How security demonstrates return on investment has long been a key question for the profession and one that security professionals have been discussing for decades. Despite these discussions it isn’t clear that security teams consistently manage to be viewed as an essential function by business leaders: security is too often viewed as a cost-centre, executives don’t understand what we do, security practitioners don’t communicate effectively – the causes are legion.
However, the evolving operating environment that many businesses are now dealing with – even without the profound change that COVID-19 has driven – creates opportunities for security professionals that bring an enterprise approach to their role.
To add value, think strategic
A 2011 article in the Harvard Business Review entitled “Why HR Really Does Add Value” identified that on the projects where Human Resources professionals had been able to demonstrate the most value to the business, “the work was strategic in nature and created a structure that allowed the business to succeed”.
With that in mind, to add significant value to a business, security professionals must be able to support and enable the execution of the strategy of the business. This requires security professionals to know and understand the strategic objectives of the business and to understand how they can enable this.
In a 14 April 2020 article in Bloomberg titled “Risk Manager Is Suddenly a Hot Job”, Jonathan Bernstein talked about the role of a risk manager being “complex and demands a wide range of skills”. The article described how Chief Risk Officers need the analytical mind to evaluate everything from supply chains to staffing; the ability to maintain many relationships; the power of persuasion to sway fellow executives; the communication savvy to handle a crisis; and financial literacy. All this while answering to the government regulators and investors. Bernstein describes the role as being about managing “wars you didn’t start, which will require immense resources to win, with domino-like consequence that contain a whole list of potential sub-crises”.
However, the same could be said for security risk managers too.
How do we think about security?
Security professionals serve their client – so they must know what that client wants and help them make that happen. They must understand the business objectives, the long-term vision, the strategic plans. Security leaders understand risk tolerance – how much risk is the client willing to take to achieve these objectives. Without that information you cannot build an effective security programme.
Good security isn’t about securing everything; it’s about knowing what needs to be secured at given times and focusing at other times on advising, on facilitating, on reassuring.
Security must appreciate risk and opportunity and understand that enabling the business is about ensuring the client is in the position to mitigate risk and maximise opportunity.
Can we aspire to Perfect Security?
Is it possible to create Perfect Security? Typically, we say not, but that’s based on an illusion that it is possible to create an environment where there are no incidents.
The definition of perfect is “having all the required or desirable elements, qualities, or characteristics; that something is as good as it is possible to be”. If we accept that there will always be security incidents, either deliberate or accidental, either malicious or not, then a perfect security programme is one that:
- Supports the business and is viewed as being valuable to the business objectives by leaders.
- Is robust, but also practical and scalable – it is friendly and discreet when it needs to be, but strong, clear and visible when it needs to be too.
- Is built on policies and procedures that are realistic, understood and updated when necessary.
- Has employees who are trained, informed and empowered.
- Gathers information that is timely and is communicated effectively to relevant stakeholders.
- Can react effectively, taking swift action to support the business’ most important assets and working to restore business as usual as safely as possible.
Security’s role as business enablers
Many security professionals would consider themselves to be subject matter experts within a specialised field that supports the business. However, it’s time for security professionals to focus on identifying as business leaders with an expertise, in the same way that legal, human resources and finance professionals within an organisation would. To be effective, security leaders must take a strategic approach to their roles.
Shifting to a strategic security approach isn’t something that can happen overnight. It is a constant process that requires the management of stakeholder expectations and communications, training and awareness, and may also require process redesign, job redesign and competency model development for the security function.
By James Morris, Head of Security Services EMEA at Aon Business Services