The first 90 days of a Chief Security Officer

Congratulations! You’ve climbed the ranks of a security department and have started a new role as the Chief Security Officer (CSO). And, as excited as you may be about the new role you are taking on, you’re probably just as nervous and stressed about how you will navigate your new organization, manage its culture, build trusting relationships, and deliver on the expectations set by the organization.

While every new CSO faces unique challenges based on the organization’s mission and its security posture, the focus remains the same for every new CSO: ensure that their organization's security function adds value and gives it a competitive advantage. Your first 90 days as a CSO lay the ground foundation for this focus, and ultimately, determine your success in the new position.

Here, the following security leaders discuss how a new CSO can approach his or her new role in the first three months for maximum effectiveness:

- Adam S. Lee is Dominion Energy’s vice president and chief security officer. He directs the development and implementation of corporate security strategy and policies which protect the company’s physical and cyber assets, valued at over $100 billion and spanning 20 states.

- Jim Sawyer, CPP, CHPA, is Director of Security Services for Seattle Children’s Hospital – a position that he has held since 1975. At Seattle Children’s Sawyer plans, implements and evaluates the overall strategy and related plans to ensure a safe and secure environment for patients, families, visitors and employees with an emphasis on prevention.

- Amy Lyons is the Head of Corporate Security and CSO for Bristol-Myers Squibb. Lyons leads enterprise wide security programs to address emerging threats in today’s complex business environment impacting patient safety and to safeguard the company’s assets, people and most sensitive information.

- Steven Antoine is Chief Security Officer for Yum! Brands Inc. Antoine is responsible for leading Yum! Brands’ life safety, duty of care, executive protection, employee travel and physical security strategies globally; and for helping to educate, advise and support franchisee owners and operators to improve their capabilities in this space in an ever-changing marketplace.

Security: What are the critical focuses for a CSO during the first 90 days?

Lee: For a new CSO who has just promoted into the role, transitioned from government, or who is entering the role from another non-security field, the first 90 days can be daunting; it’s easy to lose focus. Of course, you must assess the capabilities of the security organization you now lead, take an inventory of its security-related capabilities, and establish an understanding of how the security organization interacts with the larger corporate enterprise. You mustn’t lose focus on the nature of the executive leadership role – your team will be watching you from the day you arrive to see what impact you will have on their professional lives; will you demonstrate an inspiring vision and a sound, effective strategy and lead your team toward success by capitalizing on their talents and strengths? Will you rely on your own talents and strengths and lead through command and control? Stay focused on being an executive and lead through vision and strategy!

Sawyer: As a new CSO, encourage and advocate teamwork, collaboration, and open communication from day one. Communicate to all staff that you indeed have an open door policy for all staff. Within the first 90 minutes, commit to diversity, equity, a just culture, and a policy of ‘zero incidents’ — not ‘zero tolerance.’ As a new CSO, you must also advocate for a policy of comprehensive threat reporting from the outset. It’s critical to establish the best practice that all threats are reported without exception, to help maintain a safe and therapeutic work environment. As part of your comprehensive safety and prevention plan, promote a strong domestic violence support plan for all staff. It’s also important you meet and greet local law enforcement within your first 90 days.

Lyons: During the first 90 days, focus on understanding the organization’s business need, role expectations with management, senior stakeholders and your new staff. It’s important to start developing meaning relationships with new staff and conduct an assessment on their knowledge, skills, and abilities. Collecting team members inventory skills by talking to team members, holding one-on-one meetings and observing performance can help ensure employees’ goals are aligned with organizational and security goals. It is also critical to meet with your business partners, stakeholders, the C-suite, especially General Counsel, and all leaders within the organization. Being visible and known among all management, senior stakeholders and your new staff can help learn organizational structure and establish mutual agreement on expectations and role responsibilities. It can help you uncover the organization’s security posture and if it’s functioning at best performance.

Antoine: Within the first 90 days, spend time understanding the organization, what type of industry it operates in, and learn its organizational structure. When you take the time to learn the organization and its culture, you’ll have a better chance of surviving it. You also have to check in with your coaching structure because you need to establish priorities, to include a clear understanding around the organization’s priorities and opportunities for improvement. Next step is to create an actionable blueprint on how to achieve goals effectively. I recommend starting with easy-to-accomplish tasks or easy-to-solve problems, as opposed to efforts that are going to take longer investment, whether that’s time or money. Develop a strategy to prioritize which efforts to tackle first and what the deliverables are. Another important goal is to build relationships with all security staff, leadership and stakeholders. Listen, observe, learn and collect as much information to get a broad picture of what the organization is all about. This will help you increase your knowledge and awareness of the organization’s customers and business goals, and in turn, align your security program to support the vision of the organization.

Security: What’s your advice on how you get a handle on the culture and how the CSO role fits within their new organization?

