C-level business leaders are demanding that security departments pull their weight and contribute business value to their companies. But most security directors are failing to get with the program, as they continue to tinker with core security activities such as access control, guard staffs or services.
Support for this warning comes from a recent report by New York City-based The Conference Board, a business research group best known for calculating the leading economic indicators and the consumer confidence index.
“Security directors appear to be politically isolated within their companies,” says Thomas Cavanagh, senior research associate in Global Corporate Citizenship for The Conference Board and the author of the report, sponsored by the Department of Homeland Security. “They face a challenging search for allies when they need to gain support from upper management for new security initiatives.”
“It is a bit disappointing that security remains a function that is mired in operations in the eyes of senior executives,” says Cavanagh. “But if security executives could successfully relate security initiatives to the competitive posture of the firm — for example, enhancing the appeal of the brand — they might be able to bolster the case for such initiatives as part of a long-range strategy, giving them more prominence in the thinking of the board and the firm's senior management,” he says.
In other words, integrating or aligning security functions in ways that promote long-term company strategies has entered the job description of a security director in today's business environment.
“No, that's not true,” says Robert Hayes, CSO and managing director of the CSO Executive Council, a professional association of senior security executives. “Security directors have always had all of these responsibilities. Company officials have for years been demanding that security departments help add value to their companies by giving more thought to the strategic needs of the business.”
But only a handful of security directors have figured out what this request really means, Hayes says. It does not require graduate schooling. But it does require that security directors think creatively about business vulnerabilities and risks that go beyond core security practices.
Security professionals look at the world differently than business executives. When a CEO asks a security professional to think more about the business, he or she is not asking for ways to make it more difficult to get into the facility. Instead, the CEO wants the security executive to apply his or her unique security point of view to business issues — to find the risks, propose programs that reduce the risks and build value for the company. Just like a marketing director who alerts the CEO to demographic trends, a security professional is likely to encounter government programs such as the federal government's Customs-Trade Partnership Against Terrorism (C-TPAT) before other company executives.
The program grants C-TPAT shipping status based on a list of requirements that include implementing security standards related to shipping products into the country. U.S. Customs has a high level of trust in companies with C-TPAT status, and rewards the trust with expedited treatment when moving goods through customs.
A security director who spotted C-TPAT when it first came out and got his company certified contributed value to the company by helping to cut shipping costs and times and by improving the company's competitive position. Then again, a security director who hears about such a program from the company CEO will probably get another lecture on the importance of adding value to the company. Security opportunities that improve a company's prospects change and evolve.
“Today's global trade makes an elaborate business mosaic, within which there are many vulnerabilities,” says Richard Lefler, a CSO Executive Council Emeritus faculty member and the former CSO with American Express. “Maybe you have dealt with your company's direct risks, but what about the strategic partners that are manufacturing or carrying your goods?”
A security director might suggest that contracts with third party manufacturers of products susceptible to counterfeiting should include the right for unannounced plant audits to ensure against the development of gray markets, Lefler says. For example, security directors from fashion retail product design firms will often check suspect markets around the world for knockoff products. Lefler also suggests studying techniques used by security directors in other industries and considering how they might apply to yours.
Today, Craig McQuate is a principal with The McQuate Group in North Andover, Mass. His background includes a decade as security director with Genuity Inc., a software application vendor based in Woburn, Mass. While at Genuity, McQuate was asked to recommend a drug testing policy. He recommended against it.
“It didn't make sense for their business,” he says. “We did a survey with human resources that looked for drug use trends in the business. Were absenteeism rates higher among some groups of employees than others? No. There were no incidents of suspected drug use reported. There were no cases of drugs even coming up in conversations with human resource managers. There were no signs of drug use in the workplace, such as employees using the parking lot next to the cafeteria during lunchtime and coming back in smelling like drugs.
“We also evaluated our hiring practices, which included background investigations, and finally, we talked to drug screening companies,” McQuate says. The cost would have been $25 per drug test. Company managers told McQuate that fewer than 5 percent of pre-employment drug screens come back positive. “Certainly testing included some deterrent value. As a security director, it seemed to me that drug testing was a good idea. But the business case simply didn't support it, so I recommended against it,” he says.
