limitations spoil the advantages of mobile devices; and when a device is lost or stolen, for example, who is liable for the personal and corporate data?
“It may seem as though the mobile proliferation has already made its mark,” adds David Feeney, director of Integrated Solutions, AlliedBarton Security Services. “But I expect this trend to continue to broaden and deepen through 2012. Security personnel [and entire organizations as well] are increasingly mobile, so the systems with which they interact will need to be mobile as well.” As such, he says, platform independence may gain momentum as more and more software providers and security executives experience this need.
|Money, Money, Money|
Will more or less money be spent on security in 2012? According to the Security 500 survey, in 2011, 47 percent of CSOs increased their security budget, 18 percent decreased it and 35 percent said it stayed the same.
“We are living in times that are completely unprecedented,” notes Gene James, director of asset protection for Jack-in-the-Box. “Today, business exists in a state of acute uncertainty. Consequently, this creates uncertainty with capital budgeting for security departments. In an environment of ever decreasing margins, there is no margin of error as it relates to ROI. We cannot gamble on emerging technologies with intangible and nebulous promises of return – we need the sure thing in this business environment.”
Increased security spending in 2012 is likely, says a report from Gartner, which predicts that worldwide security services spending is on pace to reach $38.3 billion in 2012, and surpass $49.1 billion in 2015.
“The security services market has changed rapidly over the last several years with a growing number of security technology providers offering their technologies as services, and customers often preferring services to save on operational costs while they consolidate resources to more strategic security related initiatives,” says Lawrence Pingree, research director at Gartner.
The IT management segment of security services is forecast to grow from $8 billion to $14.9 billion in 2015, almost doubling the size of the security services market for managed security using the outsourced management model.
North America is the largest market for security services spending, with revenue forecast to surpass $14.6 billion in 2012, and grow to $19 billion in 2015, Gartner says. In Western Europe, spending is expected to reach $11.9 billion in 2012 and total $14.4 billion in 2015. Security services spending in Japan is projected to grow from $5.1 billion in 2012 to $5.9 billion in 2015. In Asia/Pacific, spending will total $4.7 billion in 2012 and total $7 billion in 2015.
Heading to 2012 and Becoming a Next-Generation Security Leader
By Bob Hayes and Kathleen Kotwica, Contributing Writers
In Security’s June cover story, we argued that no single skill set or attribute guarantees security leadership success. There are simply too many variables among industries, organizations, management and security leaders for that.
The Security Executive Council’s recently released report, “The Nine Practices of the Successful Security Leader,” highlights commonalities identified among security leaders who are widely recognized as successful, both internally and externally. But while some of these nine practices – including conversing in business risk terminology and having a walk-and-talk management style – are the result of hard work, experience and skill, other important factors, like having top-level support from Day One, may be a matter of being in the right place at the right time.
Even if practitioners focus on achieving the nine practices that are under their control, they may not have the same results as they did for the security leaders discussed in the report. The acumen, personality and priorities of the leader will affect how the practices are carried out and received by others in the organization. Likewise, the organization’s view of security and the maturity of the security program can either nurture or stymie some of the nine practices. If management sees nothing more in security than incident response and physical access control, for example, then making management aware of what security is and does is crucial but extremely challenging. Again, skill and aptitude are crucial, but success also depends on being in the right place at the right time.
Security leaders who aspire to become what we like to call Next Generation Security Leaders – future-oriented professionals who work across many domains, run programs that are aligned with their businesses and are influencers in their organizations – should focus both on improving their aptitude and positioning themselves to be in the right place at the right time.
Assess to Find the Best Resources
Education comes in many forms, and not all of it is good or worthwhile. To determine what type of learning opportunities to pursue, security practitioners should first candidly assess themselves and their organizations in light of research like the Nine Practices report, peer feedback and industry benchmarks.
They can review or perform organizational risk assessments to refresh their perspective on the risks and opportunities security can or should address. They should also review the organization’s goals and evaluate whether security is helping to meet them. Then a personal leadership assessment is in order to help the practitioner see the gaps in his or her skill sets and decide whether addressing them could help enhance security for the organization. Through this process, a security leader can best identify the educational gaps he or she most needs to address. The next step is figuring out how and where to bridge them.
Mentorship. Developing a mentorship with a more senior or retired security leader you respect and would want to emulate – preferably from within the same organization or industry –may be the best way to learn. Mentorship is more than shadowing or meeting for lunch now and again. It’s a long-term relationship that entails sharing detailed knowledge and experience. Mentors can also enhance networking for their mentees.
The biggest problem with mentorship is a dearth of mentors. Truly innovative, visionary, business-focused security leaders are rare, and where they exist, it’s unlikely they have the time to do much mentoring.
