Influencing executives' thoughts and decisions regarding risk and corporate security is a consistent challenge for security leaders. And it doesn't just present a problem when cutbacks are looming – though that's frequently when it's most noticed. Inability to influence is, itself, a vulnerability to risk.
This was one of the takeaways from a recent Security Success Strategies session, a new SEC offering for the security community. In the session, SEC Managing Director Bob Hayes, Emeritus Faculty Dean Correia, and Emeritus Faculty George Campbell discussed the consequences of lack of influence and shared a variety of ways security leaders can tackle this common issue.
1. Know Security's story.
Have a concise, compelling security story to tell, one that can be counted in words or sentences, not slides or pages. This is an elevator pitch that pinpoints in as few words as possible why the organization wants and needs the security function.
Said Correia, who was formerly director of corporate security at Walmart Canada and regional manager of partner and asset protection at Starbucks Coffee: “At Starbucks, our story was: We help protect the coffee experience. At Walmart, it was: We get product to the stores in a safe and secure manner.”
Having this elevator pitch helps ensure that all stakeholders, from the security team itself to the CEO, understand what security does and how it aligns with the business, Correia said.
2. Tell the story in a way that matters to the audience.
“Your audiences range from the board to people outside the organization, including vendors, contractors, and other professionals,” said Hayes. Each of these will have their own cares and concerns. “Clearly you don't talk to employees in the same way that you talk to the board or your C-suite or your leadership team,” said Hayes. While the message of the security story shouldn't change from audience to audience, the supporting information, data, and tone of the more detailed conversations that proceed from that story definitely should.
Remember that the security story is not just a sales pitch. It's a genuine effort to educate, communicate, and identify common goals.
3. Don't press for a security landscape that the organization isn't ready for.
The most successful security programs are the ones that pair well with the company's current conditions, circumstances, culture, and resources: what we at the SEC call the C4R. Neglecting to consider this can cause resource-wasting, time-consuming problems, as both Hayes and Correia attested.
“When I first joined Walmart, I was very comfortable with business continuity. I had a lot of experience in it. So one of my first actions was to try to start up a business continuity program at Walmart,” said Correia. “I fell flat on my face. Wasted a lot of time in the first two or three months because it wasn't as big of a priority for the company at that time.
“It wasn't aligned with the key three deliverables were for that year. My advice to help with this is: Find out what the key three deliverables are for your company in every strategic year. If you align your security practices to drive those big three, and match to C4R, it should set you on the road for success.”
4. Recognize when security's influence is decreasing.
It's sometimes difficult to see the connection between certain security-related issues and waning executive influence. George Campbell shared a series of warning signs that security leaders should look out for. Here are just a few:
- Security is not consulted before management makes changes with evident security risk impact.
- Decreasing engagement of essential internal partners in matters of clear security concern.
- Management declines to approve a new or revised security policy to mitigate a consistent pattern of risk.
- Uninformed and imposed budget reductions without consideration of increased risk.
- Realignment of Security at a lower level, impacting unfettered access to the top.
- Increased number of risky external relationships with no security review.
Any of these should signal to a security leader that it's time re-evaluate how security communicates its value to the organization.
5. Gather, manage, and use data.
Useful data is everywhere – in incident logs, incident reports, business plans, after-action reviews, incident postmortems, contracts, budgets, case results and more. If that data is not being gathered and managed to create meaningful measurements of security performance, then a major influence opportunity is being lost.
“Some companies have hundreds of pages of Excel sheets that logged all of the incidents over a number of years, and that data has never been harvested. It sat there waiting for somebody to say, 'What can I learn from this?',” said Campbell. “Manage the data and build a dashboard that informs and delivers an inescapable message of accountability.”
“Influence is a core competency,” Campbell concluded. “Think about the unique perch we have to view enterprise threats. We have data on threat and risk that nobody else has. How we package what we know is the key.
“When we clearly and competently communicate and advise the right people, things have a way of changing for the better.”
Next Steps
As with everything we do to enhance security for an organization, addressing executive influence requires pre-crisis planning and preparation. Don't wait until its too late to work on your ability to build a robust working relationship with management.
The Security Executive Council can help you on your journey. We have the people skilled in communicating with top executives that can work with you to maximize security's value within your organization.
Contact Us
Download a PDF of this page below:
