At the New Year we find ourselves reflecting on who we are as an industry, what we're doing and where we hope to be. Our ongoing research into security-related issues has shed light on some remarkable changes in the security industry over the last ten years, many of them driven by technology advances and shifts in the business environment.
Let’s focus specifically on management, strategy and leadership issues. Based on our research and our collaborations with senior security executives in all types of organizations, here are our thoughts on how security leaders have advanced and where they seem to have hit a wall.
Advances
• More security practitioners are coming to their roles from varied backgrounds – not just military or law enforcement – a trend that is gaining favor with senior-level hiring managers who want roles that combine business skills with security skills.
• More practitioners are beginning to infuse business theory and processes into every facet of their function.
• There is more interest in the business community in educating executive business leadership about security risk.
• We are seeing more security titles at the executive level and a higher level of executive interaction in many organizations.
• Risk is becoming a more common focal point for senior management, and they are communicating with security more about that risk.
• More practitioners are connecting the dots between security and the risks to each function of the organization, seeing the bigger picture and where their function resides within it.
• Security leaders are giving more consideration to aligning their services to the critical board-level (10-K) risks.
• More leaders are recognizing the need to brand or re-brand their security department.
• Operational excellence is increasingly a focus of future-oriented security leaders. We have worked with a number of practitioners who are hoping to develop quality management programs.
• Similarly, more security leaders are moving forward to build credible measures and metrics programs for security.
Needs Work
• Security practitioners continue to offer on-demand, ad hoc services in reaction to events, but not enough strategic, long-term programs that are built upon a solid understanding of the business, its risks and opportunities.
• Although senior business management is now savvier about security risk issues, there has been little forward progress in their understanding of the security function’s role in the business.
• While more practitioners are beginning the process of aligning their services with business goals, few are using this exercise to its full potential.
• A surprising number of practitioners cannot articulate, or do not know, exactly what resources their function consumes or what capacity it has for delivering its services.
• In a similar vein, practitioners and corporations are generally unable to calculate the total cost of the security services the organization consumes.
• Security practitioners often view their department as something different from other business units and feel that exempts security from behaving as the other units do – measuring performance, quantifying value, delivering on strategy initiatives. Increasingly, executive management disagrees.
• Many security leaders report that they continue to have little control over budget allocations and discretionary spending.
• Rarely are security services communicated in terms of what risk they mitigate, and this causes gaps in staff and leadership understanding and investment in those services.
• While metrics are an increasingly hot topic, many security practitioners continue to count things rather than provide true, meaningful metrics. Metrics are intended to influence and to tell a story. It's good to know how many laptops have been lost, but that number by itself isn't a useful metric; what matters is what it says about risk, trend and the effect of the controls in place.
• As an industry, we lack research-based documentation that provides baselines and templates for successful security programs.
In too many organizations, security remains an antagonist or an afterthought. This amounts to more than a PR problem. True, in some businesses the biggest issue is that organizational leaders simply can’t or won’t see the value in robust risk management. However, our observations have shown us that often, the problem is that the security leader doesn’t see himself or herself as a leader.
If you’re reading this magazine, it’s likely you do want to strengthen or maintain the quality of your program. Do you consider yourself a leader? How much do you know about the inner workings of your business? When was the last time you created or monitored relevant metrics about your program’s operations and ROI? How often does your top management ask your opinion? Can you articulate your strategy? What do you need to do in 2013?
This article was previously published in the print edition as "Advances and Stalemates in Security."