Several years ago, I led the Corporate Security team for a company that transformed its global business model to one focused principally on North America. During that transition, which proved very successful, I picked up a term from the CEO that I have used many times since then. In a conversation about the risks associated with expanding in any market – North America or otherwise – he referenced a “fit for purpose” security strategy.
The term resonated with me so much that it continues to be part of my security-related conversations with clients and counterparts. Why did it make such an impression on me? Because a well-thought-out and right-sized security program is one that enables the company’s growth by helping it take strategic risks. Such a program aligns security with the enterprise’s business strategy and decisions on matters involving strategic risk – such as whether or not to expand into developing or emerging markets.
What is a “Fit for Purpose” Security Program?
Security programs differ from sector to sector and across industries. A ‘fit for purpose’ program is one that is tailored to the specific needs of the organization – since no two are truly alike. A corporate security program that works well for a global consumer products company, or an entity in the financial or energy sectors, is not going to be appropriate for a manufacturing entity or a pharmaceutical firm. For example, an industrial or energy company may regularly send engineers into high-threat environments to repair a pumping station or pipelines – and require robust travel security and in-country security risk management – whereas the vast majority of financial services firms do not.
Many factors influence how an organization’s security program should be designed. First and foremost is the broader risk, threat and vulnerability environment. Next is the entity’s business strategy, including its appetite for risk and its expectations for revenue and margin. Also critical to the calculus are factors such as company and team structure, including whether it is centralized or decentralized; competitive practices; ethics and international compliance issues; and many others.
Savvy security leaders can better mitigate risks by developing relationships and collaborating with business unit stakeholders to understand and assess their needs, goals and business objectives as an integrated team. In our work, we often help security teams visualize this through a risk assessment process model. This approach assesses possible risks, identifies how to mitigate those risks and incorporates cost-benefit analyses so organizations can develop security strategies that support business growth.
Think beyond “Gates, Guards and Guns”
It can be easy to allocate security budget to hardware. At a recent conference, our security risk management experts scheduled meetings with several corporate security teams who were looking for tangible security resources – crowd management tools, safety products and the like. Yet, as we engaged in conversation, it became clear that while the teams realized their security strategy is about more than hardware, they found it difficult to get funding for professional assessments and recommendations that could help them actually develop tailored security strategies.
To protect your company’s people and performance while becoming a business enabler, you have to change the perception of risks to the company and help your decision-makers understand security’s value. That requires taking a holistic, integrated approach to strategy and structure as well as people, process and technology. By embracing this imperative – and shifting executives’ mindsets from gates, guards and guns – you and your security team will become valuable and relevant to the business.
5 Steps to Help Internal Stakeholders View Security as a Business Enabler
To position security as a business enabler, start with changing perceptions – and re-evaluating the role of your security team. Here are a few key actions you can take to get started.
- Identify the right risks, not only to your people and business assets, but to the company or business unit and its objectives. Prioritize and fully understand the risks and your options associated with risk mitigation, transfer, acceptance and tolerance. If you work for a publicly traded company, another way to better understand the risks is to read the Annual Report and examine the 10-K statement’s section on risks.
- Develop strategic partnerships with key business unit and organizational leaders. Put yourself in their seat and seek to understand how they view risks. Continue to learn the company’s business objectives and goals or issues by getting yourself invited to the business unit’s strategy or planning meetings.
- Take a collaborative approach: listen to others’ ideas or ask for assistance through internal and external channels. Be open-minded; collaboration is key to success and to developing a new approach and mindset.
- Research, develop and implement cost-efficient means to overcome or mitigate risks with a proven, preventative methodology or strategy. Think agility and scalability in developing programs capable of responding to the changing business environment.
- Continuous improvement. What worked well, what did not? How can you improve the program, process or the implementation? Reassess and adapt.
Some of the most rewarding work we’ve done has been helping organizations shift their view of security – from cost center to business enabler. What can you achieve if you do the same?