Created by the Security Executive Council
This document is a concise summary of the key elements you need to know before starting any new role or program. These practices have been identified by the Security Executive Council through our work with some of the leaders of the world’s most sophisticated and accomplished security programs.
This document covers topics such as:
- The Top Things You Need to Do If New to the Job, or If Revamping the Security Program
- The Top Practices to be a Valued Security Leader/Organization
- The Top Reasons Why Security Practitioners are Looking for New Opportunities
- The Leadership Practice Most Important to Your Success
- The Top Practices of a Successfully Run Security Organization
- The Top Practices You Need to be a Next Generation Security Leader
- The Most Important Characteristic of an Outstanding CSO/CISO
- The Ten Most Common Decisions Highly Accomplished Security Leaders Make
- The Top Backgrounds/Skills Needed to Excel in Security
The collective knowledge contained within has been tested and proven effective in the real-world by successful security leaders. Read through the information and identify the elements that resonate with you. Pin them up on your wall. Share them with your team. Commit them to memory. We hope this information will serve you well throughout your career.
If there is one attribute in common among successful security leaders it is that they know when a new situation presents itself they have to hit the ground running. The ability to quickly assess conditions and rapidly identify and respond to critical issues is crucial to leading an organization in times of crisis and it is what executive management expects from its security management.
To that end we have created a concise summary of the key elements you need to know before starting any new role or program. These elements have been identified by the Security Executive Council through our work with some of the leaders of the world’s most sophisticated and accomplished security programs. These guidelines cover everything from what makes a program successful to what makes you more valuable in the marketplace.
This collective knowledge has been tested and proven effective in the real-world by successful security leaders. Read through the information and identify the elements that resonate with you. Pin them up on your wall. Share them with your team. Commit them to memory. We hope this information will serve you well throughout your career.
Top Things You Need to Do If New to the Job, or If Re-vamping the Security Program
Stage 1: Program Concept
- Conduct threat/risk assessments
- Create vision and mission statements
- Establish and define the most appropriate service delivery model for the organization
- Establish and define a governance model
- Align business goals with the goals of the security program
Stage 2: Program Creation
- Establish executive sponsorship
- Form an executive advisory team
- Define and cultivate human and financial resources
- Define the key program elements
- Identify roles and responsibilities across the enterprise
Stage 3: Develop the Strategic Plan (Note: May be developed in tandem with either stage 1 and/or 2)
- Decide on an appropriate process
- Develop documentation
- Conduct document reviews with appropriate senior management
Stage 4: Program Implementation
- Develop a change management strategy if necessary
- Conduct a feedback assessment mechanism and gain customer satisfaction information
Stage 5: Program Value Measurements
- Identify key performance indicators (KPI)
- Measure programs against KPIs
- Develop metrics communications plan
Top Practices to Be a Valued Security Leader/ Organization
- Create and communicate the brand image for the security group; all staff should be well versed on this.
- Assure senior management knows what security offers. Catalogue your programs and services and current resources contributing to what security offers.
- Have regular discussions with senior management about their security/risk issues and how security can contribute.
- Always communicate in business risk terms (not security terms).
- Understand the organization's culture and adapt security programs to it.
- Never say no; find a way to mitigate risk without negatively impacting business goals.
- Demonstrate that security can be a bridging facilitator across all functions.
- Base security's goals on business goals; be ready to change plans if the organization shifts direction.
Top Practices for a Successfully Run Security Organization
- Don't let the Security Department be invisible to the rest of the organization.
- Run Security like the business units run their organizations - be accountable for what you offer, who uses it and how you measure effectiveness.
- Select and develop someone on your staff to handle all interactions with executives in your absence exactly as you would.
- Operate from a strategy - don’t let responses to day-to-day risk issues drive you. It's critical to success.
- Groom your staff to think and communicate strategically about security.
- Don’t focus on failures; analyze your, and others’, successes – what elements made it work? Then replicate that.
- Understand what expectations senior management has of you and present your case in a way that shows value to the organization.
- Recognize that if senior management demands benchmarking or metrics, it's often a sign of loss of confidence. Have the answers before they ask.
- Develop a clear way to communicate the value proposition for the Security Department.
- Successful programs have diverse and varied resources. The most successful programs have designated resources that help develop executive-level strategies and communications.
Top Practices You Need to be a Next Generation Security Leader
- Act like a leader.
Coaching, managing and influencing should go up, down and laterally for maximum benefit.
- Anticipate your manager’s needs and their manager’s needs in context.
What is their preferred method of communication? Ask. In-person, voice, e-mail and text messaging all have adherents. Get to know them. Let them know your intention to be a better helper.
- Support your organizational culture, values and mission...and enable them.
Delivering options relevantly, within the enterprise strategic plan, differentiates highly successful leaders.
- Start with board-level risk concerns and unified protection.
When stakeholders realize you think strategically, and are collaboratively helping them to design risk mitigation for the most consequential people, process and asset risks, your value perception grows.
- Help build cross-functional programs, not "territories."
Unified risk protection requires collective knowledge, resource and will. Our ability to influence peer risk mitigation groups before, during and after a critical incident is consequential to collective performance.
- Tell, show, do, and measure. Differentiate with metrics and operational excellence.
Program and personnel development investment and re-investment are unlikely without the persuasive business case or ROI story.
- Communicate persuasively without hyperbole or exclamation marks.
Share your data. Take the emotion out and build in confidence. Resist promoting a critical event to a crisis if it is not absolutely necessary. Frame your answers in the form of questions. Probe. Begin with YES and qualify responsibly. Credit and promote others whenever possible and be accountable for shortfalls.
- Run security as a business.
Knowing your business and its level of readiness for your strategies, communicating with and influencing internal customers, demonstrating how and where security resources are being used, and adding value to the organization is essential.
The Most Common Decisions Highly Accomplished Security Leaders Make
- They have the right tools/assets/people in place before an incident happens and these resources are focused on the right things.
- They built the right relationships – internally and externally.
- They foster an environment of sharing and create useable ways of documenting what they learn from others.
- They are lifetime learners and continually push programs to the next level.
- They focus on leadership issues.
- They discuss risks and mitigation strategies in terms that resonate with the Board.
- They run security as a business.
- They take care of staff and help them grow.
- They recognize their organization is different from any other, even from peer companies. They prepare for future trends.