Leading the Cultural Revolution for Security Leadership
Being an enterprise security manager in today’s world is getting more complex and challenging by the minute. Those of us who are old enough to remember the pre-internet days often think of them, affectionately, as “The Good Old Days.” Oh, there were threats, but they were generally “out there,” outside the physical and technological perimeters we carefully constructed to keep the bad actors away from our employees, our property and our information.
In today’s connected work environments, that is certainly no longer the case. Today, a well-intentioned employee opening the wrong email can become an attack vector which can disable an entire company infrastructure, endanger revenue and do permanent, sometimes irredeemable, damage to your organization’s reputation. The threats have changed, and smart security managers have changed with them: implementing IT policies and protocols to protect networks, utilizing futuristic technologies to maintain the physical and informational security of our assets, and, most importantly, using access, CCTV and other technologies to protect the safety and well-being of our employees. The security industry has become quick to understand and embrace the emerging solutions to these up-to-the-minute threats.
And yet, with all that said, there is still one hold-over from “The Good Old Days” that seems difficult for many security managers to change: we still, in many cases, operate in a vertical silo which is attached to, but not particularly interactive with, the rest of our organizations. We work diligently with the policies, procedures and technologies needed to secure our operations, we build strong relationships with security colleagues, vendors and associations, and we liaise with executive management consistently and constructively, but generally have little day-to-day interaction with staff not directly associated with the security mission. We don’t work on committees not related to security; we don’t participate in company initiatives not related to security; in short, we remain behind the scenes for the vast majority of our organization’s operations, and personally unknown to most of its staff.
In today’s work environment, this carries a cost that might be difficult to quantify, but is easy to describe. With every employee connected to the world through their internet connection, and information flowing in and out of organizations through non-traditional conduits like social media, every staff member, every workstation, has been moved to the front lines of the security perimeter; every employee can provide the conduit that, later this afternoon, thwarts all your technology and procedures and brings your operation to a screeching halt.
Smart managers know that technology, audit procedures and other standard security measures can only go so far in protecting a company from these evolving threats. A critical component of a modern, comprehensive security plan must include creating, and then nurturing, a corporate culture which understands and values the importance of security, and which inspires every individual to feel like a key member in protecting the organization and its assets.
Creating such a culture can be challenging; it involves the soft skills of a good communicator or a salesman, combined with the ability to educate and energize people about something they may not have, until now, thought much about. But its value is almost incalculable; a company where every single employee understands the current threats, has a clear idea of how to mitigate them, and feels both empowered and responsible to stand guard over company assets will be, in the most accurate sense of the term, a “hard target.”
So how can an enterprise security manager become the leader of this cultural revolution? Every organization is different, but some first steps could include:
Get out of your office; visit the various working groups within your organization, introduce yourself and get to know what it is they do, and how they do it. Stop being a name and title, and become a person the staff is comfortable with and used to speaking to.
Contribute; write articles and tips for the company newsletter, create a weekly “security minute” email for the organization or take part in daily or weekly huddles or staff meetings.
Participate; join operations groups or task forces outside the security silo, and bring your perspective and insights to a wider audience. Help security become a normal part of every operational aspect of your business, and influence other critical decision-makers with your understanding of risks and how to avoid them.
Ideally, we should work toward changing the corporate culture from having security be something that happens behind the scenes, and without input or participation from the general staff, to something we all understand and do as a matter of course. This takes a determined effort, and a great deal of work on the part of the security management team, but the results – a resilient, prepared and security-conscious organization – are worth the effort.