Does the leadership of your company give much thought to its security posture? They should. Security operations overarch and underpin successful enterprises. How well it is integrated into the company will determine its effectiveness and efficiency.
If your company is stove piped and the CEO/COO is the only integrator, you have a problem experienced by many companies. In our experience, the most successful companies are integrated in a fashion that enables each VP/Director to understand cross-company impacts and relationships. Coupled with this approach is a properly positioned security element that has direct access to the COO level of the company and cross-functional visibility and authority.
Accordingly, when we do a risk assessment and security system design we include the positioning of the security element. Is it buried with little or no visibility into the day-to-day operations and strategic planning of the company. (It is frequently an afterthought.) Is it independent of other competing cost elements? Is it placed properly within the company’s structure?
The poorest performing enterprises have the Security Manager buried several levels below senior management. The Security Manager reports to another manager or director who reports to a VP who, in turn, reports to the C-suite. The Security Manager has no visibility into the total workings and thinking of the leadership other than what is passed down from his or her immediate boss. The lack of overlapping knowledge can promote disparate approaches within the overall organization and can even create duplicative functions.
One company we reviewed used this approach and clearly illustrated the organizational shortcomings. Since there was no integrated company approach to security, HR made up its own security process. To gain access to HR, employees had to call from outside the HR door. An HR employee would come to the door to physically let employees in and escort them while there. This led to a tremendous loss of productive time for both HR staff and the waiting employees. There had been no thought given to the impact on efficiency when this process was implemented. Furthermore, it was questionable as to whether HR even needed that level of protection. The irony of the HR department doing too much because of lack of input from the security manager is that the $2 Billion trading and sourcing negotiation areas that were the fundamental to the company’s market advantage were freely accessible to anyone within the building for the very same reason.
Shifting security to a staff level that reports to the C-suite is a slight improvement. The difficulty here is that they seldom have any implementing authority for security processes and procedures across the company. They are also viewed as more of an “audit function” than the “line organization” they should be.
There is no specific best place in the company for the security manager. The best choice depends on such factors as size, risk and complexity of the company’s mission. There are, however, key fundamentals that must be applied. First, operations must be fully integrated across the board. Senior leaders and their sub-organizations must understand how their actions impact the efficiencies of operations of their peers. We have found companies that had 12 sharp directors reporting to the C-suite, but they did not function as a team. They operate independently and in a vacuum. For example, the Facilities Director did not know how his organizing options impacted company overhead and the finance department’s workload. Once all 12 started integrating their activities, their response times and cost efficiencies improved and company performance/profits improved by more than 10%.
Security has to be given the right seat at the table to allow it to fully participate in this integrated approach. Placement below the “entry level” diminishes the effectiveness and value of security policies, procedures and operations. Further, operational efficiency across the board will suffer.
Ideally, Security will report directly to the COO in a company conducting complex, dispersed and medium/high risk operations. Failing that, it should not be more than one level below the direct report. Security must also have direct access to the COO regardless of placement, when needed. This is the same concept as with safety and quality. Security Managers must be given full responsibility, authority and accountability (RAA) for security planning and execution. Only then can an enterprise insure that the company is secure and that security is a “value contributor” and not a drag on company profits.