The Future of Security: Navigating Change in Business
People overcome change in plentiful ways, often embracing it as adventure, joy, elation, and relief. Other times, change enters with great loss, confusion, hesitation and, most challengingly, grief. Change sparks a beginning and an end—the cessation of what we once knew, a last goodbye, a final look. We are emboldened to forge ahead, testing new ways of thinking, working, behaving, and existing. Many are driven to lead by overcoming confusing corporate environments, unravelling risk, or tackling new opportunities.
Today’s senior security executives (SSE) navigate a constant barrage of change. We share challenges, hardships, and experiences with common limitations stemming from the inadequacy of outdated programs, intrinsic incompatibility, and a lack of alignment or voice across the business.
In today’s maturing business landscape, change management has become a crucial aspect of any project, particularly those that cause significant disruption to people—not just processes and technology.
Change management provides tools for successful transformation as it navigates several internal and external forces. From personal growth and professional development to social, cultural, and regulatory factors, the list of forces at play can be overwhelming. Whether it is a merger or acquisition, a digital or business transformation, or a reorganization or realignment, organizational transformation requires careful planning and execution. As companies strive to stay ahead of the curve and adapt to new ways of working, change management will be a critical component of success.
First, consider executive priorities and what matters to leadership across an organization. Buzzwords like growth, acquisitions, revenue, and profitability are alluring at face value. However, at a deeper level, the meaning of such words often remains lost upon the security worker, because they neglect to consider the operational impacts and effects on the people surrounding the corporation.
As companies strive to stay ahead of the curve and adapt to new ways of working, change management will be a critical component of success.
For senior security executives, understanding the motivations of senior management is crucial, especially as peers. SSEs can gain a broader context of their responsibilities by referring to internal resources such as the annual report, strategic plan, and corporate communications. Corporate publications provide valuable insight into company ambitions, and priorities, which security ultimately protects, differentiating the SSE and the security function between being a cost center vs. revenue safeguard. Staying current with communications helps gauge the corporate strategy’s success and business performance, providing foresight into forecasting and predicting variables that may impact safety and security. As profitable operations drive growth and expansion, negative performance impacts human losses.
Negative change drivers (for example, downsizing, restructuring, or offboarding) influence decreased morale, with increased workload, stress, and tension on remaining personnel, a loss of institutional knowledge, reduced innovation, and diminished company reputation. SSEs must be aware of and involved with plans to mitigate such risks, because these factors can significantly impact the company's performance and profitability.
While many agree that security is a service provider, an effective SSE focuses less on downstream deliverables at the leadership level, shifting attention upwards to meet wider responsibilities such as planning, process, policies, equity, inclusion, legal matters, and alignment to corporate objectives. Conversations become less technical or tactical, and they center around financial management, commercial operations, business planning, analysis, and forecasting.
An SSE has arguably one of the most challenging jobs in the company. To excel in their role, they spearhead security measures and mitigation tactics while balancing business acumen, intelligence, and leadership skills, directly influencing the managers, workforce, and shareholders’ perception of security. It is imperative to establish a presence throughout the leadership levels of the organization because security has traditionally operated on the sidelines. A key consideration for the SSE will surround elevating the company’s security posture during and beyond periods of change.
To support the business more effectively, the SSE can implement and coordinate safeguards by creating inroads into other departments and gaining a deeper understanding of the corporation and its various business units. Security awareness policies are often brief and overlooked, so for the SSE, thoroughly understanding actual processes, workflows, systems, and people will improve security’s awareness of the organizational culture. The SSE can then incorporate this knowledge to create reasonable policies and improve existing standard operating procedures, ultimately strengthening value to the organization and its leadership team.
To understand the business, one must first grasp the concept of business. Business strategies are generally composed of three tiers: corporate, business, and functional.
Corporate. Corporate strategy involves high-level direction that affects a company’s market and reputation. Different approaches can be used, such as growth through concentration, diversification, integration, or internationalization; a stability-based strategy involving profit-earning, cautionary narratives; or maintaining the course with no major shifts. Turnaround or divestment may take a mixed approach, depending on corporate needs.
Business. Business strategies focus on achieving commercial expectations by analyzing factors such as the market, competition, supply and demand, trends, business models, and synergy. They implement a planned approach to delivering on corporate strategic expectations through developing tactics, tasks, or procedures for getting things done.
Functional. Enhancing competencies through the functional strategy is necessary to give a business unit an edge over the competition. Specifics of this strategy likely differ based on its business unit’s purpose; the functional strategy aims to enhance productivity and efficiency to achieve specific departmental goals.
Enterprise strategies target achieving corporate ambitions and objectives but tend to lack an essential element and most important asset—the people.
Influence and Resistance
To effectively start business planning for a change—whether an organizational change or a personal career choice—begin with your honest, current situation rather than an idealized version of yourself or your goals. Business planning is not easy; evaluate the present state and your aspirations for the future. Take the time to reflect on your thoughts, feelings, and long-term vision, because devising a solid business plan is the initial step toward fulfilling career goals.
After completing your business plan, compare it with the company’s overall vision. Does your plan align with the corporate strategy? Does it support and motivate you? Do you share the same values as the organization you work for? If so, you’re in the right place—this is a company where you can thrive, grow, and accomplish the great things you want to achieve.
