By the Security Executive Council
If you as a security leader have never asked yourself why the security function isn't gaining the influence and traction it deserves, you are in a very small minority.
We revisit this question almost daily with the security professionals who come to us for advice and resources, and we've identified a few valuable points you can consider as you begin to answer it for yourself.
Recognize there are some things you can't change.
Organizational structure and readiness, as well as the maturity level of the program, will impact your role and how you can most effectively manage security. For example, senior management's expectations for security in a startup will be very different from the board's expectations for security in a well-funded, 25-year program.
Start by realistically examining where your program is and what the expectations (and limitations) are.
Then, look at what you can change. Often, this begins with you, the security leader.
Can you better understand the business?
The first step in gaining traction and influence is to know what your business does, what it values, how it works, its risks and opportunities, what management expects, and what their priorities are.
Clearly, building this level of knowledge can be a long and complex process. It requires in-person conversations across the organization and in the C-suite and examination of goal statements and strategic plans.
Don't assume that, because the company's goals or strategic plan don't explicitly mention security, they present no opportunities for security to help meet those goals.
If one of the company's goals is to reduce total delivered product costs, for instance, it may mean that management feels they are bleeding dollars in the product supply area. Perhaps the security function can enhance or institute a process for reducing theft in transit or initiate a more collaborative alignment with transportation companies to reduce losses in orders. Or perhaps security can deploy a more efficient physical security review of distribution centers to reduce losses.
Can you better understand its risks?
The next thing you need is a good threat risk assessment. You need to know what types of risks your particular organization might face and what management's expected response would be. You also need to know threat sources and be ready to engage your tools and resources at an appropriate level.
Can you better align with the business and its goals?
Any business unit can easily become so mired in its own operations, requirements and challenges that the broader goals and needs of the enterprise become obscured. But for the corporate security function to be fully effective, its goals and objectives must be reflective of and inextricably interwoven with the company's goals.
We encourage security departments to align with board strategies by learning to view risks the way the business is likely to perceive them. To this end, we recommend they group identified security risks, as well as security mitigation strategies, under a list of risk categories organizations commonly tend to use. The security risks can be compared to the critical organizational risks the Board has identified. This way, the security function can present a direct link between each business risk category and the potential use of a security program or service to mitigate the risks identified.
In this vein, there are a few things you could focus on that will help meet business goals in many organizations:
- Develop and manage security programs that enhance profitability.
- Make the company a tougher competitor.
- Enhance the company's ability to reduce shrinkage, reduce attrition of employees and create a safer, more efficient workplace.
Can you communicate more often or more effectively?
Related to both of the above points, it's important for security to be in continual dialogue with business leaders to ensure security strategy complements business strategy and helps to accomplish the company's goals.
If you don't currently have strong relationships in business units or the C-suite, make them happen. Get time on the calendar of senior corporate leaders, and be prepared to "sell your case" in five minutes or less, as you may not get much time until relationships are established. Explain to senior managers and line managers that the security function exists to meet the security needs of the business and that a greater understanding of the business means more efficient, effective, and appropriately directed security services.
Don't be afraid to ask questions. But at the same time, be confident that you are the security expert, you know the best strategic approach for security, and you want to ensure you fully understand all aspects of the business so security can better help the business meet its goals.
The Security Executive Council is made up of former successful leaders of security programs. We have the skills and knowledge to help you gain traction within your organization. Contact us to discuss how you can tap into our resources.