Created by the Security Executive Council
The Security Executive Council (SEC) has developed an assessment based on over ten years of research and trending on successful corporate security leaders and programs. What became clear is that three main factors and two cultural attributes play a role in successfully enhancing or moving programs ahead in any given organization. These form the OPaL+ acronym:
- Organizational readiness
- Program maturity
- Leadership status within an evolving continuum
- Corporate Culture
- Organizational Risk Appetite
Organizational Readiness
Every organization has a view of what "security" means to them. For some it's preventing activities (e.g., access control, fencing, guards). For others it's balancing proactive business risks (opportunities) with a reduction in unwanted risks in order to achieve business goals. The SEC has identified at least five archetypical states of readiness, from "guns, gates and guards" to security viewed as a business partner. Knowing the organization's state of readiness for an advanced state of security strategy arms the risk mitigation leader with the correct way to plan and communicate to senior management.
Sample Issues to Probe
- What is the organization's overall risk appetite?
- How does senior management define "security"?
- What are senior management's expectations of Security?
Program Maturity
The SEC's research shows that security programs move through five stages to reach a highly developed state of maturity. Typically, these stages are: moving from a reactive to a proactive mind-set; from undocumented to documented and repeatable programs; to business-aligned and integrated; to innovative. Knowing where the security program currently stands helps to develop a roadmap to a desired end state.
Sample Issues to Probe
- On what kind of activities is most time spent?
- What is the state of measuring impact and success (a metrics program)?
- What strategies are used to "market" the security department?
Leadership Status
Built on the concept of "personas" development (used in marketing to create representative groups within a demographic to distinguish attitudes and behaviors), the SEC has identified seven distinct security leader types. The leadership types tend to fall into a continuum of evolution, although a new situation can cause a reversal to an earlier stage. As a leader moves through the continuum, he or she transforms from a creator of programs to a facilitator, to a promoter and director of the expansion of security and its value across the organization, and finally to an industry-recognized innovator, often contributing to the organization's bottom line.
Sample Issues to Probe
- Are you working more on core programs, sector issues, designing security into business projects, or developing innovative programs to meet transforming business needs?
- Does the security leader report to the senior executive responsible for business operations oversight?
- Does Security have a seat at senior-level corporate committees?
Corporate Culture
The corporate culture is similar to a fast-flowing river that the organization operates on. Exhaustive rowing may get you to your destination, but most initiatives will need to flow with the culture of the organization if you expect them to be successful. Corporate culture largely impacts how you need to communicate your programs and strategies.
Sample Issues to Probe
- How would you describe your organization's culture?
- Is your organization's culture open to change or new initiatives?
- How might you tune security strategies to match your organization's culture?
Risk Appetite
Different organizations have different levels of tolerance to risk. Even divisions within a large corporation could have varying risk appetite levels depending on their objectives and goals. It is not the CSO's role to determine what level of risk is acceptable. Instead, the CSO's role is to provide the information necessary to executives so that they can identify the correct security posture to support their strategic initiatives.
Sample Issues to Probe
- What is your organization's inclination toward risk?
- Will executives see your strategic plan as complementing the organization's approach toward risk or as a drag on growth?
Our research shows a specific strategy for each of these elements is needed to:
- advance the success factor of the Security program in the organization;
- develop security leadership aptitude;
- advance the organizational readiness of sites, staff groups and senior management leadership.
It is also important to define the elements needed and valued in a particular organization. The SEC meets this challenge by building tools and solutions that assist in closing any gaps in OPaL+ factors to build an effective, meaningful and value-driven Security program.