There are elements crucial to the success of the relationship between the CEO and CSO. Focus on the business is one, according to (seated) Russ Cancilla, Baker Hughes vice president of security and health, safety and environment, and CEO Chad Deaton of Baker Hughes.

“In 30 years, this was the first time I saw this happen.”
 

Chad Deaton, CEO of Baker Hughes Inc., is responding enthusiastically to a question about what a successful working relationship between a CEO and CSO should look like, and what elements are crucial to that success. Also on the line is Russ Cancilla, Baker Hughes vice president of security and health, safety and environment.
 
Baker Hughes is an oilfield service company offering products and services to the worldwide oil and natural gas industry. The company operates in more than 90 countries. Deaton explains that until recently, Baker Hughes management considered Iraq off limits for the business because of concern over the safety and security of personnel. Cancilla, after joining the company in 2006, decided to take a team in to assess the situation on the ground. “When they came back they said, ‘We believe the situation in Kurdistan in northern Iraq is better than you think and with the appropriate resources, we can manage the security exposures. Come in and take a look with us and let’s see what we can do.’ In my 30 years in (the oilfield service) business,” said Deaton, “I’ve never seen security come to management and say, ‘It’s better than you think. Let’s do it.’ It’s always been just the opposite.”
 
Removing this area from the off-limits list opened up new business opportunities, and the episode clearly enhanced Deaton’s already high regard for Cancilla and his security team. It also demonstrates the two elements that have helped turn Baker Hughes into a model of enterprise security success: Cancilla’s understanding of corporate strategy and security’s role in supporting it; and Deaton’s appreciation for and awareness of safety, security and business risk.


A SHARED FOCUS

Deaton joined Baker Hughes in late 2004 and brought Cancilla on board as CSO in mid-2006, reporting to the general counsel. Before that time, the corporate security function at the company worked independently from security operations teams. In fewer than three years, Cancilla restructured corporate security into an enterprise security and crisis management (ESCM) function built around a security business model. The move to ESCM has improved the planning, execution and management of security programs enterprise-wide and better aligned security activities with Baker Hughes’ business model.

 

Among other changes, Cancilla has also helped develop a security assessment process that requires all security personnel to conduct standard business S.W.O.T. (strength, weaknesses, opportunities and threats) analyses to identify emerging markets and opportunities and assess risks. Russ Cancilla is a member of the Security Executive Council.

 

Improvements like these led to Cancilla’s promotion in January, by which the company combined the functions of security and health, safety and environment and brought them under him as corporate vice president. Now he reports directly to Deaton with a seat on the corporate strategic policy council.

 

Deaton believes the change just made common sense. “We have a significant number of people all around the world. In this oilfield service sector, like any multi-national, we have a lot of exposure. And as we move into countries that sometimes have a lot of problems; it’s critical that we look after the security and the safety of our people, which are closely linked. It’s very important for us to make sure the senior management team understands the risks we’re faced with,” he said.

 

Cancilla’s impressive performance as CSO clearly paved the way for strong future collaboration with his CEO. In order to continue the successes that have brought them this far, Deaton and Cancilla must maintain a common and articulated focus on the well-being of the business.



BUSINESS FIRST

“I expect our CSO, just as I expect our CFO or General Counsel, not to focus on only his particular function but to look at strategy in general,” said Deaton.
 

It’s an expectation Cancilla shares, both of him and, at another level, of his entire security team. “We look at the security team as a group of business professionals who happen to be expert in security,” he said. “In a very, very unusual circumstance should security ever say a business can’t do a given thing. We’re a support function. Our objective is to understand what the business wants to do and figure out how we can support it. It’s generally just a matter of how much risk we want to accept and how much investment we want to make into security.”
 
One key to this approach is knowing how to communicate the impact of risk in the language of business. “We have to be able to demonstrate that we understand what ROI means and what a S.W.O.T. analysis is and why presenting a business case analysis is important. Then we must apply those principles to demonstrating the cost and benefit of a security decision. We have to be able to use those terms and imperatives when we’re talking about security,” commented Cancilla.
 
“It’s easy to say security is adding value to the business. But really, is it? As the leader or CSO, you don’t have to be an MBA, but you can’t come into the boardroom or the senior executive meeting and talk about just security. You have to be able to talk about why or where there is value in terms of real dollars.” This also means the security leader must remain focused on the overarching business objectives. He or she must bring to a strategy meeting the information that is relevant to the decisions being made and demonstrate how the security input is relevant in business terms.
 
Often business leaders need some coaching on how and why it is important to include security as a business function. When security has long been viewed as an obstacle, as it was by many at Baker Hughes before Deaton and Cancilla came on board, managers and business leaders may have a hard time remembering that the security team is really there to work for them, not against them.
 
“There’s one thing I ask of our business folks here,” Cancilla observed. “If one of our security professionals tells you we need to invest in a security program, please don’t let the first question be ‘How much will that cost?’ Instead, ask ‘What’s the risk or threat?’ Then you have an understanding of why there might be an investment needed to manage that risk or threat, and you as a business leader can make a more informed decision on whether to invest that money.”


BUILDING TRUST ACROSS THE ORGANIZATION

Deaton says focusing on the business is the primary action Cancilla can take to help them maintain a strong working relationship. The second is satisfying the leadership at all levels all across the company.
 

“I think it is critical for any senior executive to be accepted by the thousands of employees we have around the world,” said Deaton. “Our operations people have to see that Russ or any other executive is bringing value to them, that they’re solving their problems. And Russ has done that. When he came on three years ago, security was there but it was kind of obscure. It was looked at as a cost, as overhead, but Russ and his team have changed that. Our operations people want him there, they want his opinion, and they want his team’s opinion, so they go to them to help them solve a problem.”
 
Cancilla agrees. “I don’t think it’s just the relationship the CSO has with the CEO that matters,” he says. “I think it’s the feedback the CEO gets about what the security organization is doing. And if those relationships aren’t strong and you don’t have credibility, the CEO may have to say, ‘I like you, but are you really bringing anything to the executive table that translates into helping us make better decisions or be more successful?’”


Links