Security and Business Leaders: A Communications Gap

When I find myself talking to a  group of security professionals, eventually the topic will turn to whatever security breach was in the news that morning, and how easily it could happen to us. From there we might discuss how people outside the security profession do not see these obvious risks in the same way that we do. Then we will ask each other how we can convince our executives to give us the proper resources to protect our organizations from the threats that we see so clearly every day.   How can they expect me to protect the company if they cut my budget? Why don’t they think about security before the incident happens? How do I get “a seat at the table”? Why does procurement have more say about my program than I do? Why won’t they do what I know they need to do to protect the (insert important thing here)? These questions, although natural to people who are driven to protect and defend what we are responsible for, are, in fact, not the questions that are going to get our security programs where they need to be. Why not? Because we are not speaking the language that our audiences understand.

Bridging The Gap: Whose Job Is It?

We tend to believe that it is the business’s responsibility to understand the importance of security. Therefore we don't recognize the need to invest in security. But in the world of business, that’s just not the case.  Business leaders have operations to run and missions to fulfill, and as security leaders we need to understand that it’s up to us to bridge the gap between the security way of thinking and the business way of thinking. Just as we would learn the language if we setting up a security shop in a foreign country, we need to ensure that we are speaking the language that business executives understand.  This is critically important when we are discussing the needs we have for the the enterprise security program.  It’s not a large gap to bridge.  But you have to recognize that gap if you intend to cross it.    

Building the Bridge: A How-To Guide

There are a few relatively simple things to keep in mind as you begin the process of bridging the communications gap that seems to exist in many organizations between the security team and business leaders.

Engage as a partner to understand what the business needs

You cannot build a bridge if you do not know what is on the other side of it.  The most critical piece of the equation when engaging business executives in a discussion about the importance of security is understanding how they look at the world and what is most critical to them.  In most cases, the easiest way to find out what is important to people is to just sit down and have a conversation Simple questions like:

• What are your responsible for?
• What does your group do?
• Is there anything you are particularly worried about?
• What are the critical needs for your group that if something happened to them you would not be able to do your work?

Answers to these questions can all go a long way to building your understanding of what the business cares most about protecting, allowing you to focus your efforts.  They will help transition from being the department that tells the business what they can and cannot do, to being the team-mate to help them protect what they care about.  Open conversations go a long way to building trust.  A critical point to communicate is that you are there to help the business complete its mission.  You are not going to stand in the way of getting  work done. Once you understand what is important to the business, you can then begin to discuss security risks affecting those areas.

Treat security risk the same as any other business risk

Framing your discussion of the security issues and risk will help build your relationship on a common platform.  Business leaders are used to having critical discussions about risk.  They deal with risk every day in all areas of the business.  Financial risk, operational risk, resource risk, regulatory risk… These are all topics that your executives think about every day.  If you are going to talk to them about security, frame your discussion in the language they understand… risk. The risk-based conversation looks a little different than the old-style security conversation.  In a risk-based approach:

Security conversations are based on:

• Quantified risk measures
• Identified risk tolerance thresholds
• Resource owner agreement
• Measurable evidence

Security decisions are NOT based on:

• A “gut feel”
• “What everyone else does”
• “Fear, Uncertainty, and Doubt”
• A “best practice”
• Anecdotal evidence

In a risk-based conversation, you and your business partner have a chance to clearly understand the role of the security department in helping the business continue to carry out its mission, ensuring that critical resources are continually available.  You will have the chance to understand the acceptable level of security risk tolerance for business resources because you have asked what is important to them and ranked their importance.    And you will both have the capacity to make quality, educated decisions on security risks to resources.  These decisions will put an agreeable level of protection in place for those critical resources.  Even better, having made those decisions together, your business partner will now have a stake in the results of the plan, because they had a say in crafting it.

Measure and Report Your Results

However, it’s not enough to simply have a risk-based conversation.  Once you are engaged in a risk-management approach, you must continue to engage in the business process, just as any other business function would.  That will require ongoing reporting of the effectiveness of your program in quantifiable ways.  Identify metrics that show trends in risk, not just tasks completed or hours of work accomplished.  You must tie meaningful data to your security activities if you want to measure the impact of a mitigation on a security risk.    A few examples of risk-management metrics:

• A reduction in the number of vehicle breaks-ins in a parking lot after an increase in patrols
• An increase in reported security concerns following a campaign of security awareness for employees
• An increase in the number of visitors to a facility processed per hour when implementing a visitor management system
• A decrease in the time to deploy credentials to new employees in response to a streamlined procedure.

None of these metrics discuss the hours worked.  They show that an impact resulted from a response to a mitigating activity.  More importantly, if the trend is outside the business tolerance, or the desired impact is not seen, you have clear metrics to discuss with your executives a change in the original plan.  And this is based in fact, not simply experience or opinion. These few simple changes in how you approach and discuss security with your executives will go a long way in furthering the goals you have for your security program and your business partner’s goals for the business.  You business partner will have a better understanding of how to functions in an  environment of daily security risk, knowing that risk mitigation plans are in place to protect their critical resources.  

About the Author: Rachelle Loyear

Rachelle Loyear is the VP of Integrated Security Solutions for G4S Americas. In this role, she leads the G4S Security Risk Management and Integrated Practices management office. Her main task is to help G4S customers take advantage of the powerful risk management business approach. She wants these customers to integrate the approach as part of their holistic security programs. Rachelle has spent over a decade managing programs in corporate security organizations. Focusing strongly on security risk management, she has been responsible for ensuring enterprise resilience in the face of many different types of risks, both physical and cyber. Rachelle is PMP, CISM, and MBCP certified, is active in multiple security industry groups, and volunteers as the program manager of the Enterprise Security Risk Management program management office at ASIS, International. Additionally, she is the author/co-author of three books in the security risk management subject area: Enterprise Security Risk Management: Concepts and Applications; The Manager’s Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security; and The Manager’s Guide to Simple, Strategic, Service-Oriented Business Continuity.