At the Security Executive Council's December 2022 State of the Security Industry (SSOI) Briefing, three Tier 1 security leaders shared their stories and discussed how they are using the results of their Security Success Universe Assessments for positive change in their organizations.
The SEC Security Success Universe is based on more than 15 years of research into successful security programs and leaders. It outlines 115 elements in 13 categories that can help the security leader down the path to excellence. (View a graphic of the full Success Universe complete with all subcategories.)
The Universe Assessment takes security leaders through a series of questions pertaining to the success elements, then assesses the results based on how many Universe elements are currently in place. Participants then receive a percentage score and a radar chart that visually depicts their current state across the 13 categories. A sample radar chart is below depicting just one of the 13 categories (Security Foundation).
Security leaders take the Universe Assessment for a variety of reasons. Some simply want to know what is possible for their function. Others want to find and analyze gaps, and to help strengthen the security program. Still others use the assessment results as a tool for discussing the state of the security function with management.
As always, it's critical to enter into any assessment of the function with a clear understanding of your C4R: your current conditions, culture, circumstances, and resources. These four categories describe your operating environment, and they are unique to your company and situation. They are the reason there are no universal solutions to security challenges, even among companies that appear to be quite similar.
Our SSOI speakers come from vastly different circumstances, and they received a range of results, but each spoke about how the output from the assessment is working to move the needle for their programs.
--
Our first speaker, the CSO at a major media company, has only been in the SEC Tier 1 community for one year. Their organization has been in flux; the company recently split into two separate organizations, and the last 16 months have seen a series of structural realignments. All this change has created confusion and uncertainty about the capability, position, and mission of the security function, which has a low headcount.
This leader wasn't surprised when their assessment results showed a score of 48%. The percentage score doesn't indicate a “passing” or “failing” state and should not be viewed as such. Rather, it quantifies the extent to which the function currently aligns with its desired state. The speaker remarked that the results have helped them set priorities and will be used to help discount mistaken assumptions about the security function.
They are up to the task of learning how to optimize convergence in their organization and educating executives and internal stakeholders on the capacity of security to support and grow business as well as build value.
--
Our second speaker considers themselves more a risk manager than a security leader. They joined a major insurance company as CISO and were later made CSO with all of security and risk management under their purview.
This leader views security as a tide that can raise many boats. Through their governance model, executives acknowledge that they are the owners of the risk, while Security manages risk and presents options for treatment. The company fosters a team atmosphere and has a “no unfunded mandates” policy, so approved initiatives can reasonably expect support.
This security function scored a 69% on the Security Success Universe Assessment, with budgeting representing the lowest-scoring category due to the organizational differences in the budgeting process. The speaker expects the assessment results to help as the function shifts its focus to continually maturing processes.
Executives appreciate assessments like this that provide a model of what the accepted universe of the function and the standard of performance should look like. It's something one sees routinely in information security and enterprise risk management, this leader pointed out. The assessment results help the risk manager lay out a plan for how to advance over time, and they make it easier to have discussions around risk.
--
Our third speaker is a director-level security leader for a large pharmaceutical organization. They came to the company when it acquired a smaller organization for which this speaker was the program lead for Global Protective Services. The acquisition required extensive harmonization between two existing security teams with different levels of centralization, geographic scopes, and reporting levels, and left the new team the task of re-educating executives on the function.
Then a COVID-influenced enterprise crisis management assessment led to the security team being leveled up in the organization with an expanded remit for crisis management. The team is now seen as a true global partner, and it has greater interaction with senior executive leaders. They have used the radar chart of the Security Success Universe Assessment results to track the function's progress and to talk value with the C-suite.
The function's score of 83% shows that even the high-performing security organizations don't have it all figured out. It was noted that anytime you can take data like the Universe Assessment results to stakeholders and bolster that data with a brief and meaningful value story, it will positively impact risk decisions and resource allocation.
--
The Success Universe Assessment is one in a suite of five evaluation tools that can move security programs down the path toward continuous improvement. (Learn more about all five assessments.)
More information about how the Security Success Universe Assessment works.
If you'd like to take your own free Security Universe Assessment, contact us.