The global threat environment is impacting businesses more profoundly than ever before. ASIS’s recent State of Security Management study put it this way: “In some respects, global issues affect every business and organization today – there is no avoiding it, and it will only expand in the future.” In contrast to decades past, when global threat considerations were the domain of multinational firms with operations in the Middle East, Africa, or other regions deemed high-risk, we now live in a world where no company – regardless of its size or physical location – is immune from the global threat environment.
Global threats stem from myriad actors and forces, including adversarial nation-states such as China, Russia, Iran, and North Korea, terrorist and extremist groups, and criminal enterprises. And attacks can impact businesses through a range of vectors, including physical attacks, cyber-attacks, information operations, espionage, or the co-optation of a trusted insider, any of which could cost an organization significant cash and thrust the company’s name into the headlines. Colonial Pipeline, for example, has become synonymous with the devastating 2021 ransomware attack that shut down natural gas along the East Coast – a frightening prospect for any organization that wants to keep its brand associated with its product or service rather than calamity.
While these threats can understandably seem overwhelming to any security leader, the volatility of the global threat environment also provides an opportunity for Chief Security Officers to elevate the role of corporate security and enhance their relationship with the C-suite. By seizing the initiative to become trusted advisors in the global threat environment, CSOs can reduce their organizations’ risk, enhance the reputation of the security department, and advance their own careers.
Growing Attention From the C-suite
C-suites are aware of mounting global threats and are in search of answers. When asked what should be at the top of the agenda for C-suites in 2022, a group of experts from Boston Consulting Group identified geopolitical risk and cyber-attacks as two of the top concerns. In the time since that survey, Russia invaded Ukraine and President Biden signed into law new legislation requiring critical infrastructure companies to report cyber breaches to the government within three days of their discovery.
Recognizing the tightening relationship between security risk and shareholder value, corporate leadership teams are practically begging CSOs to take on a larger role. The ASIS report notes, “The perception of C-suite executives toward security management is changing . . . In the past, many CEOs didn’t want to know anything about security, and now they are far more interested and tend to view security executives as consultants or trusted advisors.”
However, becoming a trusted advisor on global threats is not an easy task. In such a complex environment, C-suites could seek guidance on anything from land wars in Europe to online extremism. Most security departments weren’t built for this, and so the CSO must be a changemaker to fill this role for the C-suite. They need to develop a deeper understanding of global dynamics, emerging threats, and government policies, and they need to foster and encourage strategic thinking and proactive engagement. Fundamentally, CSOs need to become visionaries – recognizing the significant role that security and resilience will play for the great companies of the 21st century and helping C-suite leaders appreciate the value the security department can bring in helping them navigate a dangerous world.
How CSOs Can Seize the Opportunity to Work with the C-suite
Prior to my work in consulting, I was a career State Department officer, where I spent countless hours helping senior officials understand the dynamics of the global threat environment and chart courses of action. There were three areas of particular importance: assessment, strategy, and engagement. These three areas of focus will be similarly critical for CSOs who want to meet the C-suite’s expectations and become trusted advisors on global threats.
Assessment -- In her 2018 article for Harvard Business Review, Sabina Nawaz provides some pointers on engaging with the C-suite. The first is explaining the problem at hand before presenting a recommended solution. For CSOs, this might seem like a good opportunity to discuss recent security incidents. Unfortunately, this can cause eyes to glaze over quickly.
Instead, CSOs should focus their analysis at the strategic level – starting with macro threats, like those identified by the experts from Boston Consulting Group. A clear and concise analysis of the strategic global threat environment, and potential impacts on the organization’s assets, will be more likely to tap into issues that C-suite leaders are already thinking about. Operational and tactical threat information should be used as supporting data.
Providing strategic analysis requires preparation. Whereas operational and tactical threat assessments may focus on a certain type of crime or the most recently circulating malware, strategic assessments should provide a comprehensive picture of a company’s position in the global threat environment. These assessments should capture the full range of adversaries who may pose a threat, their intentions and capabilities, how they might attack, and indicators that an attack is becoming more likely. Ideally, the assessment should cut across all security disciplines, providing a holistic picture of threats to the organization from physical, cyber, intelligence, and informational vectors.
While this may seem labor-intensive, it will pay off by providing an easy way to frame challenges that will resonate with senior decision-makers. This type of assessment can also be used to support strategic planning, resource prioritization, organizational design, and stakeholder engagement.
