by Michael Nossaman
How would you counsel a CEO who says, “Our security professionals have to make some tough decisions? I don’t think I should be reaching down and making those decisions but we need to do a better job with the professionals charged with making the decisions so that the information can all be evaluated and the resources that are needed can be asked for and deployed to the best extent.”
So, what security responsibility does the CEO bear? Is it enough just to hire competent practitioners or contractors?
What responsibility does the CEO bear if resources were requested but denied and then something bad happens?
What security situation or circumstance does rise to the CEO level?
Who IS ultimately responsible if something bad happens?
These are not hypothetical questions. Furthermore, the answers presage far-reaching consequences.
Here is a real-world example: CNN “State of the Union” host Jake Tapper’s interview of Hillary Clinton on Sunday, October 18, 2015.¹
TAPPER: I covered the Benghazi situation, the Benghazi tragedy when I was a White House correspondent and there’s something I just never really understood and that is why did the State Department deny all those security requests? The former regional security officer in Libya Eric Nordstrom recalled in testimony asking for 12 new security agents and he was talking to a regional director who said he was asking for the sun, the moon, and the stars. It got so bad Nordstrom said, that he said that he was fighting members of the State Department. It was like having the Taliban on the inside of the building.
CLINTON: Well, the accountability review board that I commissioned went into this in great detail, and they made some recommendations.
TAPPER: I know, but I guess the question is why, though? Why didn’t the security requests, why weren’t they made?
CLINTON: Well, that was left to the security professionals, Jake. And in the reports, the ones that have been done that were nonpolitical and independent in their efforts to try to sort this through I think concluded that the security professionals in the State Department had to look worldwide and had to make some tough decisions. That’s why we don’t inject politics into it. That has to be what the professionals are deciding. And there were a lot of different opinions and that’s understandable. There’s tough decisions that have to be made. So I can only point you to the very thorough review that several committees have done starting with the accountability review board that have gone into this in great deal and made recommendations about how we can better make those assessments. Not at the political level, because I don’t think a secretary of state who may be there for four years or two years should be reaching down in and making those decisions, but we have to do a better job with the professionals charged with making the decisions so that the information can all be evaluated and the resources that are need can be asked for and deployed to the best extent.
The use of this example should not be construed as a political statement; it merely reflects the stark reality of the everyday business of managing risk at the highest level, that of the CEO.
Mrs. Clinton abdicated direct responsibility as CEO for security decisions and failures, re-directed it at the “professionals,” and only vaguely hinted at managerial shortcomings of others, saying, “…we [not I] have to do a better job with the professionals charged with making the decisions…” At most, she admitted only that others in the organization she led had failed to hire the right security people.
Admittedly, the role of security director or contractor usually does not include or afford the opportunity to lecture a CEO on his or her responsibility for security. That is hardly a formula for vocational longevity. Moreover, the ability of a CEO to run far and fast from direct responsibility is breathtaking.
However, that does not mean it is inevitable that security professionals must always take the fall, nor is it inevitable that incidents of tragic magnitude cannot be avoided.
The last, and most important, questions are:
What tools and skills do you command to avoid a similar outcome?
What is it that you need but do not have, and how will you get it?
How can you change the nature of the dialogue with power, and make them welcome it?
These are not questions designed to shield against or divert blame, they are central to the task of protecting people and assets in response to those who claim not to be responsible.
Feel free to drop a copy of this article in your CEO’s inbox.
Photo credit: imagerymajestic-FreeDigitalPhotos.net