by Michael Nossaman
An all too common response in the aftermath of a security incident serious enough to draw scrutiny and criticism is for the organization’s CEO to declare, “I take responsibility.” If this mea culpa is proclaimed boldly enough and with an air of authenticity it might actually be viewed as noble and possibly garner enough sympathy to get them off the hook.
But, if the CEO had not previously been committed to security, what does “I take responsibility” really mean? It means, “I screwed up. I wasn’t paying attention to important stuff I should have been.”
Assuming the organization survives the incident, the CEO then has two options.
One: blame other people, lop off some lower level heads, cancel a supplier contract, and move on.
Two: take responsibility and commit to do the things that will eliminate, or at least reduce, the risk that a similar incident will ever occur again.
Security failures and lapses are a serious and costly risk to businesses, organizations, and governments, and threats continue to increase daily. On the other hand, by implementing proper security measures for threat defense, security is the easiest of all business risks to mitigate and manage. We already know how to reduce security risk and all the tools we need are available. What is lacking is the willingness and commitment to solve a solvable problem.
Here are some suggestions for what an enlightened CEO would do to demonstrate a serious commitment to genuinely taking responsibility for security.
I consider the security implications of every action and decision.
Too often, security is an afterthought or ignored during the planning and decision-making phase. Security is an integral part of the equation for pursuing business opportunities and making decisions about the deployment of people and other assets.
I include security professionals in executive level discussions and decision-making.
Security personnel have a critical role in providing the elements necessary to assure operational success. Their participation at the highest level, early in the planning and execution phase, can enhance the probability of successful implementation and operation. In fact, security can function as a revenue driver, not just a cost.
I actively seek the advice of security professionals.
Marketing, Finance, and Operations executives are not qualified to recognize or assess the security needs of an organization and implement proper safeguards, period. Security is outside their core skill set. Therefore, the CEO must directly, and continually, engage with their security experts just as they would in those other functions.
I do not overrule security professionals.
Successful leaders hire the best experts to run the various functions of the organization and rely on those people to manage those functions without interference or micro-management. The same principle applies to security.
I maintain first-hand contact with security professionals.
Security must not be relegated to the control of a non-security executive such as the CFO, COO, or head of HR. Being once or twice removed from direct contact with the ultimate decision-maker creates a serious gap in timely, effective security.
I am accessible to security professionals.
Security matters are frequently time-sensitive, and therefore, high-priority. Delays in attention or action can exacerbate problems that might otherwise be minimized or avoided.
I consider quality security an essential business function.
Security is not a “checkbox” function. Security makes everything else the organization does possible and is a key ingredient in all the other key functions.
I ensure that security is adequately and properly staffed and funded.
Quality in products and services is what most organizations strive for. Producing a quality product requires giving preference to quality input over the lowest bid. Hire the best security personnel and acquire the best security products and services available. Give final authority for security staffing and procurement to the security experts, not the purchasing department.
I commit to protecting all our stakeholders and assets.
Security is an emblem of the character and culture of an organization. It reflects the brand image that consumers perceive. Stakeholders include employees, suppliers, vendors, investors, customers, and the community. Neglecting the security needs of any constituency will affect all the others.
I expect everyone in the organization to put security first.
Whether it is local or global, a safe and secure workplace and organization is a competitive advantage. It results in higher productivity, continuity and resilience, and stakeholder loyalty and retention. Moreover, as security beneficiaries, everyone has a stake in, and an obligation to adopt, actively participate in, and implement all appropriate security measures. Security is not an afterthought, add-on, or elective activity; it is part of the product, culture, and brand.
These commitments are stated as affirmations, not objectives to be achieved. They are not stated as “I will…,” or “I intend…,” or “I plan….” They are declarations of the way things are now.
There may be a temptation to wait before making these declarations until all the new security changes are in place. Resist that temptation because it will unduly jeopardize implementation. It will take time to change the security landscape of an organization but that’s OK because security is an ongoing, dynamic function that evolves and adapts to a constantly changing threat environment.
Boldly taking authentic responsibility and tangible action now will be viewed as noble because it is.