Strategy -- To become the trusted advisor to the C-suite, it is not enough for CSOs to become well-versed in global risks. They must also show that the organization’s security program is aligned with those risks. A written strategy that clearly articulates security priorities in this context enables the CSO to make sound business decisions and recommendations to the C-suite.
When developing a strategy, CSOs should consider four key drivers. The first is global threat, and a strategic assessment like the one described above will provide an excellent starting point. Fundamentally, security should be threat driven. Otherwise, it risks becoming a black hole in costs.
The second is the C-suite’s priorities. As noted above, cyber threats are top of mind for many business executives. For security leaders who oversee the cybersecurity function, this will be a natural area of focus. For those who don’t, it’s still important to show how other security functions can reduce the C-suite’s anxieties about cyber. Business continuity and crisis management, for example, play a critical role in preparing for, responding to, and recovering from cyber incidents. Beyond cyber, CSOs should always be attuned to the C-suite’s priorities and ensure those are reflected in the security strategy.
The third is regulatory and compliance requirements. As the security and resilience of private companies continue to grow in importance to government agencies, security-related regulation is likely to increase. Beyond accounting for existing compliance requirements, the strongest security departments will invest more resources in reading the tea leaves. Government policy documents like the Interim National Security Strategic Guidance can provide insight into what major threats are on the minds of senior policymakers and provide a window into the concerns that may drive future regulation.
The fourth and final driver is the return on investment. The CSO should focus on two categories of ROI when developing a strategy: costs avoided through the prevention of a major security incident, regulatory scrutiny, or reputational damage; and revenue gained through more informed risk-taking. Expenditures that can be linked – or better yet quantitatively correlated – to one of these will strengthen the strategy and help fireproof it against potential criticisms from the C-suite.
Strategy will become especially important in the coming months as economic challenges continue to force cost-cutting. The more easily a program can be linked to real-world threats that are well understood by the C-suite, the fewer challenges the CSO will have in making the case for its retention. In a tight budgetary environment, CSOs should prioritize strategy over everything else.
Engagement -- Assessment and strategy are necessary building blocks, but the CSO must adopt a default posture of proactive engagement to earn trusted advisor status. CSOs should try to engage regularly with the C-suite, keeping in mind that listening is more important than broadcasting. Engagement with the C-suite is an opportunity to be an internal consultant rather than to justify existing programs.
To be of most value to the C-suite, security engagement needs to expand to other stakeholders, including other offices within the company. Successful attacks by sophisticated global threat actors will have an impact on every part of the business, from public relations to human resources, legal counsel to finance. CSOs should proactively convene these stakeholders to discuss top threats to the business, advise on mitigation steps, and think through scenarios for crisis management. Not only will this strengthen the resilience of the organization, but if done tactfully and in partnership, it will also enhance security’s reputation with counterpart offices.
Relationships with government stakeholders are also increasingly important. Principal government contacts for security departments may always have been law enforcement, but the new global threat environment requires that CSOs have their finger on the pulse of government policymaking that could create new compliance requirements or, better yet, opportunities for meaningful and innovative public-private collaboration that could reduce risk. By developing and nurturing a wide network of relationships, CSOs can provide even more value to the C-suite.
Finally, CSOs need to invest in the quality of their communications with the C-suite. This requires dedicated time and resources to develop messaging and talking points, build compelling presentations, and ensure careful tracking of senior-level engagements and any required follow-up.
An Enhanced Role for the CSO
In such a dangerous and complex world, the CSO has the potential to be a critical player in every C-suite. A CSO who has become a trusted advisor on global threats will be able to unlock significant benefits for their organizations and themselves. Requesting resources or increased staffing will be easier. They will have a seat at the table to weigh in on enterprise-wide decision-making more regularly. The security department may enjoy an improved working relationship with other offices. And of course, increased visibility from senior management – under the right circumstances – can be hugely beneficial for career advancement.
In March, President Biden called on the private sector to harden their defenses immediately in light of the potential for major Russian cyberattacks amidst the invasion of Ukraine. Such warnings – directly from the President to security executives everywhere – are only likely to increase. The question now is whether CSOs are ready to step up and guide their organizations through such a challenging global threat environment. Their standing with the C-suite may depend on it.