Butchko Inc. had the opportunity to engage with approximately 100 executive leaders in security at The Next Generation Security Leader (NGSL) Program that preceded The Great Conversation in Seattle.
The NGSL, originally founded by the Security Executive Council (SEC), is one of the foremost CSO member communities. Over the last 10 years it has created a collective knowledge base of the emerging trends and best practices in the security industry. The Sage Group, a value transformation consulting company that has a focused practice in the security market, produces the event in conjunction with The Great Conversation.
We kept track of the lessons garnered from the forums to share with our partners and clients. The key insights fall into the following three areas:
- Program Guidance and Garnering Executive Support
- The “Army of One” CSO Office
- Organizational Resilience
Program Guidance and Garnering Executive Support
Increasingly, physical security has become part of a functional matrix which goes hand in hand with a flattening of the corporate structure. Successful strategies drive the ownership of risk back to the line of business, with the role of security as manager of a service related to those functions. The measures that are captured, as a result, can be tracked over time with the promise of alignment with the business, a more streamlined and efficient program model, and an increased ability to predict and proactively respond to risk.
This is a paradigm shift. We have managed by threats and loss in the past, not by value. Now we are looking for the core processes and assets in our field that make money for the organization and create a more adaptable and resilient organization.
This is manifested through JIT (Just-in-Time) personnel and asset management leveraging technology and outsourcing services. The service level agreements are based upon process or procedure Time to Value (T2V). To take advantage of this, you must know your processes well, and they must be documented and measurable or your outsourcing programs fail.
Key Points
- Find solutions that enable the business – if they don’t, rethink the direction of the solution
- Provide other organizations the tools and guidance so they can solve problems in a crisis rather than relying on security personnel as the knight in shining armor
- Justify programs and manage by value and vision, not by fear of loss
- Key question to answer for the program: How is the security organization removing risk and cost from the production areas of the business?
The “Army of One” CSO Office
Organizations are continuing to outsource many of the program elements of security. There is an increasing trend towards what the SEC termed “Army of One” organizations. The outsourcing seems to be targeting a perceived need for an increase in efficiencies (value delivered) linked strongly to the overall budget/cost of the program. Although budgets are not declining as steeply and may be recovering in some areas, the money is not going to employees but to contractors. This gives the office of the CSO the ability to staff to need and to value. It provides a more adaptable and flexible workforce as long as you have the right SLAs (Service Level Agreements) in place.
- Increasing trend towards One-Man Security Organizations (Army of One)
- Increased focus on managed outsourcing for security function execution
- Spending authority decrease
- Budgets coming back, but not FTEs
- Continued trend to matrix organizations – flattening of corporate structure
- Added responsibilities through acquisition or function – we live in a world of information glut (what info do I need?)
- MSAs and flexible staffing
- Managing the “Information Glut” is a key challenge
- Anticipation: Corporate contractions and acquisitions require nimbleness. Does finding a way to predict events add value?
- Successful strategies include driving risk ownership to the business and creating a service index and total cost of security
- Alignment of skill sets (mainly outsourced), program, and business objectives
Organizational Resilience
Not many security organizations or vendors serving these organizations have business process backgrounds or have automated the data collection, analysis, and response appropriately. Therefore, they may be hiring contractors who simply “do” and who may, because of a lack of experience or knowledge, be unable to perform during a crisis.
Organizational Resilience Management (ORM) and Business Continuity Planning (BCP) programs help define what information is needed by whom and when. This will help infuse and inform the contracting and hiring of personnel and the acquisition of technology.
How all of this industry advice, well-articulated at the NGSL, is turned into actionable intelligence is the business of Butchko Inc. Velocity, Value, and Veracity (the integrity of any program) will become the future scorecard for any service provider or security advisor.