Faculty Advisor: Making Risk Mitigation Strategy Adjustments in Your New Job


Q. I recently accepted a new job as CSO at a company that is in the same sector as where I was previously. Is it safe to expect that since my new job is within the same sector I will be able to employ the same risk mitigation tactics and strategies as before?

A. You ask a very reasonable and important question. The answer is, “it depends,” and I will explain why I say that. There are certain key elements within the new company to consider when a CSO migrates from one company to another, even within the same industry. You should think about the tolerance of risk differences between the two companies and the scale of how they compare.

Let’s spend a moment on discussing some of the key issues regarding security risks at your new company compared to your previous employer. Our goal here is to understand the differences between the two companies and their current business directions in order to set priorities for security programs.

  • Risk Tolerance. How does the company look at risks related to security issues? Remember, companies have choices on managing risks. They can accept the risk, transfer the risk (insurance), change locations, or mitigate (security programs). Management’s approach to security risk will vary from “tell me more” to “don’t bother me.”
  • Scale. Two companies in the same industry but of different sizes have varying security risks driven by their sales and geographical investment in property and employees. Size creates the opportunities to implement security programs that can be effective and contribute to the overall success of the business.
  • Maturity. Companies are, in many ways, living organisms that are constantly changing, so a key question is, “What is the current status of the company?” Is it expanding, hiring, growing, or is it closing sites, downsizing employees, and reorganizing? The growing organization will have different security risks and program needs versus the company reorganizing itself, even within the same sector.
  • Corporate Culture. Companies have cultures driven by management leadership. Understanding what your new company’s culture is can lead to success in managing the security risks. Some companies exhibit a high tolerance for risk and look for the CSO to provide “heroic recovery” efforts where issues occur. Other companies have a culture of careful planning and management of security risk.
    In similar ways, some companies vertically integrate to manage costs and quality, while others outsource everything possible and work to ISO standards for their quality control. In the first instance the CSO protects the investment; in the latter case the CSO influences through contract standards and inspection.
  • Capital Investment. Companies vary in their approaches to capital investment, including security program needs. A company that reinvests constantly in its business has a high tolerance for the same investments in security program mitigation. A CSO can use technology investment to lower costs and improve results. Recent trends in global security operating centers (GSOCs) are a good example.
  • Communication/Collaboration. Companies vary significantly in their internal approaches to teamwork and information sharing. As a new CSO, observe how security currently interacts with the business units and what opportunities exist to improve and integrate security into the mainstream of risk management. Is there an opportunity to create a business-based security council for better communication and integration?
  • Regulation/Compliance. Companies often have varying compliance and regulation requirements for security programs, most often driven by local, state or country regulations. Security program regulations, for example guard training requirements, will vary significantly from state to state in the United States.
  • Budget. Companies vary significantly in their approach to managing security costs. Understanding how your new company pays for security costs internally is critical. Some companies have a “charge out” method that requires you as the CSO to communicate and create metrics to achieve agreement with your internal “customers” to pay for security costs. Other companies manage their security budget on a centralized basis and simply charge business units on a “cost per square foot” basis. Your new company may operate its budget process much differently than your previous employer.

As the new CSO, the company hires you as their security expert. However, it remains critical for you to understand the company culture and approach to managing risk in order to align and be a successful contributor to the company. The Security Executive Council has conducted expert examinations of companies, including their tolerance for risks. The lessons learned can be shared with you and reduce the time and effort needed by you as you walk in the door. Always remember, the company management often does not even think about security risks until there is a problem. Being prepared to answer their questions within their approach to business is critical.

Good luck!

Response provided by the late Richard Lefler, former Security Executive Council Emeritus Faculty member.
