by Ray Bernard, PSP CHS-III
After a decade or more of work to elevate the importance of security, all the while with security risks increasing, security risk is now a senior management and board level concern.
This means that security practitioners no longer have to “sell” management on the importance of security.
This is a big change—a good change and a long-awaited one—from the corporate security picture of 15 and 20 years ago.
With this big of a change, why hasn’t advancing the cause of security gotten significantly easier?
Here is one reason. Just because management is aware of the importance of security doesn’t mean that they have the information they need to understand security priorities, make informed decisions, and properly support the efforts of security. Another reason is that security practitioners still have the same responsibilities, and in 2020 they definitely have more – there’s no doubt about it!
The Basic Situation
The situation basically comes down to this:
While it is true that ownership and management are more aware of security and more willing to support it, they have also delegated the responsibilities for planning and implementing security to others, especially you. That part of the picture has not changed. It’s why security practitioners have a job!
And with your job responsibilities come certain rights. Failing to exercise some of those rights means that you may not be fully enabled to fulfill your security responsibilities.
The flip side of that coin is that by exercising your rights you can assure that you will be fully enabled, and properly supported, to do your job.
The Big Picture
The fact that ownership, senior management and the board are paying attention to security risks means that their thinking is consistent with the big picture for security, which is:
- Business assets are the property of the business owners, who have delegated the care and protection of those assets to the executive management team.
- Risks to business assets—and risk decisions—are the responsibility of executive management.
- Because executive management must make the risk decisions, security executives must provide security risk information and recommendations to executive management so that they can make informed risk decisions.
- The organization’s ownership, executive management, and security executives and managers are all stakeholders in corporate security, each with their own rights and responsibilities.
These rights and responsibilities are captured in these three Security Bill of Rights documents:
- Ownership’s Security Bill of Rights and Responsibilities
- Senior Management’s Security Bill of Rights and Responsibilities
- Security Executives’ and Managers’ Bill of Rights and Responsibilities
Do you insist on your corporate security rights?
Are you enabled to take full ownership of all your corporate security responsibilities?
Additionally, you should influence the other security stakeholders to become fully enabled themselves, so they can support and approve security initiatives and improvements.
Many security practitioners have seen through the myths that hold most people back from leaning into and developing their influence, thanks to The 360 Degree Leader book.
Auhor John C. Maxwell explains how middle managers can leverage their unique positions and become 360 degree leaders by exercising influence in all directions – up (to the boss), across (among their peers), and down (to those they lead).
It is very heartening to discover how easy it can be to overcome the challenges facing the vast majority of professionals, especially security practitioners.
Read more about this here.