How CSOs Can Strategically Keep Security on the Map, Part 2
This series is focused on a step-by-step approach for security leaders to design, implement and measure a physical security program that supports organizational priorities and operates with buy-in from the organization’s leadership team. The first installment covered the key steps of understanding the organization’s business drivers and quantifying risk.
To read Part 1 of this series, click here.
Establish Relationships with Key Business Leaders
Sitting down with key business leaders is vital to understanding their business imperatives, priorities and risk tolerance. If a CSO doesn’t have this baseline knowledge, how can he or she develop and deploy a risk mitigation strategy?
It is crucial to understand the political dynamics in the organization and establish strategic relationships. In most organizations, the most influential roles are those that own Profit and Loss and, through their responsibilities, drive revenue and create shareholder value. These include business unit leaders, division presidents, the CEO and other executives.
Physical security provides an internal service to the organization; the key business leaders (and their teams) are your “customers.” You should meet with these business leaders to discuss your mandate. Some of them might not even know what physical security is, how much funding it receives, and how it helps or impacts their group. These internal customers need to understand and concur with a yearly Service Level Agreement (SLA), which details what programs and/or services your team will provide on a yearly basis.
Your ultimate objective is to build relationships with these individuals and determine the best way to articulate the value of your security programs – the indispensable ways in which the security team serves and protects their key functions and operations.
Depending on the hierarchy and reporting structure, you may encounter some challenges securing time and attention from key stakeholders – for example, a member of the C-Suite. These stakeholders have many demands on their time and getting on their schedule can be challenging. As you engage with key stakeholders, you may be able to leverage those initial conversations to gain an audience with a different group of stakeholders. For example, you can request introductions or provide information from those early conversations in a way that is compelling to a busy executive.
Another effective approach can be engaging with an executive’s direct report – someone who understands the business unit’s priorities and pain points, and likely has regular interaction with the executive. Similarly, an executive’s administrative assistant can be an effective conduit, with direct visibility into the executive’s schedule and some level of insight into their interests and personality. It may take some time to build rapport and gain an audience, and it may test your interpersonal skills and ability to read people. Your time is well worth it; you don’t want to be in the position of only communicating with key stakeholders after a serious security incident.
A brief slide deck is an excellent tool for your introductory meeting with key business leaders. It should include a succinct introduction to the security program mandate, team structure, your experience and budget. The objective is to set up a fact-finding discussion that builds your credibility by showing both a thoughtful understanding (based on your prior research) and the desire to learn more and receive input to better protect the organization’s bottom line. These meetings will allow you to seek the executive’s thoughts and concurrence on your plan. This is an effective way of engaging them and ‘managing up’ in your organization.
These key business leaders have indispensable information and experience. If you work for a manufacturer of computer equipment, for example, at least one of those leaders will know where the single-sourced, critical components are obtained or manufactured.
Suggested Topics and Questions to Discuss with Key Business Leaders
- What are their goals, business drivers, observations and KPIs?
- What are their priorities?
- What are the costs of operational downtime?
- What kind of events/incidents have been disruptive in the past? What type of disruptions did they cause (e.g., costs, delays, injuries, etc.)?
- What factors determine when a new supplier is engaged? To what extent are suppliers replaceable, and what kind of lead time is needed? Who vets suppliers, and how? Are any suppliers/facilities single-sourced (e.g., a component made only in one place) or mission-critical?
- Do any future business objectives create additional facets to the company’s risk profile (e.g., acquisition, constructing new factories, etc.)?
- What restrictions/considerations are imposed by the governing regulations (e.g., safety regulations, compliance costs, etc.)? When issues arise, what happens (e.g., investigations, fines, additional requirements, etc.)?
- Are there recurring sources of risk that the key business leaders could be mitigating with more robust security processes and programs?
- What is the organization’s tolerance for risk?
- What type of budget is available for security initiatives? To what extent can future cost-savings be used to justify current spending increases? What other initiatives might be competing for budget?
- With whom can you collaborate to co-fund projects or initiatives in a holistic manner?
It’s prudent not to over-commit to any particular task or approach in these meetings – you need to gather sufficient intel to pick the best or most impactful approach based on organizational goals and a number of other factors. Your collaboration with these people should be ongoing.
Based on these conversations, you want to identify areas where you can make demonstrable positive impact on business operations and consider them from the perspectives of what types of resources are needed, how significant the impact will be to the business, how soon you might have reportable success and what data you can use to articulate this success.
Formulate Your Short-Term, Intermediate and Long-Term Objectives into a Plan
Next you need to design your security programs based upon what you learned during meetings with the key business leaders. Essentially, this is overlaying the risk that you, as a seasoned risk mitigation professional, understand against the business model of the division or corporation. I suggest a one-, three- and five-year plan that is progressively phased in. Remember that priorities can and will change.
At this point your ongoing conversation with the key business leaders entails a discussion of what you will do in year one (or some other reasonable but short-term timeline). The goal is to build consensus on what you will do but also what you will NOT do in year one.
As part of your short-term plan, you should strive for objectives with an immediate, demonstrable impact – ideally with minimal resources. It’s important to identify potential risks with your plan as well, as risk is an inherent component of any proposal. Proactively identifying potential risks will build your credibility.
Pick objectives that can easily gain consensus and approval from key business leaders. Have objectives that can be met with minimal investment so it’s easier to get funding and so you can demonstrate a proof of concept and later ask for enhanced funding if needed. Choose objectives that have a measurable impact so you can quantify and report on your successes.
When identifying positive outcomes for these stakeholders, think broadly and refer back to your prior conversations related to key business drivers and the functions of individual business units in the organization as a whole. Potential positive metrics include reduced costs or risks, increased revenue, new efficiencies, improved employee safety, better compliance outcomes, supply chain optimization and others.
Here’s a real-world example of a security initiative with demonstrable impact. Industry statistics indicate a large majority of cargo thefts occur within the first 200 miles of transport. Cargo theft is always problematic, especially so with high-value loads. A company with multimillion-dollar shipments created a policy wherein drivers must have sufficient fuel and legal driving hours to drive at least 200 miles away from a given distribution center before stopping. Any emergency stops are carefully monitored via GPS technology; GSOC watch officers will directly phone the drivers, and drivers must send a photo to verify their location (along with other requirements).
In this case, the most important metric is of course the absence of (or reduction in) cargo thefts, but there are supporting metrics such as the number of sub-200-mile emergency stops and driver compliance with other policies. Additionally, the conversations between GSOC watch officers and drivers identify the causes of emergency stops, enabling corrective action if needed. In the event of a natural disaster or other emergency that disrupts traffic patterns, the GSOC can help the driver select a different route or otherwise navigate the situation.
As you create and document your security programs, it is crucial to relate your objectives to the organization’s strategic objectives. Include timelines, associated costs, potential delays or pitfalls, projected benefits and ROI and the KPIs that will be used to measure success. Focus most on the short-term aspects but relate them to the longer-term components – for example, ongoing intelligence-gathering activities as a foundation for future business continuity and crisis management planning.
If you need a template to document your security program – i.e., a potential format and key components – there are many free options available online. Here is an example from the Federal Energy Regulatory Commission. Just note that specific components of security programs vary between industries and organizations.
Once you have documented the key components of your program, you must go back to key business leaders to make sure you are all aligned. You don’t need to share the entire detailed description of the program, but rather a high-level summary that describes the key objectives, timelines and KPIs.
In the next installment, we’ll examine how to assess your programs and make adjustments as needed. We will also discuss how to communicate those successes to your key business leaders and internal customers.