Educational Offerings. Again, a series of candid assessments should help point you toward education that would be relevant and helpful in your situation. Security-specific or industry-specific seminars offered by trade associations may be good sources for learning on certain security specific topics. Business schools and industry-supported business programs may be more helpful for general business administration.
The Security Executive Council has found that while industry business programs help security leaders understand business practices and speak the business language, they fail to marry business processes with the job of risk mitigation. The Council is building a knowledge transfer program that addresses these concerns by including input from business professors, security industry veterans and current practitioners – many of whom exemplify the nine practices we’ve identified. We have pinpointed 11 things that senior security leaders want to see in their staff and used these to guide the curriculum.
Once you’ve begun building your aptitude, it’s necessary for you to find an organization in which you’ll be able to use it to the utmost.
Finding a Job that Enables Next Generation Leadership
Putting oneself in the right place at the right time is a matter of effective career management. If Next Generation Security Leadership is your goal, every step of your career management strategy should be engineered to advance your journey toward it. This includes recognizing the organizational factors that play a role in achieving Next Generation-level success and building the job search, interview process and decision making around those factors.
Some of the commonalities found in our Nine Practices research may indicate how an organization or a security program can enable its security leader to excel. Consider what the following practices say about a prospective new employer and its existing security program.
• The creation of a robust internal awareness program.This is not employee risk awareness training; it is a formal marketing program that builds internal awareness of the security function and raises the understanding of what security does and the value it imparts to the organization. Program maturity is a significant factor here, as is corporate culture. It may be difficult or impossible to implement this practice if the existing security program is very small; if it is under-funded or under-appreciated; if it is recovering from major negative events that require all of the program’s resources and time; or if the program’s mission, vision and goals are unclear even to the security function. These are things to look out for.
• Ensuring that senior management is made aware of what security is and does.Like building internal awareness, this practice’s success depends on culture and maturity and also on reporting structure and the perspective of upper management. Security Leadership Research Institute findings show that the reporting level of the security leader is a major factor in success and influence. It doesn’t matter which function security reports through as much as how many levels away from the senior-most operating executive the security leader is. If senior leadership will not be accessible or does not appear willing or ready to listen to security, this should inform career decisions about the organization.
• Understanding the corporate culture and adapting to it.Is the culture something you can adapt to? If it runs counter to your principles or your leadership style, consider truthfully whether you will be willing or able to adapt.
• Having top-level support from Day One. This is arguably the most important predictor of success.Is the most senior business leader a driver of or an inhibitor to security improvement? Does he or she buy into the value security can bring to the organization and hope to maximize that? Will he or she provide resources and authority to enhance the program and its value creation?
In his book From One Winning Career to the Next, J. David Quilter outlines a number of considerations for security leaders who are plotting out their next career steps. Many of the checklists and questions he provides to career seekers can help a prospective Next-Generation Security Leader determine whether an organization is a fit for the practices above, as well as other factors of success.
Here are a few of the questions he recommends the job seeker think about during the interview process:
• Has the organization spelled out the responsibilities and accountabilities of the new security leader?
• Have there been numerous mergers or turnovers in key personnel? Have departmental and executive roles been sorted out in the aftermath of changes?
• What important security issues has the company faced within the last 5 years? How have they been resolved?
• Is there a well-established security function in place or is this a start-up?
• Is it clear to you what this company needs from you, and the time-frame in which they expect you to deliver on goals and objectives?
• Are existing security team members and others interested in personal and professional growth?
• Are members of the executive team participating in your interview? Can any of them discuss security with the same enthusiasm as they might speak of sales, marketing, finances or operations? If not, what priority do you think they will they put on security in practice?
• Will you report to a C-suite executive and have access to the chair and CEO?
• How is the morale of operational managers?
• What about teamwork within departments? Are departments collaborative between each other?
• Are your questions answered honestly and without undue defensiveness?
• Do top executives trust others to lead within their departments, or do they merely want you to manage?
• Is the security organization fully integrated into the company?
• Does the corporation you are thinking of joining spell out its values? If so, how have they become part of the daily operation of the company? Are there ways in which the company evaluates itself behaviorally on specific criteria?
Quilter recommends that security leaders learn as much as possible about those to whom they will report through searches of publicly available information and other resources. They should speak with employees not in the presence of their interviewers and attempt to see how the company treats employees and security issues on a day-to-day basis.
Next Generation Security Leadership is a long-range goal for most. Developing the knowledge and skill sets it requires while carefully managing career moves – these are complex and challenging tasks, but they are worth the effort, and their results are worth the wait.
About the Authors:
Bob Hayes is Managing Director of the Security Executive Council, and he has more than 25 years of experience in security. Kathleen Kotwica, PhD, is EVP and chief knowledge strategist for the Security Executive Council. Visit https://www.securityexecutivecouncil.com/about/spotlight.html?sid=26499.