Editor’s note: This is the second in a series of interviews with the session leaders of the upcoming GSO 2025 event being held August 16-17, 2023 at LinkedIn’s global headquarters in the heart of Silicon Valley, Calif. The event is named with a future date because it takes a 3- to 5-year look ahead at where security leadership and security technology are going.
Registration is open now.
Managing Editor John Dobberstein recently spoke with Derric Wright, who started in security at a large pharmaceutical company, and over 30 years went from a site security team employee to a national leadership position as Senior Director for EHS, security and DEA compliance at Hikma Pharmaceuticals USA.
Based on his strong record of success, this year Derric was asked to create and head the diversity, equity and inclusion function, which is of critical importance to Hikma’s strategic objectives.
SIW: Derric, haven’t you been a session leader at several previous GSO events?
Wright: John, I have been, and I always look forward to participating in the GSO events. I am one of the business leaders who has had excellent success applying the leadership principles presented at GSO. People’s capabilities are generally greater than they are led to believe. And I was in that situation myself when I first started in security. Learning more about what personal leadership is and what leaders can do in the middle levels of an organization, I discovered that there are many opportunities to lead every day in small ways that really do matter.
SIW: Looking at your career path, would you say that you have been given many opportunities for leadership and advancement that aren’t typical for people who start out at the entry level of security?
Wright: I agree with your assessment because I have been very fortunate to work in companies who valued good management and leadership at the middle level of their organizations. However, I want to expand on what you said, because it’s my observation that in many companies there is a shortage of leadership at the levels where it is needed most, and that’s not because of a shortage of capable people. It’s because the concepts that we have about leadership aren’t as helpful to those of us in middle management positions as they should be.
Oftentimes leadership is thought of in two ways. First, famous world leaders such as Charlemagne, Napoleon, Simón Bolívar, Sitting Bull, Winston Church, Franklin D. Roosevelt, Mahatma Gandhi or Dr. Martin Luther King Jr., or Nelson Mandela. Few people are in such positions, and the dynamics of that level of leadership simply don’t apply to us.
Second, leadership by position, which is where people are required to follow the direction of mangers or executives simply because of their position. That’s more familiar to us. Included in that concept is the idea that you have to rise to a high position before you can lead.
The truth is that you can lead from whatever position you are in now. As John C. Maxwell has written and spoken about, leadership is influence. Ninety-nine percent of actual leadership in an organization happens in the middle. You can and should lead people up, down and across the organization chart and there are so many opportunities to influence people in valuable ways that you could never act on them all.
What’s wonderful about this leadership concept is that all of us can do it. It just requires a bit of different thinking than what we’re used to. When you influence people in ways that make their jobs easier, that help them be more effective, that influence is very welcome and it ends up making your job easier. You get a greater level of organizational support at all levels.
We dig into this in great detail in our GSO 2025 sessions.
SIW: Your career has been one of taking on increasing managerial responsibility. Do you credit experience in security as preparing you to walk that path?
Wright: Although I didn’t initially realize it at the time, in several important ways my security work did prepare me for advancement.
To effectively safeguard a business and its assets, it important to understand the way that each functional are of the business works, and what the critical assets and critical processes are. This provides insight into the way the business works and how business value is created or added by critical business processes.
Security is the only function whose staff not only have the opportunity – but also the requirement – to gain that kind of operational insight into all parts of the business. In the process of collaborating on risk identification and risk treatment planning in the various parts of the business, you can also establish initial relationships with the leaders across the business. You can share successful practices from within other parts of the company. This is a welcome influence.
It can also put security leaders in a position where they know more than most others do about the parts of the business, and if they build leaders beneath them so that they can all step up, this qualifies the security leader to fill other positions that are important to the company.
SIW: Can you describe some of the practices and approaches that were critically important to your successes?
Wright: I think there are several important perspectives involved in being successful at the overall job of security, which is to reduce security risks to acceptable levels, at an acceptable cost, in a manner harmonious to the business.
A very important concept is risk ownership. The first thing to understand is that the security function doesn’t own the risks. Security risks are a part of business risk and the business owns them. It’s management’s responsibility to address business risk.
What the security function does own is the discovery and documentation of the physical security business risks, the analysis of the risks and the development of options and plans for risk treatment – for example, whether reduce it, insure against it, or simply accept it.
Often security proposals are turned down by people who have the authority to say “No” to the expenditure, but not to say “Yes” to the risk that results from saying “No.” Security’s most important task once the business risk picture is understood, is identifying the true risk stakeholders and effectively engaging with them so they understand the risk factors and can make well-informed decisions about risk treatment.
SIW: Is there another important factor that you can tell us about?
Wright: I think that security practitioners should think of themselves as business leaders who are focused on security, rather than as “security leaders” per se, meaning that they can only focus on security. By doing a visibly good job at informing middle and senior management about the business risks, and working with them to make the risk decisions, you demonstrate good planning, good thinking, and caring about other functions not just your own.
These are good general leadership qualities. They are not security specific. Many organizations are on the lookout for potential leaders in various functional areas. Being a good leader within a Security functional area can open doors in other business areas. That’s been not only my experience but also the experience of the team members who have worked in various positions within our security function.
It’s not necessary to keep moving up the ladder but it is nice to be invited and have the option. I’ve been asked to consider moving to higher positions, and I do understand the level of strategy and planning that’s involved. I just like being closer to “where the action is” – it’s fun and very rewarding.
SIW: Will you be at the GSO 2025 event for both days?
Wright: I have attended and also spoken previously at GSO events and I’m really looking forward to this one, and to talking to the other attendees at dinner -- and especially in the afternoon on Day 2.
SIW: Derric, thank you very much for sharing your ideas. it was a pleasure talking with you. Best of luck and we look forward to hearing more from you at GSO 2025 this fall.
Wright: Thank you John, I am honored to be a part of GSO 2025 summit and I’m looking forward to experiencing the event again.