Then, take a step back and consider the culture of that organization. Remember that corporate strategy and culture are different things; even if some align closely, others may be further apart. Determine if the culture of your work environment aligns with what you want out of life personally and professionally. That is incredibly, crucially important to know.
Enhancing the security function and long-term career of the SSE relies on clear alignment between executive expectations, value, and strategy. Developing a strategy enables effective time management and business acumen, allowing for better control, informed decision-making, and positive outcomes.
Conversely, poorly managed change leads to increased stress, absenteeism, turnover, decreased motivation and trust, or a return to bad habits. People often fear the unknown, such as job stability, confidence with new systems, workload, and new reporting structures. Change is perceived as extra effort and may require people to alter their beliefs. This is especially relevant in the context of diversity, equity, and inclusion (DE&I); here, individuals may resist, believing they are not a bad person so there is no need to change. Learning, relearning, and unlearning may have to occur. Whether objective or subjective, losses have emotional consequences and recognize that others, including oneself, may not understand subjective losses.
To navigate organizational change successfully, prioritize preparing, supporting, and equipping individuals through a structured approach that puts people first. When considering security organizational change management (SOCM) and modern security, consider it in terms of:
- What are the burning topics or concerns impacting your organization?
- What are the top challenges or opportunities concerning your team?
- What are the top issues affecting the security industry?
Various factors impact security businesses, driving lasting effects on people, processes, policies, and organizations. Changes in opportunities, regulations, and requirements are constantly and rapidly evolving. However, an SSE’s progress in upper management could be undone by turnover, leading to budget cuts or reorganization, which can be frustrating.
Having a well-planned and well-executed change management strategy is fundamental for success. SOCM can lead to faster adoption, improved stakeholder engagement, and more efficient operations. Proper training and effective communication help organizations avoid unnecessary costs and improve access to information.
Consider the power of people’s comfort zones, because the natural reaction to change is habitually to resist.
That aside, do not underestimate the power of comfort with the current state. When resistance rises, the objective is not to eradicate resistance but to comprehend it, absorb feedback, and incorporate it for resolution. Understanding why people resist change is imperative for your initiative’s success; consider the power of people’s comfort zones, because the natural reaction to change is habitually to resist.
Several influences, including power, politics, and personal experience, come to light. Additionally, career aspirations, budget constraints, narrow-mindedness, a compulsion to retain current business models, and readiness or unwillingness to embrace true diversity may also be at play. Exploring the spectrum of positive and negative motivating factors is worthwhile when making determinations in this context.
When preparing for change, also consider the consequences of not changing to anticipate areas where resistance may arise. To overcome these challenges, implementing varied approaches supports mitigating resistance. Raising awareness will confirm that you and your team have the necessary knowledge to implement the change successfully.
By anticipating resistance and accepting feedback, consensus-driven requirements are adequate to align stakeholders on the same page. This approach involves collaboration and agreement on organizational or departmental needs. By spending time on this at the outset, you’ll minimize any blind spots or gaps by capturing benefits that include improved communication, better quality requirements, and increased stakeholder ownership.
Communication Through Change
Security at the leadership level involves a broader approach for processes, policies, and alignment with corporate priorities over the day-to-day operational tasks. Maintain pace with peers by keeping conversations simple and non-technical to preserve your audience’s attention. Consequently, be prepared for high-stakes negotiations by understanding the potential business costs and wider operational impacts of security decisions.
To effectively communicate key information in a limited timeframe, link the situation to the immediate impact on operations through a story. Avoid small numbers or technical jargon; instead, focus on the company’s bigger picture, relating patterns or negative consequences to immediate impacts using statistics and metrics to create a business case that executives will understand. As the security expert, people look to you for guidance. You must make a recommendation, whether it involves more investigation or evaluation time; that recommendation should include scenarios with forecasted outcomes.
Aligning with the business is especially important when seeking approval or funds for security initiatives like modernization and transformation. Demonstrating how expected benefits align with and support the business objectives outlined in the strategic plan and annual report will begin to yield a notable shift in results.
Correspondingly, remember that results are purely performance measurements. They are the output of inputs and not the sole focus. Instead, keep an eye on achieving desired results by focusing on what you can control: your efforts, intentions, performance, and attitude. Be strategic in your approach to avoid getting hung up on the results. If results are positive, take a moment to reflect on what went well and how your team can improve upon them to achieve even greater outcomes in the future.
If the results did not meet expectations, examine what went wrong. Identify areas for improvement and reflect on what factors may have been overlooked or hindering positive outcomes. Apply these insights as a strategic tool by learning and leading from failures to turn around for success.
In this era of rapid change and constant innovation, the role of security executives has never been more critical. From workplace violence and cyber threats to recruitment risks and insider threats, today’s security challenges are vast and varied. However, by embracing change and utilizing effective change management techniques tailored for security professionals, SSEs can navigate these challenges and elevate functional positioning. As we look to the future, the role of security executives will continue to evolve, and those who embrace change and adapt to new ways of working will be best positioned to succeed.
Ter Govang, CPP, CCMP, is an ASIS Certified Protection Professional, ACMP Certified Change Management Professional, and ISC2-certified in cybersecurity. She owns Portcullis Modern Inc., an advisory firm specializing in management consulting for security professionals.
