Issue link: https://securitytechnologyexecutive.epubxp.com/i/870734
www. SecurityInfoWatch.com • September/October 2017 • SECURIT Y TECHNOLOGY E XECUTIVE 17 It can be difficult to fully convey the value of a physical security function within an organization because many consider a security function as a cost-center. professionals have been more effective in capitalizing on the continual fear of IT security risks portrayed in the media, and the output of an organization's IT network intrusion detection system to the C-suite. Point in fact, likely someone reading this is passing the time waiting for their password to be reset because they can't remember or have incorrectly entered their 13-character alphanumeric password with symbols to gain access to their computer. It's amazing to the writer that an executive or employee can feel so inconvenienced by security staff or door access control, but will openly tolerate a 10-minute duration to log on to their com- puter because of a password reset. The IT/cyber group has done a much better job in positioning their value and implementing a culture that is so accep- tant of obtrusive security protocols. Understand the Business Environment A good security leader is knowledgeable about the business environment. He or she follows the same periodicals, news sto- ries that C-suite is following, and antici- pates business challenges and chang- es. This allows better adaptation and response to those various challenges. Take the business case of one of my clients - a security director who had built a rapport with their senior leadership and gleaned that the organization would be investing much more heavily in international real- estate and business transactions. While there was a steady flow of international security due-diligence requests, he theo- rized that the needs and demands could likely increase in the future. Output from third-party consultancy firms was too slow and costly. Using this opportunity to better support the organization, he built a job description for an internal analyst, and leveraged the organization's goals of hiring veterans to fill the position. He further reached out to his network, and assembled candidates that could deliver on the assigned position. Fortuitously, informational security due diligence requests began to pour in. The vendors stumbled and there were delays. Before the problem statement – "why is it tak- ing so long?" could be asked, the security director delivered a business plan, solu- tion and candidates to proactively solve the issue. The moral being that good networking , relationships and recogni- tion of business needs, comingled with a program that leveraged business interests to support our veterans, ultimately yields in rapid consensus and value. Amat Victoria Curam Those that are prepared are victorious, and those that are prepared are more likely to address one of the biggest functional risks that a security director can have - face-time with the C- suite. The writer has observed security directors who have been siloed from their C- suite - a dangerous position to be in, especially when the business landscape changes. Ideally, security leaders should endeavor to engage their team and themselves by taking active roles in corporate sponsored programs, charities, events, and similar initiatives. These are quite easy to identify within the organization and a great way to get indirect exposure with the C-suite. Beyond organizational involvement, consider proactively building plans and budget around high-impact threats that are likely to occur. These proactive plans will describe a strategy or program on how to solve a security challenge. I personally witnessed one security director's proac- tive planning in a meeting with a C-suite team regarding an incident that occurred while the writer was concurrently con- ducting an assessment. This security executive indicated the challenges, show- cased the reasoning for the issue, noted that he had identified the problem before the incident and had a plan. A member of the board asked – "Can you articulate this plan?" He then passed out a small binder, which identified the problem, the solution and costs associated with fixing vulner- abilities that allowed the threat to occur. He had indicated that the costs might need to be updated, but the program was solid. I have never seen a budget approval so fast in my life. Since that time, I call this strategy a playbook, because the prepared are victorious. Security leaders will also have to understand sales and know how to make an "elevator pitch" for their function. Another client described to the writer how he obtained funding for a business impact analysis and head-count for a business con- tinuity function. While in an elevator with an executive, the security director used the impact of events during Hurricane Katrina to showcase the need for a business impact analysis and business continuity position, citing information from the Wall Street Journal on the losses because of the lapses in recovery. Within a short elevator ride, he obtained interest and subsequent buy-in for the proposed solution and head-count. Maintaining C- suite visibility of the security function is sometimes as easy as embracing periodic communication through updates to senior leadership on noteworthy internal/external incidences, geopolitical issues, vulnerabilities, initia- tives and other relevant intelligence or security events. These briefings should be very direct and short to facilitate easy comprehension and are excellent for instilling confidence in the program/ leadership, but can prevent a potential- ly mundane event from escalating and negatively affecting security operations and reputation. Understand Functional Risks Security practitioners, can be singularly focused on the core responsibility of their organization and lose visibility for