How CSOs Can Strategically Keep Security on the Map
Chief Security Officers (CSOs) are charged with protecting an organization’s assets and people. Like all corporate functions, the design of this department will vary greatly depending upon the organization. However, the process by which a program is designed, measured and evaluated has some consistent principles across different industries. This series explores how to make your physical security program more strategic, and how to secure funding for this objective.
As a backdrop, the strategic importance of IT security has become more pronounced in recent years. Many CISOs and even some CEOs have lost their jobs over a data breach or some other IT security failure. The high stakes and visibility have forced CISOs to become more calculated, led to large increases in funding, and given the CISO a prominent role in the organization for mitigating risk. In my experience, the CSO can become just as strategic about physical security and risk mitigation by following a few key steps. In essence, it requires the CSO to adopt the mindset of a businessperson first and a security professional second.
This first article describes a process for better understanding your own organization and for identifying and quantifying the real and perceived risks it faces.
Understand the Key Drivers of Profitability
The drivers of profitability (and market capitalization) might not be obvious to you, but they are front of mind for the key business leaders. As a CSO (or ranking security officer), you need to be a business leader who can connect safety and security to the organization’s bottom line.
If you haven’t already, you should conduct a detailed assessment of your organization’s business model, assets and structure – and know how they relate to physical risk mitigation. There are several places you can gather this information. Industry/trade publications can be a fantastic source. If your organization is publicly traded, its 10-K will be instructive – as will the 10-K of any competitors. You can search for them, along with other public filings, using the US SEC EDGAR database.
Your colleagues can also provide invaluable guidance. Make sure to speak with key stakeholders and business leaders at different levels of the organization and look for any available data to inform your analysis. (The next article in this series will delve into strategies for developing relationships with key stakeholders.)
Here are some key aspects to examine as part of your analysis.
At a high level, what are the strategic assets that drive revenue or profitability for your organization?
The answer to this question depends on many factors, including the industry, organizational structure, primary product(s) and market(s), among others. You want to address it with a balanced level of specificity. For example, a manufacturer of consumer electronics relies heavily on its intellectual property (e.g., product design and capabilities), its highly skilled workforce (e.g., to design and test the products), its manufacturing facilities and personnel (e.g., to produce the products), its distribution channels and networks (e.g., so the product can be shipped and retailed), and a variety of other tangible and intangible factors that make it unique among competitors. Each of these characteristics forms a different facet of the organization’s risk profile.
Here are some assets to examine as part of your analysis:
- Facilities that store valuable assets, with an emphasis on high-value inventory, data centers, large sums of cash, sensitive/restrictive areas and any other factors that make a given location important or indispensable to the organization
- Production facilities or development offices
- Distribution centers and systems
- Key suppliers
- Retail centers and key customers
What are the unique risks faced by your organization?
Understanding the biggest risk factors to your organization’s bottom line, both real and perceived, is critical to building a strategic and successful physical risk mitigation program. A given organization’s risk profile is determined by the nature, location and categories of its assets: people, places, products and partners. You should seek to understand the sources of recurring or acute risk based on your organization’s characteristics.
From the perspective of physical security, it’s easy to understand risks to life safety: for instance, employees interacting with the public at brick-and-mortar locations, travelers or offices in volatile parts of the world, or high-profile executives who speak on controversial topics. It can be more challenging to intuitively grasp operational or financial risk, but doing so is essential to protecting an organization’s bottom line.
You want to recognize what types of incidents could most adversely impact your company in terms of revenue/EBITDA, in terms of public and investor relations, and in terms of long-term goals such as recruitment or business expansion. A CSO needs to understand the company’s business model and margins. A high-margin business might over-invest in a risk mitigation strategy because it has the financial resources to do so, whereas a low-margin company cannot.
For example, consumer electronics manufacturers often rely on rare earth materials and specialized components that may be single-sourced. A supplier of a given crucial component may be the ONLY supplier, so any event that disrupts production of that component could delay production of multiple products. The tragic and devastating Fukushima earthquake and tsunami impacted some of these manufacturers and caused earnings issues.
There may already be objective data that can aid your risk assessment. Here are a few examples:
- Prior loss data from business units, including impacted assets and the cause of the impact (e.g., environmental vs. man-made)
- Internal audit reports identifying risk issues
- Any information collected by your risk management team
- Insurance group prior claims and underwriter concerns
- Types and volumes of different alarms or alerts every month
- Any times/locations with higher volumes of alarms or other risks (e.g., high-crime area)
- Existing organization risk mitigation policies
- Prior fines, citations or other regulatory activity
- Offices/facilities in politically volatile or environmentally sensitive areas
- Compliance hotline data
One important thing to keep in mind here: it’s unlikely that you will have the resources to address every potential source of risk. Thus, you should prioritize mitigating the most impactful or most recurring sources of risk. We’ll dig deeper into this in future articles.
In summary, a CSO needs to conduct due diligence on the company’s operations and profitability, prior risk experience, risk tolerance and existing programs before initiating new strategies for managing the company’s risk profile. Risk mitigation strategies should be closely connected to the organization’s bottom line.
In the next article, we’ll examine how to develop the internal relationships with key business leaders that are required to succeed not only in the department’s mission but also in your own career.