Created by: Bob Hayes, Managing Director and Greg Kane, Director of IT and Product Technology, Security Executive Council
Though we deal with risk every day, there is one risk that rarely makes it into our risk management plans—a change in organizational leadership. Whether the result of an internal structural shift, an external hiring decision, or a merger/acquisition, a change in leadership and reporting can signal a challenging time for security.
The new leader will have his or her own agenda, goals, and view of what security does and what security’s role should be. If this does not mesh with your view or your existing strategies and operations, some meeting of the minds will be necessary.
You could choose to accept this risk, essentially ignoring it and dealing with the fallout as it arrives. However, a better choice would be to mitigate the risk by preparing for it and making the transition to new management as smooth and productive as possible.
What You Need to Consider
New leadership tends to fall into one of three categories.
Advocate
This is someone whose security goals align with yours and who is prepared to defend you and the security team in conflicts with other management. You can tilt this option in your direction by being armed with documentation of what security has accomplished to date, what your function does on a day-to-day basis, and how successful it has been.
Associate
At some level your goals likely align with this leader’s, but this is someone who can best be described as a significant customer. You may disagree on the details of how to achieve security’s goals, but you will have to accept that in this case, "the customer is always right." In this situation you want him or her to understand the value security brings to the organization. You need to be prepared to present a convincing case to ensure the boss ends up a satisfied customer.
Assassin
This leader likely does not understand security’s role in or value to the organization. He or she may have a mandate that is at odds with your understanding of risk management within the organization. This situation may require a damage control approach, but in any case it necessitates preparation and a thorough understanding of your adversary and your current operating environment, because you may need to defend previous actions. If you can show that existing customers of security value your services, it will go a long way toward discouraging adversarial action.
What to Do
A proactive approach to new management is the best recourse; views are easier to change before they become entrenched. If a new leader is making statements to others about what he or she is going to do to "fix security," then pride may prevent them from recanting or modifying their initial position. A preemptive strike may be required, and if you are not prepared to execute on it wisely, you may do yourself more harm than good.
Do some thoughtful investigation of why new management is being brought in and what the new leader’s background is. Ask yourself hard questions, take the viewpoint of the new management, and be brutally honest with yourself. Is this new management likely to start up a new security program? Has he or she been brought in to help turn around risk-related failures, to realign functions, or to sustain success? What led the organization to this point?
Next, do some research on the new leader’s career history. Identify the most likely security issues and risks they have faced in previous organizations. What industry-specific issues or regulations did they have to address? Be prepared to answer questions related to these issues.
If the new leader is an internal reassignment, identify the security services they would have used. How much have you spent on their previous business group? What experiences have they had previously in dealing with security, and were those experiences helpful or problematic? Understanding how your customers feel about security will help you understand how best to approach them.
Whether the new leader is an advocate, associate or assassin, you will need to educate them on what your department does. You will need to show the value of security and demonstrate how others see value in security. You will need to have documented results.
If you do not currently have this information, you need to develop it internally or with the help of a third party. It will help you immensely in the leadership transition and beyond.