Security professionals who have worked to establish their voice and define their organizational role must then answer an important question: “Once you have a seat at the table, what’s next?”
In a previous article, Being Heard Above the Herd, we talked about the critical importance of finding your voice and making yourself heard by defining your role before the culture defines it for you — something that is all too often overlooked in the security business. However, once corporate security directors and other security professionals have found that voice and defined their role, the question becomes what do you do with that voice? Because once you have learned how to “navigate the corporate terrain,” the next step is to leverage your voice and your platform to translate that foundational influence into meaningful action by designing and executing an effective strategic security plan.
From priorities and procedures to pitfalls and possibilities, here is how you translate influence into impact and answer those critical questions that arise once you have a seat at the table: What now? and What’s next?
Why use specific and clear language in security policies and strategies
One of the most common pitfalls we see with security leaders is relying on language that is overly broad and ambiguous. Articulating not just policies, but procedural specifics and clearly defining your own role, as well as the role of a coordinated cross-functional security program, is arduous and even tedious work, but it’s an essential prerequisite for any security strategy. Without putting everything in writing, you won’t have the necessary precision — particularly around process ownership and cross-functional responsibilities.
For example, an investigation into potential financial malfeasance is likely going to involve auditing, HR, and legal personnel at a minimum. A disgruntled employee threatening executives necessarily impacts employee relations and legal and comes with potential IPO implications and communication/PR challenges. Almost any full-blown investigation impacts many internal cross-functional teams. Defining how those teams work together and what their roles and responsibilities look like is an essential piece of the security puzzle. Lack of such specificity often leads to misunderstandings, turf wars, and ultimately poor performance in critical situations that could impact the organization’s brand.
Specificity is equally important in defining not just the basic structure of a cross-functional security apparatus, but some of the key elements of your work. One of the most fundamental tasks of a corporate security professional, for example, is to astutely define what constitutes an investigation — and on what grounds an investigation should be launched.
Corporate investigations are manifestly not something that should be launched because of rumor or personal animosity. You must have corroborated and substantive information that could serve as the basis for elevating a casual inquiry into a formal investigation. Initiating an investigation based on wild allegations risks expending organizational resources and potentially besmirching someone’s reputation, not to mention the negative impact on those managing the investigation itself.
Centralization vs. decentralization in security functions
Another area that demands clarity and precision is determining which elements of the security function are centralized and which are decentralized. While centralization is important from a coordination and control standpoint, sometimes decentralization is a good thing. If an organization has hundreds of facilities, a security coordinator doesn’t want to deal with every 3:00 a.m. false alarm. What they should do is specify KPIs for a guard company and rely on facilities personnel to execute guard management in the context of those KPIs and in collaboration with purchasing and related functions.
Defining the scope of your own role in a decentralized organization is obviously critical. That starts with delineating the differences between different categories of incidents that may occur. A facility emergency, a regional emergency, and a true corporate crisis are all very different situations that require very different responses.
Don’t just think through all of this — articulate it, record it, and communicate it.
It is somewhat alarming that a large number of very mature, very well-known and well-respected organizations do not have these definitions in place. Almost inevitably, what they have instead is a constellation of disparate security elements or programs that aren’t integrated or cohesive with each other. That is dangerous, because even when a security issue is addressed, critical steps can be missed. If an employee is fired for accessing or mishandling sensitive information before IT can gather evidence and the full scope of any intellectual property concerns is addressed, that’s a problem. And that is precisely the kind of dilemma that you are liable to run into when you do not have clear delineation of well-defined programmatic structures, process ownership, and roles and responsibilities.
Developing a comprehensive security strategy
It is impossible to design an effective security strategy without critical context. Experienced security leaders understand that they need to analyze the industry, analyze the organization (including its history and its risk profile), and speak to contemporaries and targeted operations leaders about their own perspective on risks and liabilities.
Once you have done that research, gathered that input, and performed that analysis, put it in writing. Outline the environment, the risks, and the proposed mitigations and parameters of programmatic delivery. With that well-articulated and comprehensive security strategy in place, make sure you get both feedback and buy-in. Send a copy to everyone who participated and ask for review and feedback. A stamp of approval from the pertinent parties gives you a validated process to elevate to the C-suite for review and ultimately lays the groundwork for sound programs, investigations, and security training going forward.
Researching, constructing, collaborating, seeking input, and developing a final written product that will go to an executive committee or board not only presents a much more detailed explanation of universally understood policy goals and procedural details, but it also provides security professionals with a documented asset to shape future engagement. Against the backdrop of what can be a complex and often contentious corporate org chart of fiefdoms and individual priorities and perspectives, the ability to point to an approved strategy is likely to be an invaluable asset.
The value of a proactive approach to security
So many corporate security missteps boil down to a fundamental flaw: failing to define the security function and the corresponding security processes with precision. One common symptom of skipping that upfront work is a reactive security posture, with personnel scrambling from incident to incident, resolving each situation but subsequently missing out on the learning, coordination, and cross-functional collaboration that would describe risks and inform a proactive security strategy. It’s always easier in the moment to put out small fires than to engage in comprehensive fire prevention and fire safety education.
Pushing a proactive — instead of reactive — approach should be part of every security engagement. Organizations generally will not hesitate to bring in security support if a crisis is imminent or underway. The best providers not only deliver assistance and counsel in that moment but also articulate the value of a more comprehensive review of a client’s policies and procedures before a crisis occurs. The resulting gap analysis — recommending where an organization should be relative to where it is today — can form the basis of an effective strategic security plan. The job of the security professional is to convey to current or future partners that they do not and should not have to wait until there is a true crisis to get that process underway.
The role of advocacy in developing a comprehensive security strategy
One of the reasons that the COVID pandemic caught so many organizations unprepared and scrambling is simple human nature. It is a quintessential human flaw to think that a crisis will not happen — a misconception that, frustratingly, can even become more pronounced in the wake of a crisis. The “we were unlucky once, what are the odds something like that happens again?” mindset is pernicious and dangerous. For security experts, this touches upon one of the core ironies that complicates their work: The better they do their job, the less likely their corporate partner is to think that they need their services.
Which is why the final ingredient in developing, refining, and sustaining a proactive and comprehensive security strategy is to be a vocal, convincing, and compelling advocate for necessary change. Overcoming ingrained organizational lethargy and security inertia often means being the irritant that ultimately develops into the pearl of a good crisis management program.