Created By: Bob Hayes, Managing Director and Kathleen Kotwica, Ph.D., EVP and Chief Knowledge Strategist, Security Executive Council
No single skill set or attribute guarantees security leadership success. There are simply too many variables among industries, organizations, management and security leaders for that.
The Security Executive Council’s research report, the Nine Practices of the Successful Security Leader, highlights commonalities identified between security leaders who are widely recognized as successful, both internally and externally. While some of these nine practices—including conversing in business risk terminology and having a walk-and-talk management style—are the results of hard work, experience and skill, other important factors, like having top-level support from day one, may be a matter of being in the right place at the right time.
Nine Practices of the Successful Security Leader was created from a series of in-depth practitioner interviews with security executives about their top organizational risks, business alignment and drivers, internal influence issues, and senior management's view of security. The resulting qualitative analysis uncovered nine practices that the interviewees with highly successful, internally recognized security programs had in common:
- The creation of a robust internal awareness program for the security department, including formal marketing and communication initiatives
- Ensuring that senior management is made aware of what security is and does
- Walk-and-talk methodology—regularly talking to senior business leaders about their issues and how security can help
- Conversing in business risk terminology, not “security”
- Understanding the corporate culture and adapting to it
- Winning respect by refusing to exploit fear, uncertainty and doubt
- Basing the security program goals on the company’s business goals
- Having top-level support from day one
- Portraying security as a bridging facilitator or coordinator across all functions
Even if a practitioner focuses on achieving those of the nine practices that are under his or her control, the practices may not produce the same results as they did for the security leaders discussed in the report. The acumen, personality and priorities of the leader will impact how the practices are carried out and received by others in the organization. Likewise, the organization’s view of security and the maturity of the security program can either nurture or stymie some of the nine practices. If management sees nothing more in security than incident response and physical access control, for example, then making them aware of what security is and does is crucial, but extremely challenging. Again, skill and aptitude are crucial, but success also depends on being in the right place at the right time.
Security leaders who aspire to become what we like to call Next Generation Security Leaders—future-oriented professionals who work across many domains, run programs that are aligned with their businesses and are influencers in their organizations—should focus both on improving their aptitude and positioning themselves to be in the right place at the right time.
Assess to Find the Best Executive Development Resources
Education comes in many forms, and not all of it is good or worthwhile. To determine what type of learning opportunities to pursue, security practitioners should first candidly assess themselves and their organizations in light of research like the Nine Practices report, peer feedback, and industry benchmarks.
They can review or perform organizational risk assessments to refresh their perspective on the risks and opportunities security can or should address. They should also review the organization’s goals and evaluate whether security is helping to meet them. Then, a personal leadership assessment is in order to help the practitioner see the gaps in his or her skill sets and decide whether addressing them could help enhance security for the organization. Through this process, a security leader can best identify the educational gaps he or she most needs to address. The next step is figuring out how and where to bridge them.
Developing a mentorship with a more senior or retired security leader you respect and would want to emulate—preferably from within the same organization or industry—may be the best way to learn. Mentorship is more than shadowing or meeting for lunch now and again. It’s a long-term relationship that entails sharing detailed knowledge and experience. Mentors can also enhance networking for their mentees.
The biggest problem with mentorship is a dearth of mentors. Truly innovative, visionary, business-focused security leaders are rare, and where they exist, it’s unlikely they have the time to do much mentoring.
Again, a series of candid assessments should help point you towards education that would be relevant and helpful in your situation. Security-specific or industry-specific seminars offered by trade associations may be good sources for learning on certain security-specific topics. Business schools and industry-supported business programs may be more helpful for general business administration.
However, the Security Executive Council has found that while industry business programs help security leaders understand business practices and speak the business language, they fail to marry business processes with the job of risk mitigation. The Council is building a knowledge transfer program that addresses these concerns by including input from business professors, security industry veterans, and current practitioners—many of whom exemplify the nine practices we’ve identified. We have pinpointed 11 things that senior security leaders want to see in their staff and used these to guide the curriculum.
