Exclusive: Formulating a security strategy – Part 1

I’ve decided to write a series of three articles to share some thoughts and ideas around strategy, operations and team architecture in the security industry. Strategy and operations are sector agnostic and I am deliberately using the term “security industry” as a generalisation. I should begin by saying that the amount of literature out there is monumental. There are thousands of publications and opinion pieces on these topics. To give an example, a quick search on Amazon.com for “business strategy book” will show over 50,000 results! And I admit, I own quite a few of those. Now, a really interesting finding is that, when I typed “security strategy book” in the search box I found one, yes only one semi-relevant book that looked more like an operational manual on corporate physical security best practices. Most of the existing security-related literature examines strategy and strategic management in the context of cyber or national security.

In previous articles I’ve argued that, with some exceptions, when it comes to innovation our industry is fairly archaic and if we want to see a true disruption and effectively tackle complex challenges, we may require a refreshed mindset. One of the elements that could be contributing to this lack of innovation might be our relationship – or lack thereof – with strategy and operations. I will use analogies and informal examples that I hope will help to soften the topics. The first article in this three-part series is an attempt to share some thoughts around strategy and strategy formation that may help future security leaders challenge their own assumptions and digest the content differently. The second and third articles will forecast operations and will argue that a project economy and future crises will require highly customisable security, risk and crisis management architectures in which generalists and functional teams will likely retake the front seat.

I hope you enjoy them.

Episode 1: On Strategy

Like many other parents out there, I have a morning routine that usually includes preparing bottles, changing diapers, school drop-offs and making beds to military perfection. I would usually pour myself a cup of coffee, walk outside to greet my daughter’s four hens, Pepina, Selena, Lucy and Ruby. This last part might be accompanied by a “good morning ladies, here you go!” as I sprinkle feed around the coop like a dictator giving cash away from my presidential balcony. That is exactly how I think the word “strategy” or “being strategic” is used by some. Like a treat or a decorative item to draw attention to a project or idea or, like Richard Rumelt says, a verbal tic. Big job titles, illusory superiority and little knowledge regarding strategy formulation has often led to the accidental discharge of these terms. Similar to COVID-19, the strategy disease is highly transmissible and there are many variants out there that continue to spread as you read.

Lesson #1: Be on the lookout for strategy deepfakes.

The sad truth is that convincing people to support an idea is not all that hard. A PowerPoint presentation by the popular boss titled “the next big and cool strategic thing” will almost certainly draw the attention from a group of zombies that, without any rigorous analysis whatsoever, will be quickly hypnotized and nod their heads at the idea. This effect is particularly prominent in highly hierarchical and hermetic organisations (think cults) in which a blind obedience to authority is the group’s norm. You don’t have to read Philip Zimbardo or Stanley Milgram to believe what I say. Open Tik-Tok and watch the Dancing Trucker and you’ll quickly realise that, in order to gain popularity and to have people embrace an idea, a smartphone, black sleeveless shirt and lots of personality may just do the trick. Another important aspect to keep in mind is that the social context in which strategies are presented may affect the degree to which an idea is challenged, or not. Research in social psychology has shown that, in closed and isolated groups, for example, group dynamics will take over and members are less likely to challenge the leader. A work environment may have variations of these biases that can manifest in a very subtle, almost undetectable manner. However, this is actually dangerous territory that could lead to unwanted behaviour and we have seen plenty of examples in which good people in our industry have made bad or unethical decisions, right? But that’s a topic for another article.

Lesson #2: When the boss says strategy, you say?! Hold my beer, let me think.

Too many choices and over-complication of ideas may also contribute to the confusion. Have you ever walked into a store to pick up white paint for your next home project? You were likely met by a giant colour chart and choices like: Incredible White, Swiss Cream, Ivory Palace, Origami White, Pearly White, Polar Bear, Moderate White, etc. That’s what sometimes happens when, for some reason, all projects in your organisation are being called “strategies”, which makes it difficult to decide which is which. There have been many studies on biases in decision-making but the Jam Experiment conducted in the year 2000 tested the very idea around choices. Researchers concluded that “too many choices can paralyse consumers” and that, when it comes to options and decision-making, less is more. We need to remember that corporate strategy and business strategy are two different things. Unless you own a security shop, most security, safety and resilience organisations sit on the service-level layer under a larger corporation. Our strategies (business) must be aligned with a much larger strategy (corporate) that is unique to your company and its market. Therefore, as Harvard’s Michael Porter argues, “being the best” at x or y is not a strategy.

Lesson #3: When it comes to strategy, less is more. Strategies are simple and always unique to your organisation. 

Young security leaders may also believe that strategy creation is a formal top-down process. We may picture strategy formation like the situation room: A very large table, clocks on the wall and so-called super managers wearing fancy suits, flanked by a stack of binders, chatting one by one. I see strategy formation as a discovery process in a controlled chaos in which logic, creativity, openness, feedback, participation and rapid iteration are the rules of engagement. In business settings it is indeed not uncommon to see people with good intent inadvertently injecting unnecessary biases, including ambient bias, that make things look more confusing. In service organisations like security and resilience teams, experiencing strategy formulation through human-centred design (i.e. Design Thinking, Agile, etc.) could be a game changer. So, if we know all this, why do we keep having closed meetings and calling a re-org wild names like “strategic framework for future organisational posture” when, in actuality, the strategy might not be the re-org itself but how that adjustment uncovers something and creates a uniquely desirable organisation that leads to superior performance and a sustainable advantage? My theory is quite simple: I think most security leaders mean well. However, most of us have operational backgrounds and an innate tendency to blend operations and strategy.

Lesson #4: Strategy formation doesn’t have to feel like a VIP gala in Monte Carlo. It’s not Lake Havasu on Spring Break either.

These topics are complex and I have a profound admiration for those who make a living teaching, writing and thinking strategy. I am none of those, but I believe that there is always room to take some risks, innovate and fill gaps to better our relationship with strategy and the process of strategy formation. In an interconnected world, business leaders are already dealing with highly complex environmental, man-made and virtual events that directly or indirectly impact their organisations. Crises will only become more acute and will require simple, innovative and effective approaches to strategy and operations to include hyper-agile team architectures. The one thing that, without exception, all safety, security and resilience organisations have that set us apart from everyone else is the ennobling purpose of keeping people safe and helping organisations mitigate, respond and recover from crises. I’ve heard numerous times “we don’t generate any revenue for the company, it’s all expenses” To that I say, whether you are a company or a business unit within a company, focus on the purpose and sole reason you exist. The commitment we’ve undertaken to protect human beings is our stake in the ground and our strongest pillar. How we execute a strategy and inject it in our day-to-day routines is the role of operations. Stay tuned for Part 2.

By Ricardo Segovia, Global Security and Resiliency Manager at Google

Bio: Ricardo Segovia is a Global Security and Resiliency Manager at Google. He is based in the San Francisco Bay Area and completed his graduate education at the Middlebury Institute of International Studies, Naval Postgraduate School and the Stanford Graduate School of Business. He writes about innovation, strategy, crisis management and security.

You can connect with Ricardo on LinkedIn here

Disclaimer: The analysis, views and opinions expressed in this publication are those of the author and they do not necessarily purport to reflect the opinions or views of Alphabet Inc. or its entities.