Last Friday, I touched on the three strategic objectives that a new Chief Security Officer (CSO) or Director of Security confronts when he or she is recruited by a large enterprise to “fix, build and grow” an integrated security program that is currently in shambles – e.g., weak, nonexistent, poorly integrated across operations, decentralized after a series of M&A transactions, or simply in disarray. Think about how different these priorities are from those faced by new CSOs who inherit a fully established, mature security function.
Profile: Where These New CSOs Come From
Stepping into the spotlight solo can be a daunting experience. In many cases, these new CSOs are recruited or promoted from one of two arenas, each with its own professional network.
- Government leaders entering the private sector: Some have earned exceptional credentials in public service for more than two decades – and are starting a second phase of their career in the private sector after retiring from U.S. federal agencies such as the Secret Service, FBI, DHS, ATF, DEA or State Department. But they’re not bringing with them the teams, systems and methodologies that supported them in their prior position.
- Mid-level, in-house executives “on the way up”: Other newly minted CSOs have either worked their way up the corporate ladder and have finally won the right to stand, sweat and deliver at the center of management’s security spotlight or have otherwise earned the trust and confidence of the executive suite in other roles (e.g., HR; Risk Management; Compliance; Environmental, Health & Safety). But they’ve never sat in the CSO’s hot seat before.
Day One Challenge: What to Do First
The single most important objective is to get a “big picture” view first. This should be a rigorous, comprehensive and detailed baseline that identifies:
- Your business’s requirements and the expectations for your security program;
- The principal risks, threats and vulnerabilities confronting the enterprise’s people, property, performance and reputation;
- Your current strengths and weaknesses across the five drivers of security program excellence – strategy, structure, people, process and technology; and
- The most urgent, critical or attractive opportunities to address these requirements, integrate and align current capabilities, and advance the security program over time – and the best practices and counter-measures to do so.
Outside Perspective: Why an Independent Review Is So Valuable
Some new CSOs attempt to undertake such an assessment by themselves. We think it’s critical, however, that this review be conducted by an independent team. Here’s why:
1. A team of specialists brings multi-disciplinary expertise to bear. Even a highly qualified, senior in-house CSO cannot match the combined depth and breadth of experience and domain expertise that a multi-member, outsourced team of security, investigative and emergency preparedness experts brings to the table.
2. External advisors have their finger on the pulse of industry best practices. Since an advisory team is constantly reviewing and counseling other enterprises, it is continuously exposed to the latest security best practices under development in companies across industries – and can bring this expertise to the assessment.
3. Neutrality is crucial. The objectivity of the assessment and its key findings needs to be viewed as beyond question by all relevant internal constituencies, many of which have overlapping jurisdictions and sometimes contradictory agendas.
4. Outside experts may uncover more. Internal conflicts and resistance can often be more easily identified by external third parties. Sometimes internal issues – especially those involving sensitive or politically charged matters – are best captured by an independent assessor free from any association with past actions, events or people.
5. Changes that may be painful to some are sometimes best recommended by outside experts. This leaves room for the CSO and his or her team to “test run” these recommendations with executive peers or the broader workforce while maintaining an arm’s-length distance from topics that may be divisive.
What’s the second step the new CSO should take? Translate these findings into a concrete security strategy blueprint.