Illustration by iStock; *Security Management*

Think Ahead with Future Proofing

By Matt Bradley

1 May 2023

Spanish-American philosopher George Santayana said, “Those who cannot remember the past are condemned to repeat it.” But if we forget the future, are we doomed to miss it? Perhaps. Why is it important for chief security officers (CSOs) and aspiring CSOs to plan for the future of the security department at their organization? What is future proofing, and how do we do it?

The core elements of successful future proofing are vision, strategy, and resources. Future proofing is about identifying the long-term vision of your department, developing a strategy to achieve the vision, and obtaining the resources required to execute the strategy. What’s at stake could be the very existence of the department. If leadership doesn’t buy into your vision, or you don’t have one, you become just another cost center where they can look for savings when times get tough.

Vision

Vision statements conjure images of where we want to go. We have them in our organizations. Why don’t we create one for our security department?

A good vision statement is aspirational yet attainable. It should require growth and perhaps a bit of pain to achieve. The vision should be easy to capture in a single sentence and inspire your team; additionally, it should be obvious when the vision has been achieved or at least simple to measure progress toward the goal. For example, “Our vision for the corporate security department is to become a world-class leader in security innovation, continuously improving our capabilities to protect our organization and stakeholders from evolving threats, and achieving measurable progress toward this goal.”

If you consider the vision the destination, you must be able to tell if you are on the right road along the journey. That is where the strategy comes in.

Strategy

Think of strategy as the roadmap to your vision. If the vision is where you want to be in three years, where do you need to be 12 months from now and two years down the road to get to the vision? Define those waypoints, and then develop the specific steps to get to each waypoint. Strategy is so important it merits its own layer of the CSO Development Pyramid, and we call it out here to demonstrate the integration of the layers.

Suppose your vision includes proactively anticipating threats to the business, and your strategy identifies the required capability is a global security operations center (GSOC) providing 24/7 threat monitoring and analysis. In that case, the waypoint might be to add analysts during year one to develop the proactive approach. Deliver the value in year two by demonstrating how your proactivity enables the organization to make better decisions that result in better outcomes, which leads to a request for resources to go 24/7 to deliver even better results.

Resources

The third leg of the future proofing stool is resources. You have painted the vision. You have identified the strategy to achieve the vision. Now you need the resources to execute the strategy. Resources often follow results, so be prepared to deliver incremental results as a proof of concept before getting full buy-in for your strategy. Organizations spend resources on programs that generate value.

This equation of vision, strategy, and resources sounds simple, but there will likely be challenges along the way. How do you find a goal to enable the business to make better decisions, and how do you measure the value you deliver?

The Value in Future Proofing

For many years, security departments have been shifting from reactive to proactive, from a cost center to a value center. Values centers generate revenue or directly enable revenue generation (or mission accomplishment if you work for a non-profit). To identify a way to enable the business, you must know the business. How do you generate revenue or accomplish the mission? What are the steps to revenue generation? Can you protect the supply chain? Can you open new markets in higher risk areas with risk mitigation programs? Can you identify the best location to build the new factory? Can you protect salespeople or engineers in the field so that they can perform their jobs? Those are all high-value tasks that produce tangible results, and a strategy-centric security department should be involved in delivering them.

Measuring progress is essential. Your organization is unlikely to give you additional resources to fund your strategy without some ability to measure your results. Develop key performance indicators (KPIs) before you request the resources. Measuring progress should be inherent to the strategy, not an afterthought. Once you identify the task you want to accomplish—for instance, enabling engineers in the field—identify the metrics to measure your success.

In a previous job for a telecom company, we lost revenue from cellular towers when thieves broke in and stole batteries and fuel used to operate the generators. The power goes out, the equipment stops running, and people can’t make calls, thus causing lost revenue. The company also had to replace the batteries and gas. These were all measurable things. We added them up, and the losses were in the millions of dollars annually.

The security team created a plan to install surveillance cameras, motion sensors, and alarms, as well as establish a quick reaction force so we could stop the theft. The program cost $5 million to implement, but it paid for itself in a year in recovered revenue and reduced theft. Remember: what business task can you enable for the business and how can you measure it? That is your path to demonstrating value.

At the telecom, we leveraged technology to reduce lost revenue and theft. We also reduced expenses by replacing more expensive guards with more reliable sensors. Enabling revenue is one way to generate value. Reducing costs impacts the bottom line.

Previously, newly appointed CSOs arrived at their post determined to demonstrate their merit. They would examine their existing operations and identify some inefficiencies. Their “value add” was often reducing staff or cutting costs—but at the expense of capabilities. Reducing the potential for positive outcomes by cost cutting does not increase value. It can put the organization at risk. Future proof your organization by leveraging technology to generate the outcomes that lead to value creation. Cost cutting has diminishing returns; eventually you run out of items to cut. Adopting a long-term, value-adding mindset is the way to make your program relevant to the organization for the future.

Where to Begin

Value creation, leveraging technology, enabling the business—it sounds like an MBA course. So, how can CSOs and aspiring CSOs educate themselves on the future of security and how to realize it without necessarily pursuing an advanced degree?

The ASIS International CSO Center has created the CSO Development Pyramid to guide you. One of the layers of the pyramid is future proofing, and the CSO Center has compiled ASIS and external resources to help you learn how to future proof your organization. CSO Center members can check out the resource center to learn more.

Remember, the future arrives whether we prepare or not. Running a successful security department is like running a successful organization. Achieving proactive security takes vision, strategy, and resources.

Matt Bradley is the senior vice president of Risk Solutions for Crisis24. He has spent the past 25 years adding value through security in the public and private sector. He specializes in teaching organizations how to leverage technology to improve their risk management outcomes.