How to Envision the Big Picture
By Security Executive Council
SEC Emeritus Faculty Contributors: Dan Sauvageau, formerly SVP of Global Security with Fidelity Investments; Dean Correia, formerly with Wal-Mart Canada Corp; Tom Bello, formerly with Exxon Mobil Corporation; and George Campbell, former CSO of Fidelity Investments
Security leaders tend to excel at tactical thinking: dealing with urgent situations quickly and decisively; implementing solutions to protect people and assets. Historically, tactical thinking has been part of security leaders' training, which often began in law enforcement or the military. However, unless tactical thinking is balanced with strategic thinking, it will be difficult to make forward progress toward long-term goals.
If you find yourself asking why you can't convince the business of the value of the security function, why you struggle to influence executives for support or change, and why you never seem to have time to develop your own skills or the skills of your staff, an imbalance between tactical and strategic thinking may be part of the problem.
Tactical vs Strategic
Here are a few examples to clarify the difference between tactical and strategic thinking:
- New business acquisition.
- A tactical thinker responds to senior leadership's decision to acquire a business by checking out the acquisition's security program, seeing what it consists of, and integrating access control systems so executives don't need to use two badges.
- A strategic thinker knows the company is considering the acquisition before the final decision is made. He or she is part of the acquisition team and
- develops plans for acquisition teams to stealthily investigate the business without showing their cards
- prepares a robust report about the past risks and exposures of the company, public profile of its principals, social media sentiment, list of suppliers, and their past security and cyber risks that would be detrimental or costly to the acquisition
- conducts deep dives on their 10k risk and scenario planning to get a sense of the health of their risk countermeasures and preparedness to respond to stated risks and/or how much risk/exposure the acquisition will cost
- Use of security technologies and solutions.
- A tactical thinker is familiar with all the traditional security tools and implements them by default for traditional purposes.
- A strategic thinker asks business leaders about their challenges and problems, explains security tools in place, and leverages them in creative ways to solve business problems. For example:
- using security video analytics to display queuing data for customer service lines and responsiveness
- using video for quality assurance of after-hours vendor services like cleaning
- using access control readers on multifunction devices like office printers to reduce waste and improve information security
- using access control data to assess office population density and space utilization to inform business decisions in HR and facilities
Put simply, tactical thinking asks "how." Strategic thinking asks "what if."
Signs of Imbalance
SEC faculty have worked with many security leaders who, for a number of reasons, think primarily tactically rather than both tactically and strategically. The following could indicate that you are overfocused on tactical thinking:
- You feel constantly overwhelmed
- You don't network or present at conferences or events
- You don't know your company's top three goals
- You have not read your company's 10K
- You talk about immediate needs, but not about the next quarter or the quarters beyond
- You don't know many key leaders in other functions at or above your level
- You are surprised by company announcements like mergers and acquisitions
- You find that senior management asks security risk-related questions of other groups, like public affairs or international government relations, rather than the security function
- You become aware that the company is engaging outside security experts without involving you
- You do not conduct annual strategic planning meetings or develop strategic plans that describe your mission, goals and objectives, with KPIs
- You are having trouble meeting your boss' expectations
- You collect incident reports and data but don't use it to develop actionable metrics
Obstacles to Strategic Thinking
"Who has the time?" This is one of the more commonly cited reasons security leaders put off strategic thinking. If all your time is being taken up by the day-to-day and by putting out fires, there could be a number of underlying issues.
- You lack adequate resources to efficiently manage operational and tactical issues. This could mean you operate in severe threat industries or locales, and/or you do not have adequate manpower to delegate, and/or you do not have the budget to implement enough solutions to mitigate everyday threats.
- Your senior leaders perceive security as a crisis focused function, not a source of strategic business value. This may be a sign of ineffective communication with business leadership and/or security's lack of understanding of the business' goals, mission, and strategic direction.
- You are taking on too much, either voluntarily or because senior leaders have unrealistic expectations of you and your function. This could mean they don't understand the function or its capability, or they haven't adequately resourced the function to meet their demands. Or it may mean you need to take a step back and work within your means.
Tips for Finding Balance
Unfortunately, there isn't a simple, pain-free way to free up time for strategic thinking. Improving the balance requires you to recognize the value and benefits of strategic thinking and to make the time to engage in it.
Our faculty shared several recommendations they offer to clients who would like to expand their strategic thinking time.
- Put it on the schedule. Block out a time to think strategically about the function and treat it like an important meeting – no cancelling.
- Meet with stakeholders. Ask them about their top objectives and risks, and about their perception of security. Ask about key changes, plans, coming investments, and forecasts.
- Meet with leaders in other functions, and invite them to your meetings. Ask them about their objectives and risks and how security can help meet them.
- Tour your company's sites.
- Find a mentor either within or outside your company.
- Read the business' 10K.
- Develop your team with next generation leaders you can rely on, so you can free up more time to think about the big picture.
- Make sure your team has annual performance objectives and personal development plans, and follow up to see how well they're being met.
The SEC helps clients and Tier 1 members think strategically by coaching them on how and where to connect with senior leaders, how to approach other leaders as a partner, how to align with the business' mission, and how to develop metrics that effectively tell security's story.
One of the reasons we developed the Next Generation Security Leaders program was to assist clients and their teams with thinking strategically.
To learn how we can help, contact us.