Lee: Culture can, indeed, constrain strategy. It is important to understand the culture of your new organization and, sometimes, culture change can and should be an early part of your strategy. If the enterprise your organization is charged with securing involves significant risk – critical infrastructure, significant national asset, etc. – it is important to frame your interactions with your company’s board, top-echelon leadership, and your colleagues within the C-suite around security risk to the enterprise. If you aim small, your program will be considered small, your budget will be small, and your contribution to mitigating the most significant risks will be small. Of course, you must be proficient at responding to security incidents and other emergencies. Your program, however, must also manage the threats of corporate espionage and fraud, stock manipulation, theft of valuable trade secrets, active shooter and other major workplace violence issues, etc.; all of which pose significant security risk and liability exposure. An effective executive in the professional security discipline must have a strategic mindset, understand the threat picture, and maintain a global, holistic mindset.

Sawyer: During the first 90 days, it’s critical to learn the culture of the organization. Talk to all security staff and ensure you talk to staff outside of the security and support staff too. Visit the company after hours and on weekends, and talk to all staff again. It’s important to read the company mission statement and review how that is accepted internally. It’s also critical to ask for security reports from the past year, a recent CPTED review, a risk vulnerability assessment of the company and do a comprehensive physical assessment and focus on parking lots and perimeter areas. This can help you get a sense of the culture of the organization and assess its security posture and plan accordingly. When learning the culture, ask for an area crime demographics analysis, which can be invaluable. Quietly review the company weapons policy and bullying policy and find out the company position on cultural awareness, equity and diversity.

Lyons: It’s critical to fully understand the culture of the organization and how security fits into the organization’s ecosystem and how security can best serve the business too. I recommend conducting an initial assessment of the core function and responsibilities of corporate security, and evaluate how it helps protect the organization’s people, assets and reputation. To get a handle on the culture of your organization, talk to your team members and interface with leaders at all levels within the company to understand what the organization’s risks and threats are and to better understand how corporate security can be a value add, without being heavy-handed or restrictive. Collect feedback and encourage employee voice. We need to keep organizational culture healthy and productive, as an ineffective culture can not only bring down leadership, but negatively impact the bottom line. In the end, we are here to be business enablers, and help the organization accomplish its mission by identifying factors that could impact the business.

Antoine: As a new CSO and newcomer, you must engage in the social networks of the organization to make sure you learn the organizational culture. This is a crucial step in developing sound strategies that support enterprise objectives and goals. Invite your team and yourself to engage into programs that are not security related. Attend programs, business meetings, and spend some time investing in other corporate functions. When you invest in other people, they tend to invest in you. There, you will learn how they think and what’s important to them. In turn, this will help you determine how the CSO fits within the organization. We are not only security leaders, but business executives who are instrumental in developing an effective security program aligned to the organization’s business operations.

Security: What is your best advice for a CSO during the first few months?

Lee: There are tremendous resources out there for security professionals, even those at the executive level. Your time will be constrained by the ‘tyranny-of-the-urgent,’ but time spent leveraging the experience of others in the security space is worth it. You will likely have industry peers who are eager to benchmark with you and share thoughts and experiences. Reach out to them; get to know these people. Additionally, many sectors have government resources which can inform you and help you keep your eye on the strategic threat picture discussed earlier. The FBI’s Domestic Security Alliance Council (DSAC), the Department of Homeland Security’s Classified Intelligence Forum (CIF) and its Cybersecurity and Infrastructure Security Agency (CISA) for critical infrastructure enterprises, and the myriad state and local groups focused on security issues are invaluable for understanding the most significant threats to large commercial enterprises nationally and in your area.

Sawyer: As a new CSO, advocate and teach that security is an active-integrated department. Safety and security is everyone’s job and responsibility. Always keep in mind that security team members are, in fact, active partners with every organizational entity – it is not a siloed department removed from the organization but an active integrated work team that supports and partners with all staff.

Lyons: Listen, learn and ask a lot of questions. Consult internally within the company and network with other CSOs in the industry to learn from their experiences. This is very important because other executive leaders have significant security and business experience and can offer seasoned advice on how to add value to your organization. There is a wonderful network of CSOs that are happy to share their experiences and best practices with others. It’s also important to network internally – get to know and learn who your critical partners are, such as the Human Resources leader, the Chief Information Security Officer (CISO), and the leaders of compliance and ethics, manufacturing and all other partners who can help you learn about the organization and expand your risk and threat awareness.

Antoine: Ask a lot of questions, and invest in other functions. Engage with all business partners, stakeholders, and staff. Most CSOs know the security business already, but they need to learn the business that they support and the functions that they work with. A CSO’s priority will be not security-focused at the gate, it's going to be business-focused out of the gate. The better a CSO understands the partners they’re working with, the more effective they will be.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.