It’s your first day in your new enterprise and your new job as the security executive. There is a mountain of work to accomplish, dozens of internal stakeholders to meet, myriad risks to address and not much time to get up to speed. You will need to gather intelligence about the enterprise to understand and assess the various risks facing different business units; know your vendors, integrators and law enforcement partners; comprehend compliance and regulatory needs; and craft a flexible yet straightforward security strategy that positions your department as a valuable partner and competitive advantage within the enterprise. So, where do you start?
According to Jerry Brennan, founder of executive search firm SMR Group and Career Intelligence columnist for Security magazine, your work should begin long before you get hired.
“Individual CSOs need to spend a lot of time doing research on the company and its culture, as well as networking, and not just within the security function. Security is there to support the business, so you must have a very clear understanding of objectives for the organization, and in-depth understanding of the company culture and how things get done,” says Brennan. Doing this research ahead of being hired enables the incoming CSO to develop a set of questions to ask while meeting enterprise stakeholders and executives.
According to Bryan Warren, Director of Corporate Security for Carolinas HealthCare System in Charlotte, N.C., CSOs should begin networking immediately, both inside the organization and in professional associations. He recommends meeting with like-minded CSOs or those in similar enterprises and sectors to create an information-sharing network and find collaborative solutions.
He also recommends building up a base knowledge about what you’re trying to accomplish in the enterprise, and how that fits with the enterprise’s mission and risk appetite.
Within the healthcare field, for example, Warren is faced with achieving “compliance while providing a secure environment for people who don’t want to be in the hospital. It’s a very dynamic field with many facets.” When it comes to getting hired, leadership qualities are the most desired aspect of a candidate, Warren says, but a knowledge base can help.
For Grant Ashley, Vice President of Global Security and Aviation for pharmaceutical company Merck & Co., research alone was not enough to get up to speed. He met with peers who face security and anti-counterfeiting challenges similar to his own in the pharmaceutical industry, gaining insight into the usual threats, acceptable business risks and potential shifts in the field. Speaking with his predecessor proved incredibly helpful as well, as it gave Ashley the opportunity to glean information from the former CSO’s personal experiences, perceptions and history with the company.
Ashley recommends being “a human sponge” during an incoming CSO’s first few months in the organization, but learning and information-sharing shouldn’t stop there. “No matter how much you know or learn about your business, it will always be inadequate. Make sure you seek out those that know, live and own the business, and learn from them every day. And make it easy for them to instruct, guide or correct you, even if your location requires you to walk, drive or fly. Don’t just use the phone or email,” Ashley says.
“We (security leaders) should never be in competition with each other, even if our organizations are,” says Warren. “It makes no sense.”
According to Kirsten Meskill, Director of Global Security for BASF Corporation, security leaders shouldn’t “be afraid or embarrassed to reach out for help. Peers in security are eager to help and provide advice for the common good of helping to protect people. No security professional is an expert in all the various areas of security (executive protection, investigations, access control, policy development, etc.), so where there might be gaps in your own experience or skill, or in the experience or skill of your team, connect with a security peer who might be able to provide that assistance.”
And it’s not just security professionals who can provide assistance and insight. Security leaders should take the time to debrief key stakeholders and internal clients to get a clear understanding of what’s in place, key programs and processes that might fall under the security or risk umbrella (whether they’re owned by the CSO function or not), and what enterprise leaders’ concerns are, says Brennan.
“A common finding from CSOs at this point is that people in the business have a very narrow view of what the security organization does,” he adds. “These meetings can help stimulate thoughts about security’s role in accountability and functions, and begin a discussion. This will begin to set the tone of how you’re perceived in the enterprise.”
Whom incoming CSOs should prioritize meeting depends on the structure of the enterprise, says Meskill. “My key stakeholders have consistently been HR, Legal and Compliance, Corporate Audit, Corporate Communications and recently the Chief Information Systems Security Officer (CISSO). Of course, engagement with the CEO, COO and CFO, as well as key business unit leaders, is essential, but engagement of the functional stakeholders is crucial for implementing proactive programs and reacting to incidents and investigations,” she says.
