I call this the “Kool-Aid” syndrome. You don’t want to drink too much of your own stuff. But as a security advisor to business leaders, I’ve seen it happen often. After all, as a recent Deloitte report pointed out, many of the world’s most prominent enterprises have endured major market losses over the last 10 years – “often [as] a result of the failure to predict, hedge and manage various risks.”
Executives regularly engage independent counsel on issues such as legal matters, compliance and tax advisory issues. But what about security risk management? Many rely too extensively on their in-house team to protect their workforce and executives, physical assets and key operations. Then, when a crisis occurs outside their bandwidth, they put in an emergency call to outside security experts – and end up spending far more than prevention would have cost in the first place.
7 Ways an Independent Security Advisor Brings Value
Where a trusted outside party brings the most value depends on the business’ priorities. In my experience, these are the most common:
- Insight: Expands the pool of experience and expertise of the decision-making circle, often because the security advisor can share best practices engaged in other corporations.
- Productivity: A faster, focused approach to a decision is more efficient for everyone.
- Agility: Sometimes problems can’t wait for the ideal occupants to fill the seats around the table. Identify the right security advisor early. Have them in place.
- Discovery: The outside view may uncover some undiscovered challenges.
- Prevention: An outside advisor can be a critical resource in helping drive a prevention-based approach to security risk management – via strategy, planning and metrics.
- Multiplier: Trusted partners become an immediate force multiplier that enhance response capabilities, especially for rapidly evolving, escalating events.
- Assurance: Independent validation of approach and expected outcomes can often avoid indecision and dilute internal resistance.
Connections or Partnerships?
There is a distinct difference between having a book of contacts and developing security partners. A cold contact doesn’t know your business, or your priorities, or the many touchpoints across your global operations which need the most critical business support from security. Building that insight takes time. As CEO Arnette Heintze points out in his blog “Trusted Security Advisor: An Inside Look at a Noble and Honorable Relationship”, your security advisor needs to understand you and your business before a crisis erupts. And you need to develop trust in their perspective and insights, well before the Kool-Aid pitcher cracks.