Several questions come to mind. The first is whether there have been any personnel changes at the senior management level. Are any previously supportive people now gone? If this is the case, unfortunately, some of the ground you covered and trust you earned while gaining support for your program may have walked out the door. Hopefully, you already have a metrics program in place that can help you show new senior management an objective view of your program goals and accomplishments. Remember, brief and to-the-point presentations are crucial for this audience.
In regards to the new boss situation:
Another aspect to consider is how well you have been aligning your programs with corporate-level goals. For most corporations this is constantly shifting. Have you tapped into the "state of organizational readiness" your organization has for your security programs? Do they look at them as reducing risk in well-defined areas (e.g., workplace violence or investigations)? Or at the other end of the spectrum, do they view security as a true business partner? Knowing how senior management views security will help you define your programs to meet their current expectations.
It is at this point you are prime for any change in direction you feel will further benefit the organization. But you can't just expect your programs to be accepted (or continually accepted) because they may have worked in the past. You must keep up with the business side and its ongoing transformations.
You must also take a hard look at where you are as a security leader. Have you settled into a "maintenance" stance? While it is clear many security departments are currently understaffed and are working with a meager budget, consider the next stage you want to achieve—for example, keeping the program maintenance at a quality level but also looking toward emerging issues. Plan for this. If your department is thought of as simply a cost center, when the inevitable business shifts loom, you will surely be in the line of fire.
As stated at the start, yes, these are warning signs. Take the time to think through your situation and the organizational structure. Then, plan strategies that will eventually get you back to the position where the current senior management understands security’s role and the importance of including you in decisions that reduce risks of concern to the organization.
Click here for more on how to gauge your organizational readiness, leadership status, and more, with the SEC’s OPAL+ assessment.
Learn about the SEC’s Enterprise/Security Risk Alignment Program.
Learn more about how the SEC can assist with executive messaging.
Answer provided by Bob Hayes, Security Executive Council Managing Director and Kathleen Kotwica, EVP and Chief Knowledge Strategist, Security Executive Council.