In Part 1 we focused on identifying some of the key elements that were hopefully useful to understand what security strategy formulation should look like. Now it is time for action! Welcome to Part 2.
Have you ever wondered what the term “operations” really means? Seriously, before posting that “strategy and operations” role, for example, have you ever reflected on the terms and on how operations actually manifests within your own team or organisation? Let me help. An easy way to describe what operations entail is to picture yourself as a grocery store owner and think of all the actions you and your team might have to undertake on any given day. You may want to order produce, check in with your suppliers, audit your inventory, restock items, clean the store, have staff at the registers, etc. There is probably a good set of activities that, like a good jet-fighter pilot, you methodically check and periodically do to ensure your jet is ready to fly. You may also have specific procedures such as sanitation standards and licensing requirements or regulations that you have to follow. There may be specific protocols that you have developed, such as checking how much cash you have at the registers or the optimal temperature for the meat refrigerators. It is indeed this set of day-to-day activities that keeps your business or organisation running, what, in business terms, we know as operations.
In the security industry “security operations” is what you do routinely to keep people, property and information safe, preventing bad things from happening and mitigating risk. Operations could also be defined as all the things that, if you were to stop doing them, would greatly impact your organisation (or security company if you own one), right? Performing all these activities consistently and perhaps better than the competition, is what is referred to as, in business lingo, operational excellence (OE). Operations represents the largest percentage of what your team or company does and, in short, is what’s keeping your business afloat.
You may or may not agree, but I kept crisis management off the operations list. The main reason why I think crisis management is different is because of its uniqueness. Some portions of the process (response and recovery, for example), its cross-functional nature and the short-duration aspect of it put crisis management in the category of non-routine events. We could argue that it is indeed the risk mitigation processes and teams that perform that kind of work that may be part of your routine day-to-day operations, but not the management of a crisis per-se. However, you would likely agree that responding to a non-routine and short-duration crisis is an outlier event and not part of your daily duties.
What is interesting is that, more and more, safety, security and resilience organisations are being asked to perform highly complex tasks and that these functions are being permanently (not sporadically) added to your list. Think about this – if your executive protection division has an aviation component, flying planes will now become a routine event and therefore part of your day-to-day operations, right? Operational diversification always has a learning component. This often leads to senior security executives having increasingly more complex organisations to manage. That also means that, over time, your organisation will be required to develop or acquire specialised knowledge and expertise to meet new demands. Similar to what’s happening in the geopolitical landscape, most challenges in our industry are becoming asymmetrical in scope and nature therefore changing what we know as day-to-day operations.
This very notion of a rapidly changing org ecosystem actually contradicts the idea of what most people in our industry envision as a “mature security organisation”. Having a GSOC, an investigations team, intelligence capabilities, etc. have almost become the honey-do-list on how CSO success is gauged. Oddly enough it has also become the way in which security leaders show tangible returns on their investments. We tend to think of org maturity in a linear and static fashion, which may prevent true innovation and future-looking capacity building from happening in the first place. Somehow, we have stopped thinking logically on how we add value to the company and how that naturally changes over time. While this approach may have worked in the past, that rigidity also leads to large, slow-moving divisional structures that will be inefficient at addressing complex, dynamic and localised crises.
I look at operations and org design a bit differently. I like to think that new, never-seen-before, challenges often lead to a state of constant organisational immaturity, which is not necessarily a bad thing. In the same way generative adversarial networks (GAN) learn from one another, organisations will also have to learn, regenerate and reinvent themselves regularly. Intelligence teams that once monitored security threats may have to develop capabilities to analyse pandemics, migrations trends or other more targeted threats. Large divisional teams and never-ending contracts may soon become obsolete. The project economy will be followed by highly specialised teams and localised organisations in which ad-hoc and on-demand services will reshape what we understand as day-to-day operations.
Similar to how the use of special operations teams, as well as short duration surgical military operations and irregular warfare have re-shaped armed conflicts, the security warfare landscape has also changed. Service providers will have to adapt to a new era in which lean, agile and diverse teams, as well as plug-and-play services may become the norm. In the next episode we will explore the future of team architecture and the role of generalists. Stay tuned for Part 3.
By Ricardo Segovia, Global Security and Resiliency Manager at Google
Bio: Ricardo Segovia is a Global Security and Resiliency Manager at Google. He is based in the San Francisco Bay Area and completed his graduate education at the Middlebury Institute of International Studies, Naval Postgraduate School and the Stanford Graduate School of Business. He writes about innovation, strategy, crisis management and security.
You can connect with Ricardo on LinkedIn here
Disclaimer: The analysis, views and opinions expressed in this publication are those of the author and they do not necessarily purport to reflect the opinions or views of Alphabet Inc. or its entities.