​In this current era of enterprise security risk management (ESRM), there are no shortages of risks to contend with. Most surveys of the top global business risks identify several that are security-related, including terrorism, cyberthreats, pandemics, national disasters, water security, and government instability or collapse. 

But as ominous a backdrop as these risks may provide, they have not changed one of the fundamental realities of business: all functions within a company compete for a finite set of resources, and senior executives will fund those that are most likely to help fuel growth. 

Given this reality, the problem for support functions like security is that, certain exceptions aside, they are not seen as revenue generators. As a result, the security department must prove that its efforts are strategically aligned with the objectives of the company, and that they are part of the company's overall growth effort. This demands strategic leadership from the security manager.  

And such strategic leadership goes beyond being the subject matter expert on all things security. It is not simply about possessing the right kind of knowledge. It is, instead, about being someone able to make that knowledge relevant to, and an integral part of, the company's business goals. 

To succeed in this effort, security professionals must fully understand the myriad ways security affects the larger company. With that knowledge in mind, they must focus on creating relationships inside and outside the organization that will enable the security function to produce results valued by the company.

Delivering these valued results often requires the need to think and work differently–that is, to think and work strategically. It demands that security professionals become strategic leaders.

This article will focus on the need for strategic leadership by security professionals and what that leadership requires–namely, an alignment between the security function and the company's business goals that is only achievable through the effective execution of strategies. It does this by first explaining the concept of strategy, and then offering several examples of strategic leadership to demonstrate how it plays out in the real world of security.​

Vision and Execution

The concept of strategy emerged more than 2,500 years ago in ancient Greece with a one-dimensional perspective that focused on how generals waged war. Under this concept, a general is responsible for multiple units, on multiple fronts, in multiple battles, over various spans of time. The general's challenge is to provide the vision and preparation for orchestrating the subsequent comprehensive actions.

The general's strategy, then, consists of an integrated set of choices designed to achieve specific goals. But it is important to remember that strategy is not an accurate term for every important choice that the general faces.

This is where organizations fail in the business world. Many executives have begun calling everything they do strategic. Too often, strategy becomes a catchall term, used to mean whatever the executive wants it to mean.

And all too often, the result is that the organization undertakes a collection of business activities that create confusion and undermine credibility because they are not strategically aligned. Sometimes these executives confuse actions or tactics—which are the means by which strategies are executed—with strategies themselves. They are then left to wonder why they failed to achieve their desired goals.

Strategy addresses how the business intends to engage its environment in pursuit of its desired goals. Without strategy, time and resources will be wasted on piecemeal, disparate activities. Sometimes, managers will fill the void with their own (often parochial) interpretation of what the business should be doing. The result is usually unsuccessful initiatives that are incomplete, disjointed, and confusing. 

Strategic leadership rises above this confusion. But it does not come easy. Studies show that fewer than one in 10 leaders exhibit strategic skills, a woefully inadequate number.

It would be a mistake to believe that strategic leadership is only needed in times of crisis. During the good times, strategic leadership is just as important as during the bad times, because it ensures valuable resources are focused on the right areas and in the right ways.

At its essence, strategic leadership is the ability to learn, anticipate, challenge, interpret, decide, and align organizational capabilities and competing interests in ways that effectively engage the everyday opportunities and problems presented by the competitive environment. It is the ability to translate vision into reality by seeing the bigger picture and longer time horizons, then creating the strategies necessary to achieve goals that deliver valued results.

Here are five real world examples to illustrate strategic leadership. The first is relatively simple and straightforward, to ease into the concept. The next four are more involved and complex. ​

Honing a Process

A global security company once had a system for suggestions that required employees to fill out a four-page form each time they had an idea they wished to submit for consideration.

While the form was lengthy, executives believed the information it solicited was valuable and worth requesting. In a period of four years, 2,500 employees submitted 252 ideas for consideration, or about 63 ideas per year.

A lower-level manager in one business unit, who found the process frustratingly inefficient, successfully engaged the organization to change it. This manager realized that the information submitted on the four-page form had value to company leaders. But he also knew that if the submission process were made easier, the organization would ultimately receive more ideas, and it would benefit greatly from their implementation.

The manager's suggested changes were made. Today, anyone at the company can submit a description of an idea for improvement via email, instead of a four-page form. Moreover, rather than waiting for a time-consuming process to unfold, the submitter is allowed to act upon the idea if there is no response by management within 30 days.