Once you’ve begun building your aptitude, it’s necessary for you to find an organization in which you’ll be able to use it to the utmost.
Finding a Job that Enables Next Generation Leadership
Putting oneself in the right place at the right time is a matter of effective career management. If Next Generation Security Leadership is your goal, every step of your career management strategy should be engineered to advance your journey toward it. This includes recognizing the organizational factors that play a role in achieving Next Generation-level success and building the job search, interview process, and decision making around those factors.
Some of the commonalities found in our research for The Nine Practices of the Successful Security Leader may indicate how an organization or a security program can enable its security leader to excel. Consider what the following practices say about a prospective new employer and its existing security program.
- The creation of a robust internal awareness program. This is not employee risk awareness training; it is a formal marketing program that builds internal awareness of the security function and raises the understanding of what security does and the value it imparts to the organization. Program maturity is a significant factor here, as is corporate culture. It may be difficult or impossible to implement this practice if the existing security program is very small; if it is under-funded or under-appreciated; if it is recovering from major negative events that require all of the program’s resources and time; or if the program’s mission, vision and goals are unclear even to the security function. These are things to look out for.
- Ensuring that senior management is made aware of what security is and does. Like building internal awareness, this practice’s success depends on culture and maturity, and also on reporting structure and the perspective of upper management. Security Leadership Research Institute findings show that the reporting level of the security leader is a major factor in success and influence. It doesn’t matter which function security reports through as much as how many levels away from the senior-most operating executive the security leader is. If senior leadership will not be accessible or does not appear willing or ready to listen to security, this should inform career decisions about the organization.
- Understanding the corporate culture and adapting to it. Is the culture something you can adapt to? If it runs counter to your principles or your leadership style, consider truthfully whether you will be willing or able to adapt.
- Having top-level support from day one. This is arguably the most important predictor of success. Is the senior-most business leader a driver of or an inhibitor to security improvement? Does he or she buy into the value security can bring to the organization and hope to maximize that? Will he or she provide resources and authority to enhance the program and its value creation?
In his book From One Winning Career to the Next, J. David Quilter outlines a number of considerations for security leaders who are plotting out their next career steps. Many of the checklists and questions he provides to career seekers can help a prospective Next Generation Security Leader determine whether an organization is a fit for the practices above, as well as other factors of success.
Here are a few of the questions he recommends the job seeker think about during the interview process:
- Has the organization spelled out the responsibilities and accountabilities of the new security leader?
- Have there been numerous mergers or turnovers in key personnel? Have departmental and executive roles been sorted out in the aftermath of changes?
- What important security issues has the company faced within the last five years? How have they been resolved?
- Is there a well-established security function in place or is this a start-up?
- Is it clear to you what this company needs from you, and the timeframe in which they expect you to deliver on goals and objectives?
- Are existing security team members and others interested in personal and professional growth?
- Are members of the executive team participating in your interview? Can any of them discuss security with the same enthusiasm as they might speak of sales, marketing, finances, or operations? If not, what priority do you think they will put on security in practice?
- Will you report to a C-suite executive and have access to the chair and CEO?
- How is the morale of operational managers?
- What about teamwork within departments? Do departments collaborate with each other?
- Are your questions answered honestly and without undue defensiveness?
- Do top executives trust others to lead within their departments, or do they merely want you to manage?
- Is the security organization fully integrated into the company?
- Does the corporation you are thinking of joining spell out its values? If so, how have they become part of the daily operation of the company? Are there ways in which the company evaluates itself behaviorally on specific criteria?
Quilter recommends that security leaders learn as much as possible about those to whom they will report through searches of publicly available information and other resources. They should speak with employees not in the presence of their interviewers and attempt to see how the company treats employees and security issues on a day-to-day basis.
Next Generation Security Leadership is a long-range goal for most. Developing the knowledge and skill sets it requires while carefully managing career moves—these are complex and challenging tasks, but they are worth the effort, and their results are worth the wait.