Getting The CEO's Attention

• By Joseph P. Freeman
• Jul 23, 2007

One of the most difficult challenges for today’s security users is getting senior management to pay attention to the serious issues affecting the continuity of a well-managed enterprise.

Anyone with physical security experience knows that the challenge of attention-getting is now more serious than ever. Management was once comfortable with guard services patrolling a facility’s sensitive areas after closing time, and since everyone else was trusted, that was the security program. Meanwhile, PCs, modems, routers, servers, coax and fiber became powerful information conductors in the organization, and management invested lots of money in IT resources without too much immediate concern for security of the “sensitive” areas they had created in the virtual world.

As the trust factor declined, knowing who was where, accessing what asset, looking at what information, became more difficult to determine. Yet all the while, the security management function continued to be a little like the sales chart -- unless the trend line turned down, management paid little attention. So how do we capture management’s interest in something that protects life, assets and even cash, yet is so difficult to evaluate that it draws little interest?

Here are some tips for the chief security officer to consider—especially when it’s time to invest corporate funds in program upgrades.

Compliance

There are lots of regulations to deal with today, from state and local mandates to the Securities and Exchange Commission (SEC) and Sarbanes-Oxley. If the security budget needs new funding to comply with new “regs,” the CSO should call for a meeting to inform the corporate finance committee of the investment requirements. The message here is that compliance is not an option. It protects the firm against legal as well as physical attack.

Accurate Risk Assessment

Risk assessment is not an exact science. Nevertheless, it affects the premiums that organizations pay to their insurance carriers. Yet communication between CSOs and insurance carriers is often limited. If CSOs are brought into the risk assessment process, there could be significant savings in more coordination between the presence of threats and the methods of countering them.

IT Use

Management often overlooks the security department as a major user of company information technology. Yet today it can be clearly documented that strategic integration of security and IT can produce significant savings in security department operating costs while simultaneously raising enterprise protection levels. After all, wasn’t productivity the whole spending rationale for the IT department? Security is not just guards and mechanical locks any more.

The CSO needs to show management a technology plan with budget requirements in order to secure the funding for a highly productive technologybased enterprise security process.

Enterprise "Sensitivity"

Banks, insurance companies, chip manufacturers, nuclear power stations, defense suppliers and the like have traditionally been regarded as “sensitive” enterprises with particularly strong security programs and welltrained CSOs. But 9/11, wars in Iraq and Afghanistan, insecure southern borders, unprotected seaports and a generally more nervous world now make everything “sensitive.” As a matter of good governance, every CSO should be sending regular reports throughout the organization about new risks and the importance of extra care in dealing with “sensitive” assets like controls, databases and protected information. Managed well, security should not be secret and totally invisible, but routinely reinforced to remain in every employee’s mind.

Employee Awareness And Participation

Every employee has a stake in a productive firm and a safe working environment. How about a short, friendly security awareness bulletin sent by email once a month? During World War II, President Franklin Roosevelt had signs installed in front of every post office in America. Slogans like “Loose lips sink ships” reminded the citizens that information has value. It might not be the CSO’s most polished professional discipline, but the employee communications department can help. In addition to getting employees on board the security program, it would also create management awareness and very possibly pave the way for a requested meeting.

Productivity And Cost Control

Two of the most magical words to senior managers are cost reduction. Jack Welch produced earnings increases of 5 percent for years largely through cost reductions. Departments in all enterprises are annually asked to recommend cost reductions to improve corporate productivity and earnings.

The security department now has a big one available in the form of security/IT convergence. It’s more involved than people think, and the fastest way to understand it is through a membership in the Open Security Exchange. OSE resources can help CSOs create a comprehensive management presentation for funding to modernize a firm’s security program while showing how costs can be reduced. The savings are significant, so a grasp of return on investment (ROI), technology and teamwork with IT managers are musts before asking for the meeting.

Life Safety And Asset Protection

Security and protection will be more vital as growth in the global marketplace is accompanied by new international tensions. If management doesn’t understand the subject, help them gently along.While it’s true that security contributes nothing to sales, it does prevent possible interruptions to sales. And it definitely contributes to earnings when all the technologies now available are used in conjunction with good security management practices. Your work is no less important than the human resources, legal and facility departments.

Getting face time with senior management can be difficult when the subject is poorly understood and regarded as unexciting. Many senior managers fail to see how a sound security business process can contribute to shareholder value—until its protective design is clearly juxtaposed with the rising risk premium that every enterprise in the industrialized world now pays for asset replacement and legal vulnerability.

Your claim on management time can address all or any of the topics above. Threats are present 24/7/365, employee awareness is important and management should know how you protect them and what they can do to help you stay current, if not on the cutting edge. On Wall Street they say “buy on the rumor and sell on the news.”You may have to buy the meeting by publicizing new threats in order to sell the funding for new protections. However you do it, getting that meeting is a major responsibility.