Must-Have Business Skills For A Security Risk Management Program




The risk management approach to business decision-making is a popular topic for business executives, and certainly something that looks like it will stick around. How should the security industry get on board with the risk-based approach to managing our programs? It starts with embracing the inevitable. We WILL be expected to speak the business language about our programs. We WILL need to be able to provide measurable results of risk impact, tolerance, and the effectiveness of mitigation strategies. And we WILL need new skills and approaches to do that.
Change is never easy and for many of us who have been in the security industry for a while, our comfort zone is in the “nuts and bolts” of our day-to-day tactics. We know our details. We understand PTZ, CPTED, IDS, BCM, WPV, EP, and any number of other technical acronyms. We know how the organization can protect people and assets from harm.
But in the world of risk-based business management, it is the security leader who can show the reasons behind all those tactics, and the impact those tactics will have on the organization’s overall risk profile and exposures, who will succeed. It is that strategic security leader who will shepherd the organization safely into the future as risks and tactics shift on a near-daily basis. The ability to see the risk landscape holistically and react with the appropriate mitigation at the appropriate time is what will give us and our security teams the edge in being ready for the future of security risks.
This doesn’t mean that tactical skills are not important. Team members must have the ability to carry out the entire spectrum of security mitigation activities. However, those tactical skills are simply not enough to ensure that the business understands the need for, and supports the implementation of, the security program. And that is where new skills are needed for the entire team.
Skills for the Security Leader
The skills needed to lead a risk-management-based security program are not much different than the skills most of our business partners leverage in managing their business functions. They are skills that, until the last 5 to 10 years, have not been strictly required of the security leader. Until recently, security leaders were typically hired to lead organizations because they were highly skilled security tacticians. Why is that a problem? I have had several conversations with incredibly skilled military and law enforcement professionals who struggled with their new environment when they transitioned into corporate security. They were not prepared when they were handed their first budget, or when they had a discussion regarding company financials, or when they were told that the company would not support the enforcement of a basic security requirement.
Acquiring the additional skills necessary to lead a business-focused security organization is not difficult, but this is a situation where a little education can go a long way.
  • You should have a comprehensive understanding of the enterprise’s business, assets, business drivers, and organizational goals.
  • You should understand the business’s footprint, products, services, and mission, both at the holistic organization level and at the functional level of your internal business partners. Additionally, be familiar with the market you operate in so that you can discuss both the business and security risks.
  • You should work across business lines and understand the individual needs of each strategic partner to more fully understand all aspects of the business.
  • You should know how to read the company’s financial reports. A basic business website can give you easy definitions for terms like PBITA, EBITA, Gross Margin, and more. This will have you speaking the same language as your executives very quickly.
  • You should have a good understanding of risk models and be competent in applying risk management principles to your department. You can study one of the major risk management models, such as ISO’s or ANSI’s, or even specific financial risk management models, to be able to confidently discuss the nature of a risk approach. Having the ability to articulate core risk principles and understand their application throughout your business is key to engaging executives in the risk-based conversation.
  • You should have the ability to work with stakeholders across multiple departments and functions to ensure that your security projects meet the risk mitigation needs of your stakeholders.
    In the current industry environment of technology-enabled security implementations and networked systems, the ability to work with technical, engineering, and IT groups to implement complex security solutions is invaluable. An understanding of project management principles from an organization such as SIA or PMI, or, even better, a certification, is a step in the right direction.
  • You should have the ability to communicate your security program and its focus on mitigating enterprise risks through protection activities. This will help you ensure that the value of your program is understood at the executive level.
    Reaching both internal and external stakeholders with information about the security program and its results (in terms appropriate to the audience) will help your business partners understand the need for the security program.
Report writing is a special skill worth acquiring. So much of the activity in security involves communicating incidents, trends, and threats. Crafting quality reports is a critical communication skill, so critical that it will have a dedicated article in this series later this year.
A well-crafted report can:
  • Drive the risk conversation forward.
  • Promote risk discussions within and outside of the security function.
  • Provide risk and process transparency to ensure awareness of risk thresholds.
  • Ensure continued follow-up of identified risk profiles.
  • Provide the basis of executive risk metrics reporting.
The ability to lead, and to demonstrate and model a commitment to change, is key to enabling you and your team to truly move from a task-management security focus to a risk-management security focus, and it will drive the message home to your team, your business partners, and your executives. The risk-based approach is a serious business commitment for your team. It demonstrates your readiness to engage with the business on its terms.
The business and risk-management skills for the Security Team are skills for the whole team, including the security functional leader. Team members, of course, need the tactical skills required to carry out their daily security activities and to protect the organization from harm. They must prevent, contain, or recover from security incidents in accordance with the security risk management plan that was agreed to by the organization’s executives.

  • Be capable of working with all types of people, from line employees to executives, both inside and outside the company.
  • Be capable of managing in a fast-moving and continually changing environment and risk landscape. The speed of change in the next decade will only increase as the world enters an unprecedented era of connection and communication. The ability to be nimble and adapt to new situations will be the differentiator between businesses that thrive, survive, or fail (and the same goes for the internal functions within those businesses).
  • Have a willingness to monitor the global risk environment. It will be necessary to stay up to date on new threats and the latest mitigation tactics for those threats.
  • Be able to quickly assimilate new skills and knowledge to meet changing demands, allowing them to stay ahead of the curve in the business and support the organization no matter what the security needs are.

The good news? As security professionals, we inherently understand the concept of “risk.” We are surrounded by leaders and business partners who also understand these concepts. To align the differences in our approach, we just need to adjust our understanding, gain a few more skills, and approach our programs with a management mindset similar to the way business looks at risk. The skills needed to interact in a risk-focused business environment are not hard to learn. With a little effort on the part of the security industry, we can all gain the needed skills to sit confidently in the boardroom and talk about security risk management in the same way as other aspects of the business discuss financial risk management, operational risk management, or any other kind of risk management that is integral to the working day.