It is our experience that candidates for security leadership roles often have a misconception about the view an organization will take toward the accountabilities of the senior-most security executive in the company. We have previously written about the fluid nature of, and misperceptions around, job titles. In this column, we focus on the overarching mission of the role of senior security executive and the various approaches organizations use when they address security-related risk issues.
We began working with a group of international security leaders many years ago, gathering information to develop a conceptual position model. The goal was to address the growing concerns CEOs, Boards of Directors and other stakeholders had about a wide array of security risks facing their companies. We wanted to better understand the nature of the senior security leadership role of the future.
The concept of the role, often referred to as the “Chief Security Officer,” was that of a person responsible for the strategy and governance of security-related risks facing an organization. It embraced the concept of convergence, with accountabilities for securing people, core businesses, information, reputation, supply chain, resiliency, business continuity/crisis management, company preparedness and information gathering for ongoing risk assessments and proactive mitigation efforts.
In the early 2000s, interest in the current nature of these roles significantly increased. More formal studies, white papers and suggested guidelines emerged, considering the concept of convergence of the program efforts.
The idea put forward was the need to have a senior leader with accountability over all the aforementioned areas. They would have easy access to the Board and operating committees and report at a level that was intended to signal the organization’s commitment.
The thinking behind this type of security role was to ensure that the organization had a single point of accountability that would bring a broader view. The role would also lead to a better understanding of the relationships and interdependence of a more holistic approach to managing, mitigating and responding to those areas that can negatively impact the continued viability of operations.
The structure, process and methods of implementation as well as the support resources surrounding such a role would be built around the culture and business models used within that organization. Therefore, successful delivery might well be accomplished through a matrixed approach along business lines or major functions in conjunction with the use of a variety of risk committees or multifunctional teams — really any blended approach rather than direct ownership.
For this to be effective, it requires a deep understanding of where all the security-related program pieces reside, how and why they are there and who has operational accountability regarding incident response. The named leader may be a senior business executive with key leaders overseeing areas across each of the security-related spectrums.
Recognizing that organizational change is ongoing, the successful leader needs to be very comfortable with ambiguity, flexibility and operating without authority; be effective at influencing and collaborating; and possess emotional maturity and intellectual curiosity.
As you choose the functional direction of your career, be aware that today’s organizations tend not to centralize ownership of these program efforts. Even when they do, you should expect that to change.
The success of any senior security executive is not measured by what you own. Rather, it is measured by how effective you are at reducing security-related risks facing your organization and aligning your program with the purpose. The true focus should be on building credibility with leadership and other internal or external stakeholders who may be impacted.