“Generally, these functions already understand the value security brings to the organization and have a pretty good idea what security does and how it fits into the fold,” she continues. “CSOs need to understand from these functional leaders what types of incidents are occurring, what their key concerns are about security’s participation and response to incidents, and their ideas for collaborating effectively moving forward.”
Warren also recommends reaching out to local law enforcement and first response partners during the first 90 days to get to know local leaders and their role in supporting you and the business from the public sector.
It’s also vital to spend time getting to know the internal security team and infrastructure. If the incoming security leader is responsible for physical security systems, he or she should meet with security vendors and integrators to get suggestions for a technology roadmap for the next one, three or five years, and cultivate a relationship with these partners so they can serve as subject matter experts moving forward, says Warren.
He also recommends spending as much time as possible getting out of the office and visiting different areas of the enterprise to evaluate the real situation. How do employees use their badges (or avoid using them)? Where are the cameras? What card readers do you have? What issues are security officers facing?
“Having a fresh set of eyes in the department can help you find issues that need resolving, and your engagement (in the security department) shows that you’re trying to learn from the ground up,” says Warren. “There has to be a balance – you can’t just lead from your office.”
According to Meskill, “A new leader’s dialogue with the security team leaders is essential. What’s working? What’s not? How’s morale? How are people developed and challenged to learn and grow? How do they work? How do they interact with other key stakeholders, businesses and functions? … These answers, along with the answers from key stakeholders and business leaders will set the foundation of the security team’s strategy over the coming months and years.”
After gathering information and compiling a good overview of business operations, CSOs should begin to map out their security strategy, including expected results, value and impact to various stakeholders. It might behoove CSOs to run test balloons past the hiring manager and potentially impacted stakeholders to get feedback before presenting the strategy to the C-suite or leadership team, says Brennan. “If you’ve already validated your concepts or received conceptual support for these items, you have buy-in. When preparing your presentation and strategy, have costs and budget in mind, staffing costs, leveling infrastructure and international footprint, if applicable. Within 60 days of your hire, you should have this pretty well mapped out, at least in draft form,” he adds.
According to Warren, your security strategy should be a combination of industry and organization goals, not one page long but not 1,000 pages, and it should never be static. The environment, risks and issues change frequently, and the security strategy should change with them.
“Never settle for one security strategy year after year after year,” he says.
In addition, ensure that “security theater” is not part of your strategy. “Whatever you do, do it for a reason and make it matter. If you’re going to make a change, don’t make it just window dressing. You’ll get short-term results, but it can erode your credibility over time,” Warren adds.
According to Ashley, the key to developing flexible security plans is working to gain the trust and respect of enterprise leadership and stakeholders, who may lift the curtain a bit to enable the CSO to gain more insight about future options and where the enterprise may be headed. For example, if a CSO is in an industry poised for consolidation, will his or her enterprise be an acquirer or be acquired? Will the enterprise be investing in more start-ups in order to kick-start innovation?
“If you know how your business is changing, you can prepare for these types of services for the business,” Ashley says. “If (security) can be efficient, quicker, and protect the business’s people and reputation, we become a competitive advantage for the business.”
He adds, “You cannot provide a competitive advantage or sufficient value proposition if you are merely reacting to what is happening in your industry and company.”
Before Day 100: 7 Steps to Success; 9 Steps to Failure
According to Jerry Brennan of SMR Group, incoming CSOs should accomplish the following things within their first 100 days in office:
- Develop a strategic security plan.
- Develop key relationships with stakeholders and partners.
- Build a trusting relationship with the security team.
- Identify what changes you need to make near-term and long-term.
- Develop a plan for team development and training.
- Execute on any low-hanging fruit.
- Be well underway with the strategic plan and deliverables.
On the other side of the spectrum, SMR Group research has revealed that CSOs most often fail due to any (or a combination) of the following:
- Overlooking the importance of people
- Inability to function effectively in a work group
- Failure to focus on image and communication
- Insensitivity to the reactions of others
- Difficulty working with authority
- Too bored or too narrow vision
- Indifference to customer or client needs
- Working in isolation
- Misconduct and criminal acts