One of our core pools of clients is the new Chief Security Officer (CSO) – such as a senior leader fresh from the ranks of government who has been engaged by a major corporation to build an enterprise-level security program from scratch or fix a broken one.

I’m not talking about the CSOs who oversee fully developed, large-budget, international corporate security programs – although we serve them as well. I’m referring to the CSO who is recruited precisely because the corporation’s security program is weak, nonexistent, poorly integrated across operations, tasked with aligning security in the wake of a series of M&A transactions, or simply in disarray.

It’s a tremendous responsibility and an awfully difficult job – particularly when the mandate for change does not include critical drivers of long-term program success. Like a strong board or executive championship. A stable source of long-term funding. An appropriate level of authority on the corporate organizational chart. A clear reporting channel to the right executive leader. An established structure and resources. Just having one or two of these drivers in place isn’t even close to sufficient; you need all of them – like strong and steady gusts of wind at your back.

Imagine the job, on the first day. Imagine the enormousness of the task as you stand at the door of your office for the first time. As we know from direct experience and as we hear, day in and day out, from these new CSOs we support – the mission is expansive:

1. Build and expand a newly emerging global security program – as effectively and efficiently as possible;

2. Protect a wide range of people, property, performance and reputation – at a strategic enterprise level, in terms of business support and global integration; and,

3. Deliver stable and sustainable positive security outcomes in constantly changing business operating environments – ones characterized by increasingly high and complex sets of risks.

What do you do first?  I’ve been asked this question countless times.  And I’ve never varied my answer.  First, determine your baseline – by conducting a comprehensive assessment of your security operations, capabilities, resources and requirements.  Then, second, use these findings to build a global security strategy.