Emma Shaw, pictured, chairman of the Security Institute and managing director of Esoteric Ltd explains why enhancing the perception of security within a client organisation, and ensuring that any proposals are given due consideration, requires the use of language that senior management can identify with.
The way that business is conducted in both public and private sector organisations has changed significantly over recent years. Statistics and research have identified that procurement is generally motivated by either “pain” or “pleasure” – the “pain” a buyer may incur if they don’t, or the ‘pleasure’ they may gain if they do procure an item, solution, product or service. Unfortunately, the motives for procuring security related solutions and products are generally based upon ‘pain’ and therefore it is the responsibility of security professionals to ensure effective communication with key decision makers in order to advise and support them on key issues surrounding security.
Defining moment
The Security Institute defines security as the protection of people, information and other assets through the prevention, elimination and mitigation of risks and threats. People, information and assets are the lifeblood of any organisation and therefore, the protection of such should be high on the agenda of all board level executives – the C-suite – so called because top senior executives’ titles tend to start with the letter ‘C’ for chief, as in chief executive officer, chief operating officer and chief information officer.
In a perfect world all companies would have a chief security officer (CSO) at C-suite level, responsible for the organisation’s entire physical and digital security. CSOs participate closely in related areas such as business continuity planning, facilities management, resilience, and crisis and disaster management. Unfortunately, they are a rarity and amongst the rest of the C-suite security is often viewed as an expensive luxury, a hindrance and/or something that adds little or no value to the business.
Research carried out by Prof Martin Gill FSyI of Perpetuity Research and Consultancy International highlighted this attitude and his 2008 survey – ‘Organisational Perspectives on the Value of Security’– found that 69 per cent of those questioned agreed that the closer the head of security is to the board, the higher the status of the security function overall. Rather more worryingly, 87 per cent of people rated the attitude towards security from the head of the organisation as crucial, and although 65 per cent agreed that security professionals were experts in their field, only nine per cent recognised them as being business leaders.
Influential decision
Much of the problem stems from the way that security professionals approach their own roles, which can be defined as traditional or entrepreneurial. The former view their job as being aligned to a service function and a cost to the bottom line. This lends itself to a situation where simply reducing the amount of money spent on security becomes a key objective.
Conversely, those in the entrepreneurial category see security as a discreet supportive function that supports each area of a business enabling it to conduct business effectively whilst underpinned by proportionate security practices and measures; It also requires an integrated interdepartmental approach. For example marketing: Security & marketing professionals should be working together to ensure routine competitive intelligence gathering and analysis is gathered in an ethical and legal manner. Similarly, there are also business benefits for human resources and security professionals to work together to implement adequate pre-employment screening of staff and contractors.
All too often security is perceived as a ‘grudge’ purchase rather than an integral part of a company’s strategy. This is due to mis-conceptions on the part of the C-suite combined with the fact that too few security professionals are able to present ideas in a way that is based upon a broader understanding of the business needs.
Mind over matter
Addressing this relies on the ability to get into the mindset of C-suite personnel and converse in a language that they will react positively to. Directors can be held personally accountable for their company’s actions and can be the target for espionage and even kidnapping. Therefore, presenting this in a way that clearly outlines risk, probability and potential impact as well as the fiscal and business benefits will ensure that any proposals are taken seriously.
Many business models and analysis tools are used at a strategic level and it would be useful for us as security professionals to understand these and how and why organisations structure themselves in a specific way. Developed in the early 1980s by Tom Peters and Robert Waterman, The McKinsey 7S Framework identifies seven internal aspects of an organisation that need to be aligned if it is to be successful. These are categorised as ‘hard’ and ‘soft’ elements.
Hard elements are easier to define and management can directly influence them. They are strategy – the plan devised to maintain and build competitive advantage over the competition; Structure – the way the organisation is structured and who reports to whom; and Systems – the daily activities and procedures that staff members engage in to get the job done.
Soft elements, on the other hand, are less tangible and more influenced by culture. These are shared values – the core values of the company that are evidenced in the corporate culture and the general work ethic; style – the style of leadership adopted; staff – the employees and their general capabilities; and skills – the actual skills and competencies of the employees working for the company.
Competitive advantage
As stated earlier, the C-suite is focused on achieving competitive advantage and any security-orientated proposal should focus on this. Michael Porter’s book, ‘Competitive Strategy’, outlines five forces that determine competitive power in a business situation.
These are supplier power, which looks at how easy it is for suppliers to drive up prices, and customer power, which involves ascertaining how easy it is for buyers to drive prices down. Next is competitive rivalry, which is important in identifying the number and capability of any competitors.
This is followed by the threat of substitution – the ability of customers to find a different way of doing things – for example, if a company supplies a manned guarding service, could CCTV replace it? If substitution is easy and viable, this weakens power. The final factor is the threat of new entry, which is the ability of people to enter a market. If it costs little in time or money to enter a market and compete effectively, new competitors can quickly weaken the positions of those already operating in it.
The generation game
It is also necessary to consider the addressee and how they might wish to receive the information being presented and how they might respond to the different types of communication. While a 55-year-old is more likely to prefer to be addressed in person or through more traditional methods, a 35 year old could be much more receptive to communication using more technological methods. Whatever method is used, a comprehensive cost benefit analysis should be provided, with considerations detailed that support the organisations current fiscal appetite. For example in the current economic climate an organisation, given the option of a range of security solutions to meet their needs, may well choose the solution which has least impact on the bottom line and can be detailed as a capital asset, thus contributing to the value of the balance sheet. This ensures that “cash spent” is still detailed as an organisational asset and thus adds value.
Once the relevant information is provided, it will then be scrutinised to see whether what is proposed is viable. A better understanding of this procedure is described in John Dewey’s five-stage purchase decision process. This appeared in his book ‘How We Think’, which was first published in 1910 and is still used today.
The stages he describes are need awareness, information gathering, evaluation of alternatives, purchase and post-purchase evaluation. All purchasing decisions begin with the recognition of a need or a problem. Once aware of a need or problem, the customer then proceeds to gather information and once the research is done, it is time to evaluate the options and make a decision. Once a decision has been made, the customer purchases the solution and then, after a certain period of time, they will review whether the problem has been solved.
Think ahead
It is naïve to assume that senior management will automatically understand the important role that security plays in a modern organisation. It is therefore crucial to approach any procurement issues and the strategic direction of security in a way that clearly describes the business case, identifies the key motivators for embarking on a course of action, and outlines the potential return on investment. This requires security professionals to both speak in a language that the C-suite is familiar with, while understanding the methodology these individuals use when making decisions. Those that do so will not only positively influence the role of security within their organisations, they will also elevate their own positions.
Visit www.security-institute.org
