As I mentioned earlier in the week, I traveled last week to London and spoke at the Global Security Challenge conference. While there, I met a fellow panelist from the British think tank Demos, Charlie Edwards, who was the co-author (along with Rachel Briggs) of a report entitled “The Business of Resilience” released a few months ago.
I read through the report earlier today, and it’s an excellent treatise on the evolving roles and responsibilities of the security function within the private sector. Briggs and Edwards offer a number of insightful observations regarding why security and resilience should be considered as core strategic imperatives, and what companies can do to align security with core business imperatives. They identify six characteristics exhibited by successful companies, which are worth listing here in full:
- They [companies] understand that security is achieved through the everyday actions of employees right across the company. It is not something that the corporate security department can do to or for the company on its behalf and its functional success is therefore dependent on its ability to convince others to work differently. This places emphasis on communication and requires security departments to value the views of non-security professionals just as much as those of the experts.
- They recognise the limitations of command and control approaches to change management. Behaviour is altered experience. The power of the corporate security function is now directly proportionate to the quality of its relationships, not the depth of its content knowledge.
- They understand that their role is to help the company to take risks rather than eliminate them, and to have contingencies in place to minimise damage when things go wrong. Risk-taking is essential to successful business and corporate security departments must not behave as security purists whose work detracts from, rather than contributes towards, the company’s goals.
- They embrace and contribute towards their company’s key business concerns, and as a result are expanding the security portfolio significantly. Corporate security departments now have responsibilities in areas such as corporate governance, information assurance, business continuity, reputation management and crisis management, which is causing many to question the relevance of the term ‘security’ to describe what they do. The term resilience now more accurately reflects the range of their responsibilities.
- They draw a clear distinction between the strategic and operational aspects of security management, and have created group corporate security departments to lead on strategy, leaving operational work to be carried out by business units. They all have a clear philosophy to guide their approach to security, which provides direction for non-security professionals, makes it easier to communicate across the company, sell itself to the board, and be credible alongside other functions.
- Finally, and most important symbolically, the corporate security departments that are leading the way have abandoned old assumptions about where their power and legitimacy come from. Their position does not rest on that which makes them different – their content knowledge – but on business acumen, people skills, only by convincing, persuading, influencing and explaining why a new way of working is in each person’s interest. This requires departments to work through trusted social networks, which places greater emphasis on people, management and social skills than security management ability and communication expertise. In other words, they have to compete on the same terms as every other function in the company. This is leading many organisations to place greater emphasis on these skills than on a security background and some have people working on security who don’t have any security experience at all.
The authors go into great detail on each of these points in the course of the 109-page report. I found their argument in Chapter 10 in favor of greater diversity in the backgrounds and skill sets of security executives to be especially compelling: senior-level security managers need to be drawn from broader sources than the traditional ones, i.e. former law enforcement, military, and intelligence officials. They argue that security officials need strong business skills, the capability to operate across a flat and/or matrixed organization, and comfort with the trade-offs inherent in risk management – all skills which are not necessarily found in sufficient depth within the traditional talent pools.
For more on this subject, check out the new Conference Board report entitled “Navigating Risk: The Business Case for Security” (I’ll be writing about it within the next few days).