At his next job, with ModusLink Corp., a supply chain and warehousing company based in Waltham, Mass., McQuate offered a different opinion on drug testing. ModusLink had begun pre-employment drug testing shortly before McQuate arrived. His first assignment was to determine if it was a good idea. Taking a cue from his experience at Genuity, McQuate ran a survey and discovered that accidents on the floor of the company's 25 warehouses had been reduced since the program started. Reports of suspicions about drug use had also declined. “By looking at the business case for this company, you would come to an entirely different conclusion — that pre-employment drug testing is worth it,” he says.
Security directors should perceive their responsibilities in terms of managing strategic risks, says Lynn Mattice, vice president and chief security officer for Natick, Mass.-based Boston Scientific, Mattice insists that the responsibilities of corporate security go far beyond physical security and cover a range of topics and dynamics that affect a company. “What we do is manage risk,” says Mattice, who also serves on the Board of Advisors of the CSO Executive Council.
Boston Scientific is the world's largest manufacturer of a category of medical and surgical devices designed to be less invasive than traditional devices. Managing risk at Boston Scientific does not mean managing access control and CCTV systems. Instead, it means managing outsourced companies that install, maintain and monitor access control and CCTV systems.
“My entire staff is outsourced,” Mattice says. “Everything from access control, video, alarms, our programmers, investigators and physical security specialists — all are outsourced. I don't spend time doing tactical things. I work on strategy.”
For example, Boston Scientific typically delivers its products via air cargo. Mattice has always worried about what happens when an earthquake in California or a hurricane in Louisiana closes airports. Working with other senior executives, Mattice has figured out alternative delivery systems using ground transportation companies and even drawing on consignment inventories in hospitals located in regions with air transportation problems.
On Sept. 11, 2001, the federal government grounded air traffic everywhere in the country and caused economic dislocation throughout the commercial world. Boston Scientific, however, was delivering product on the ground within eight hours.
When Boston Scientific brought an innovative new stent to market, Mattice and other senior executives decided to deviate from conventional manufacturing business plans. “Typically, manufacturers centralize operations,” Mattice says. “One kind of manufacturing will be handled at one site. But with our stent, we didn't want to put all our eggs in one basket. So we built redundant manufacturing facilities in different parts of the world: one facility is in Ireland, and another is in Minneapolis. This way if something happens to one plant, we're not out of business.”
Mattice decides what risks to manage by conducting what he calls Process-Assets-Resources or PAR reviews that categorize every company process, asset and resource as critical, priority or desirable.
“Critical elements are those that you absolutely have to have to keep the business running,” Mattice says. “You can limp along without priority items for a short period, but you need to get those back up to operate at peak efficiency. Desirable items are nice, but you don't have to have them to run the business.”
A PAR review is one way to structure and define the responsibilities of a modern security department. At the very least, it promotes the kind of strategic risk management thinking with which Mattice has built his department at Boston Scientific.
In a way, the term security may have become a misnomer for the kind of risk management work expected of today's security managers and chief security officers. In the business world, however, it is not unusual for assignments to grow over time.
Eventually, the strategic thinkers will end up in the executive-level positions, probably with a new C-level title such as chief security officer — or something else. Will you be one of them?
The Conference Board report, titled “Navigating Risk: The Business Case for Security,” surveyed 213 senior corporate executives not directly responsible for security and risk issues. The survey aimed to gauge the influence (or political position) of security managers among senior executives by profiling the alignment of security activities with business objectives.
The most effective alignment was found on issues involving operational risks:
79% of the respondents said that security activities in their firms effectively aligned with the task of complying with government regulations;
74% said that security activities aligned with the process of protecting confidential information at their firms;
72% made the claim for meeting certification standards;
71% cited maintaining business continuity and ensuring customer safety;
60% of the executives said that security activities at their firms effectively aligned with limiting financial risks and defending against litigation.
On the other hand, the executives reported much lower levels of alignment between security activities and business activities related to long-range strategic company objectives.
56% of senior executives believe their company security operations aligned with the need to keep pace with competitors;
44% felt that security was helping enhance the value of the company brands;
36% saw a connection between security and supply chain management; and
35% perceived any security influence over new business opportunities.