Under the streamlined submission process, employees sent in more than 6,000 ideas for improvement within the first year. When some of these were implemented, organizational performance was enhanced and operating costs reduced.

This is a textbook example of an individual who looks at the bigger picture, and sees an opportunity to change a process that would lead to a positive outcome. This is strategic leadership.

Advancing on Many Fronts

A security executive sought an opportunity to show that security was aligned with his company's transformational efforts in ways that would help produce clear and valuable results.

To do that, the security executive engaged in a brainstorming session with his staff, eventually arriving at a consensus decision to improve the company's access control systems.

 The executive knew this was no small undertaking. However, to have the desired outcome he needed buy-in from employees involved in a range of functions that were both inside and outside the business. 

He began the process by meeting with people. He met with the finance department to work through the numbers and arrive at a reasonable capital expenditure budget. He met with legal to identify any liability issues that might arise from the new system. He met with human resources to develop a training program in support of the effort. He also held a joint meeting with human resources, operations, and legal to create a new policy to ensure that there would be progressive discipline for any violations.

 He then met with outside suppliers to engage in an open bidding process and ensure the effective delivery of the approved products. He also met with his company's business development group to ensure that the systems would be installed during site redevelopment to enable the costs to be capitalized, and thereby reduce the overall financial impact on the company. Finally, he met with senior management and presented the strategic plan. It was approved.

What this security executive's experience shows is that the security function must position the business to succeed in a larger sense, through the involvement of the many, not the few. He realized that the new access control system would result in threat reduction combined with increased security visibility, while controlling costs.

To achieve that positive outcome, the security executive showed an ability to think, act, and influence others in strategic ways. Like the military general cited earlier, he designed a plan of integrated actions, working on several fronts—budgetary, legal, employee training, and logistics—and, in so doing, demonstrated strategic leadership.

Imitation is Not Strategic

When given the same challenges to improve security, managers may take actions that are not always strategic.

For example, in an effort to improve security, a manager undertook a formal benchmarking process. In his benchmarking effort, the manager compared the overall security at his company to that of another well-known company, one with a long-standing, well-respected, and well-funded security department. 

Since this second company was a competitor within the same business industry, a benchmarking comparison seemed apt, and so the manager expected the findings to be relevant to improving security. Flush with information and data, the security manager met with senior management and, in a highly professional set of Powerpoint slides, presented the logic for his budgetary request. 

Now if we stop there, we might expect that the security manager met with success. After all, it is a common practice in business to identify processes and practices used by other successful firms to understand and recommend competitive positioning. One reason this approach is well regarded in business is that it can be efficient—it can help managers make effective choices by avoiding approaches already judged to be failures by other companies. 

But contrary to expectation, the security manager's proposal was rejected.

Although the analysis was logical and the findings sound, the competitor's values, culture, and operational capabilities were drastically different from the manager's company. Senior leaders realized that, although something worked at a competing company, it would likely not work in their company, given the operational differences guided by their company's strategies, core values, and organizational culture. These are important differences because they determine how a company chooses to grow through its current or desired product and geographic markets. Unlike a larger company with greater financial and operational capabilities, a smaller business is often less willing or able to fund new ventures.

So to imitate another company, particularly an industry leader, is to chase a moving target that captures what was effectively yesterday's success. As mentioned above, identifying practices used by other successful firms can be valuable as a means of understanding competitors. But merely copying other firms, even those of industry leaders, is not strategic. Where a benchmarking effort becomes strategic, however, is when it seeks an adapted approach tailored to the individual needs of the organization. ​

A Piece of the Puzzle

Those in security who come from law enforcement, the military, or government service should recognize that the strategic role they are expected to play will be different from the one they previously fulfilled. 

As one security executive once said, things improved when she recognized that success in government life did not necessarily translate into success in a business setting, because business offers fundamentally different challenges.

In her new business setting, this executive's credibility came by demonstrating an ability to think and act strategically. This occurred early in her transition, when she was asked to help provide input toward improving the background screening process for new hires. This seemingly small-scale involvement actually had the potential for a large-scale impact across the business.

From her experience in government service, she knew the importance of hiring well, and how it provides longer-term employees who, over time, possess greater institutional knowledge. Consequently, rather than merely offering a single bit of input, she asked for and was given a place on the working group that was developing a better background screening process.

