Home » Coping with Changes to Company Leadership

Coping with Changes to Company Leadership

October 1, 2012

Though we deal with risk everyday, there is one risk that rarely makes it into our risk management plans – a change in organizational leadership. Whether the result of an internal structural shift, an external hiring decision or a merger/acquisition, a change in leadership and reporting can signal a challenging time for security.

The new leader will have his or her own agenda, goals and view of what security does and what security’s role should be. If this does not mesh with your view or your existing strategies and operations, some meeting of the minds will be necessary.

You could choose to accept this risk, essentially ignoring it and dealing with the fallout as it arrives. However, a better choice would be to mitigate the risk by preparing for it and making the transition to new management as smooth and productive as possible.

What You Need to Consider

New leadership tends to fall into one of three categories.

1. The Advocate. This is someone whose security goals align with yours and who is prepared to defend you and the security team in conflicts with other management. You can tilt this option in your direction by being armed with documentation of what security has accomplished to date, what your function does on a day-to-day basis and how successful it has been.

2. The Associate. At some level your goals likely align with this leader’s, but this is someone who can be best be described as a significant customer. You may disagree on the details of how to achieve security’s goals, but you will have to accept that in this case, “the customer is always right.” In this situation you want him or her to understand the value security brings to the organization. You need to be prepared to present a convincing case to ensure the boss ends up a satisfied customer.

3. The Assassin. This leader likely does not understand security’s role in or value to the organization. He or she may have a mandate that is at odds with your understanding of risk management within the organization. This situation may require a damage control approach, but in any case it necessitates preparation and a thorough understanding of your adversary and your current operating environment, because you may need to defend previous actions. If you can show that existing customers of security value your services, it will go a long way toward discouraging adversarial action.

What to Do

A proactive approach to new management is the best recourse; views are easier to change before they become entrenched. If a new leader is making statements to others about what he or she is going to do to “fix security,” then pride may prevent them from recanting or modifying their initial position. A preemptory strike may be required, and if you are not prepared to execute on it wisely, you may do yourself more harm than good.

Do some thoughtful investigation of why new management is being brought in and what the new leader’s background is. Ask yourself hard questions, take the viewpoint of the new management and be brutally honest with yourself. Is this new management likely to start up a new security program? Has he or she been brought in to help turn around risk-related failures, to realign functions or to sustain success? What led the organization to this point?

Next, do some research on the new leader’s career history. Identify the most likely security issues and risks they have faced in previous organizations. What industry-specific issues or regulations did they have to address? Be prepared to answer questions related to these issues.

If the new leader is an internal reassignment, identify the security services they would have used. How much have you spent on their previous business group? What experiences have they had previously in dealing with security, and were those experiences helpful or problematic? Understanding how your customers feel about security will help you understand how best to approach them.

Whether the new leader is an advocate, associate or assassin, you will need to educate them on what your department does. You will need to show the value of security and demonstrate how others see value in security. You will need to have documented results.

If you do not currently have this information, you need to develop it internally or with the help of a third party. It will help you immensely in the leadership transition and beyond.

Read moreLeadership & Management online at SecurityMagazine.com/Columns/Leadership.

This article was previously published in the print magazine as "Facing a Change in Leadership."

How Business and Risk Drivers Impact Mitigation Strategy

Rebuilding Influence after Corporate Restructuring

Protecting People at Risk

Bob Hayes is Managing Director of the Security Executive Council. He has more than 25 years of experience in security, including eight years as the CSO at Georgia Pacific and nine years as security operations manager at 3M. The Council works with Tier 1 Security Leaders™ to reduce risk and add to corporate profitability in the process. To learn about becoming involved, visit www.securityexecutivecouncil.com/?sourceCode=secmag.

Greg Kane is Director of IT and Product Technology for the Security Executive Council.

You must login or register in order to post a comment.

In this webinar, security expert Pieter Danhieux explores how CISOs and CIOs can inspire real change, fostering a positive security culture that enables their development teams to become more security-aware, more aligned with internal AppSec specialists and, ultimately, securing code as it is written.

Healthcare organizations often overlook the security needs of freestanding clinics and offices. In this webinar, Alan Lynch, Network Director of Safety & Security for St. Luke’s University Health Network, headquartered in Bethlehem, Pa., offers best practices to help you address the security risks in ambulatory care centers and physician offices.