Running Security Like a Business
Last month we addressed the importance of aligning security with the business. The security leader who prioritizes alignment will have built a strong foundation from which to meet the coming challenges of risk management. However, alignment is sometimes a significant challenge. It often requires current and rising security leaders to run security like a business, which includes knowing your business and its level of readiness for your strategies; communicating with and influencing internal customers; demonstrating how and where security resources are being used; and adding value to the organization.
First, if the security function hopes to align itself with the business’ needs and goals, the organization, the security leader and the security programs must all share the same level of “readiness.” For example, the leader may be extremely mature, with years of experience and a long list of successes at other organizations, but if the organization is not ready for visionary security leadership – or not interested in it – then the leader may have to adjust in order to meet the company’s needs. Or if the organization is prepared to shift from a compliance-focused security strategy to a proactive, growth-focused strategy, but the existing security programs are all built and measured around compliance concerns, a major shift in programs will be in order to match the readiness level of the organization.
A company’s readiness may be impacted by many factors, including budget, senior leadership and culture. To align with the readiness level of their organizations, security leaders must understand their own leadership maturity as well as the company’s risk appetite, management’s awareness level and the drivers of security programs.
Running security like a business also requires communication and influence. A research report released by the Security Executive Council last year, “The Nine Practices of the Successful Security Leader,” identified commonalities among many highly successful individuals in their Tier 1 Security Leader community. (The report is available for download at https://www.securityexecutivecouncil.com/sm9.) “The findings in this report show that much of success revolves around communication and receptiveness,” says Kathleen Kotwica, EVP and Chief Knowledge Strategist for the Security Executive Council. “Each of our findings reflects how security or the security leader is perceived by other business leaders, management and employees based on how the security leader presents risk and, to a great extent, him- or herself.”
In many organizations, security can also enhance alignment by helping improve the bottom line, either by reducing loss or building profit. In a business sense, risk management is not only about transferring or mitigating potentially negative risk; it is about identifying risk that may provide opportunities for growth or profit. While security has traditionally been expected to focus on mitigation, the global economic recession has caused many businesses to push all organizational functions – security included – to identify ways in which they can add value.
To align, therefore, security must extend beyond consequence protection. In order to enable this shift, security leaders will need to show a certain level of business acumen. They will need to be able to find the money by identifying opportunities in existing programs as well as potential value-adding partnerships with other functions. “The ability to promote transaction integrity – asset transfers, data, hiring, purchasing, sales and supply chain – through anomaly detection and mitigation will optimally pay for compliance programming and optimize the business,” explains Francis D’Addario, emeritus faculty for Strategic Influence and Innovation for the Security Executive Council and former vice president of Partner and Asset Protection for Starbucks Coffee. D’Addario has a solid record of business-focused security success. “Injury, loss reduction, and revenue enhancement often yield more than 250 percent ROI with capable protection investment,” he says.
The Council’s Next Generation Security Leader Development Program is offering courses on each of these topics. Next month we will touch on some of the aspects of risk that the next generation of leaders will need to be aware of to reach the height of success.