In this role, she helped develop a screening process that produced strategic and valued results by minimizing turnover, reducing overall costs, and limiting liability exposure.

With what appeared to be a small involvement in process improvement, this security executive helped deliver a larger benefit to the company. In so doing, she also created relationships that enabled security to meet other challenges that delivered value to the company. Without fanfare and without question, she was a strategic leader. ​

Adjusting to Realities

A senior security manager had overseen the growth of his firm's security function from humble beginnings. Once part of a small cadre of people responsible for investigations at a company aspiring to get bigger, he had seen the company grow through acquisitions into a business powerhouse. His responsibilities as a security manager grew accordingly.

As the company opened more offices and plant locations throughout the country, the manager's budget and capital expenditures increased dramatically, in keeping with the need to secure the growing number of sites, assets, and employees.

However, a companywide satisfaction survey revealed that employees believed the security department was impersonal, bureaucratic, and unresponsive to employee needs. In turn, employees treated security procedures as mere suggestions.

Based on these findings, the security manager sought to determine the source of the dissatisfaction. He completed a strategic review of the security function, including a small but significant "employee as customer" survey.

What he discovered was surprising: the problem was rooted in the everyday interactions employees had with the security department, specifically the security officers.

This struck at a long-standing concern. Controlling costs was one of the company's competitive strategies, and so the decision had been made to outsource the security guard function. But the security review discovered significant problems with this approach.

Over time, the number of security services firms providing guard services had grown. The company continually sought the lowest-priced local provider, but managing this operation became more and more problematic.

Hiring and retaining quality officers was particularly difficult; many were poorly paid and inadequately trained, and they felt disenfranchised from the company they served. This all contributed to a costly turnover cycle.

Recognizing an opportunity for positive change, the security manager recommended to his company that they forgo the use of contract services and make the security officers full-time company employees. He presented a strong argument, complete with sup­porting data.

Nonetheless, senior management decided that this proposal was counter to the company's cost control strategy. The security manager was told to consider another approach to solve the problem.

Rather than being defeated by this setback, the manager sought approval from senior management to increase the security services budget to obtain better quality services and reduce the confusion that stemmed from juggling multiple contracts.

Senior management agreed to a reasonable increase in the security budget, so the security manager began the improvement process by putting the contract out for bid, seeking a single company capable of providing nationwide service in various settings.

Subsequently, a new security company was awarded the nationwide contract to manage guard services based on a range of factors, including adherence to more professional business attire and a commitment to a process designed to develop and retain effective officers. And the selection of the new services company kept the contract within the budgeted increase provided by senior management.

A few months after the new services firm was in place, the security department conducted a new survey. Employees reported feeling that company security seemed more professional, more respectful of their needs, and more helpful. Gone was the adversarial attitude, replaced by a feeling of business partnership. And the company maintained its desired level of security, as evidenced by fewer security violations and fewer security issues.

At its essence, this story illustrates strategic leadership in action. Despite setbacks, the security manager adapted to the situation and aligned security efforts so that they were consistent with his company's cost containment strategy and business needs, and fulfilled the firm's protection and customer service requirements.

The Future

The only certainty about the future is that it is uncertain, and past success does not guarantee future success. These two maxims, sometimes applied to business in general, certainly apply to the security field.

Some of the factors driving this uncertainty include advances in technology and the quantity of information being produced; shifting customer needs; internal competition within companies for resources; struggles to maintain profitability as the economy changes and evolves; and the new normal of doing more with less for countless business operations, including security.

But we also see markets offering greater opportunities to those able to adapt. The ability to influence others to engage in efforts that enable organizational success, while acknowledging the constraints of time and resources, is at the heart of being strategic. It is why security leaders must prove they are capable strategic leaders.

These leaders recognize situational constraints and adapt to their environment. By necessity and design, they are flexible, and able to adjust their strategies to achieve the stated goals. What they do is measurably tied to goals.

Their attributes go beyond charisma, experience, and expertise. Aspirations are not enough; businesses want to see results. And results, more often than not, take strategic leadership. 

 

Chris Walker, D.B.A. (doctor of business adminstration), is a management development consultant and a longtime member of ASIS International. A former law enforcement officer responsible for high-level financial investigations, Walker served as the head of global security for a multibillion dollar division of a Fortune 50 company. He is former executive professor of strategy for Northeastern University. ​ ​