The nature and responsibilities of the senior-most security roles in organizations is always a hot topic with employers and amongst candidates for those top jobs. Differing philosophies about the concept of convergence of all security-related risk areas into one single executive’s portfolio have fueled long-running debates on the topic.
Differing sides of the argument about the purpose, nature and objectives of these roles often indicate a misunderstanding of the core goal. There can also be territorial challenges around ownership and execution.
These ongoing debates are, unfortunately, an impediment to these evolving security roles. Security challenges often change more rapidly than the programs put into place to mitigate them. It is important that security leadership roles likewise expand to meet the task.
The original concept of a senior-most security leader was built around an organizational standard. It created a single point of accountability. This individual was the executive charged with providing leadership and governance by ensuring a comprehensive, integrated security risk strategy. The role was accountable to the senior leadership team of the organization.
This senior-most security position signaled a high level of commitment to the organization for reporting and functioning at the top level. The role had access to other leadership bodies, the board and its operating committees. Functional reporting was not recommended.
The title of the position was not viewed as critical to being successful in the role. Depending on the organizational culture and structure, the person in the role might well be a business executive with other executives and/or senior managers leading separate, key security-related functional areas.
In some organizations, this can be accomplished through cross functional teams and/or risk committees. Further, program execution and operational management might well be matrixed and shared along with separate organizational businesses or operating units. This thinking did not rule out a centralized approach.
When viewed this way, it is critical that the top security role display leadership through development of a deep understanding of the organization. They must be willing to lead through influence even without authority, thrive in an ever-changing environment, be comfortable and flexible with ambiguity, have an ongoing desire to continually learn through intellectual curiosity, and have managerial courage when met with resistance.
Security professionals who want to successfully grow their careers to the top level require an understanding that the role of the security executive is to support leadership. They must provide them with analysis, advice and recommendations to enable the advancement of business objectives.
Today’s organizations are creating a flatter, cross-functional structure with separate management of the various operational areas of physical security and cybersecurity, crisis management, investigations, protective services, intelligence and threat management. There is no indication that this trend will revert to the linear structures of the past. Similarly, security executives should expect their roles to mirror future trends.