Functional Risks: Adapt or Die

This article examines the security function, or what the writer describes as a resilience function. Its aims are to establish a mindset, and potentially an awakening, around functional risks to the security organization. Functional risks are rarely discussed from a security/resiliency perspective, but they are those that could create employment issues or an inability to support our respective goals from more direct threats, such as workplace violence, intellectual property theft and similar.

Survival of the Fittest

Survival of the fittest, Darwinism and its evolutionary theory do not apply only to nature; they also apply to physical security personnel and, more broadly, to the security function within an organization/company. In my travels over the last two decades, I have had the pleasure to work with security leaders: those that are uniquely alert to their environment, those that are distracted and a few that are naïve. In some instances, I have witnessed those that are distracted/naïve reacting too slowly to a functional risk or a change in environment, culture, company/organizational mission, etc., only to have it quickly escalate beyond their control, with negative outcomes similar to those described in the theory of Darwinism.

Adaptation is a key component of Darwinism, and it is a leadership trait that I have witnessed in proactive security leaders who are intrinsically connected to their environment/business/culture, and who more readily recognize and are more likely to adapt to functional risks/threats to their security function. The following represents broad thinking around the need for security personnel to constantly maintain a mindset of adaptation to functional risks.

The security function within an organization is one of the most misunderstood parts of a company/business and I tip my hat to companies/organizations that recognize the benefits of a finely tuned security function.

For those in a security function, the following is not something new, but rather an affirmation that a competent, proactive security leader can wear many hats in an organization in support of their objective of preventing threats to the organization's assets and, moreover, responding to events with the goal of minimizing the recovery time and the impacts to the organization's brand and image. Beyond the multi-disciplinary responsibilities that a security leader has, they will be the person from whom everyone in the organization seeks guidance and direction during a crisis.

It can be difficult to fully convey the value of a physical security function within an organization because many consider a security function a cost center. This is reactive and naïve. Somewhere in the world, right now, as you read this, a security program is effectively deterring an incident before it escalates. It is impossible for the writer to capture the value of this statement, because it is unfounded. This is one of the root problems with what many refer to as the physical security program. Security does not receive visibility within the organization because the outcome of the event is not continually realized. It is like the philosophical question: “If a tree falls in the forest, and no one is there to hear it, does it make a sound?” Comparably, how do we know the effectiveness of a security program without an actual occurrence? IT/cybersecurity has been more effective in capitalizing on the fear of IT security risks continually portrayed in the media, and on the output of an organization’s network intrusion detection system to the C-suite. Case in point: likely someone reading this is passing the time waiting for their password to be reset because they can’t remember, or have incorrectly entered, their 13-character alphanumeric password with symbols to gain access to their computer. It’s amazing to the writer that an executive or employee can be so inconvenienced by security staff or door access control, but will openly tolerate a 10-minute delay to log on to their computer because of a password reset.

The IT/cyber group has done a much better job of positioning its value and implementing a culture that is so accepting of obtrusive security protocols.

Understand the Business Environment

A good security leader is knowledgeable about the business environment. He or she follows the same periodicals and news stories that the C-suite is following, and anticipates business challenges/changes. This allows better adaptation and response to various challenges/changes. Take the business case of one of my clients: a security director who had built a rapport with their senior leadership and gleaned that the organization would be investing much more heavily in international real-estate and business transactions. While there was a steady flow of international due-diligence requests, he theorized that the needs and demands could likely increase in the future. Output from third-party consultancy firms was too slow and costly. Using this opportunity to better support the organization, he built a job description for an internal analyst, and leveraged the organization’s goals of hiring veterans to fill the position. He further reached out to his network, and assembled candidates that could deliver on the assigned position. Fortuitously, informational security due diligence requests began to pour in. The vendors stumbled and there were delays. Before the problem statement, “why is it taking so long,” could be asked, the security director delivered a business plan, solution and candidates to proactively solve the issue. The moral? Good networking, relationships and recognition of business needs, co-mingled with a program that leveraged business interests to support our veterans, ultimately yield rapid consensus and value.

Amat Victoria Curam

Those that are prepared are victorious, and those that are prepared are more likely to address one of the biggest functional risks that a security director can have: face-time with the C-suite. The writer has observed security directors who have been siloed from their C-suite, a dangerous position to be in, especially when the business landscape changes. Ideally, security leaders should endeavor to engage their team and themselves by taking active roles in corporate-sponsored programs, charities, events, and similar initiatives. These are quite easy to identify within the organization and a great way to get indirect exposure to the C-suite.

Beyond organizational involvement, consider proactively building plans and budget around high-impact threats that are likely to occur. These proactive plans will describe a strategy or program on how to solve a security challenge. I personally witnessed one security director’s proactive planning in a meeting with a C-suite team regarding an incident that occurred while the writer was concurrently conducting an assessment. This security executive indicated the challenges, showcased the reasoning for the issue, and noted that he had identified the problem before the incident and had a plan. A member of the board asked, “Can you articulate this plan?” He then passed out a small binder, which identified the problem, the solution and the costs associated with fixing the vulnerabilities that allowed the threat to occur. He had indicated that the costs might need to be updated, but the program was solid. I have never seen a budget approval so fast in my life. Since that time, I call this a playbook, because the prepared are victorious.

Post Date

09/01/17

Author

Sean Ahrens, Project Manager