From CSO to SSE: Expanding Leadership Roles in Security

The publication of the ASIS Senior Security Executive (SSE) Standard represents an extraordinary step forward for ASIS International from a strategic point of view. It integrates the enterprise security risk management (ESRM) concept as a critical part of the security function. The use of the SSE term also opens the scope to many other senior security professionals beyond strictly those with a chief security officer (CSO) title, which may be a smaller pool of people than it initially appeared. This represents a career and learning opportunity for a wider range of security professionals.

The statement of the limited number of CSOs may sound subjective. To confirm it, we can use the 2022 report from the ASIS Foundation, The State of Security Management. Of the 545 professionals who completed the survey, only 34 percent belonged to the C-suite level, 19 percent defined themselves as senior security executives, 13 percent were regional security executives, 21 percent were mid-level security managers, and 13 percent were classified on another level. It could be interpreted that the new SSE concept would accommodate more than 66 percent of the sample or even higher.

The publication of the CSO Guideline in 2004—followed by the publication of the CSO Standard in 2008 and again in 2013—can be considered a turning point in the corporate security profession. First, it elevated CSOs to the strategic level of organizations—the maximum echelon of the chain of command, up to the C-suite. This group of very selective senior directors is very much focused on strategy, operations, sales, finances (profit and loss and balance sheets, investments, ROI, etc.), and investors—all matters not particularly related to the regular working environments in the armed forces, intelligence services, and law enforcement, which are traditional career origins for many security professionals.

Second, it identified the CSO as a potential manager of a series of different activities linked to risk, and not only security risks.

Finally, it summarized in a table with high added value the three fundamental elements of the CSO’s position: the functions or areas of risk, the processes in which it participates, and above all the competencies and characteristics of executive leader necessary to perform this function. These core competencies included organizational agility, customer focus, problem solving, decision quality, managerial courage, political savvy or dealing with ambiguity, and motivating others. Few were related to traditional security-related capacities.

At the time, the preponderance of soft skills over hard skills was surprising, and the guidance emphasized the importance of business acumen as a nuclear element of that role. This is understandable considering that higher-level positions require greater interpersonal and fewer technical skills, requiring the executive to know the fundamental subjects of a senior manager: finance, strategy, negotiation, and leadership. And this is not the first time that business acumen came out as a key area of learning for these CSO and now SSEs.

In 1995, Ira Sommerson, CPP, wrote in his article “The Next Generation” for Security Management magazine: “…Today’s security executives must expand their educational and management skills to prepare for other staff management functions.” In addition, he wrote, “Security management as a curriculum must be taught as part of a business programs.”

In 2006 the think tank Demos published a report, The Business of Resilience: Corporate security for the 21st century, that stated that the security business has gone from protecting companies from risks, to being the new source of competitive advantage. The executive summary included two noteworthy statements. First, "this requires security departments to work through trusted social networks, which places more emphasis on people, management, and soft skills than security expertise." Second, “security departments have abandoned old assumptions about where their power and legitimacy come from. Their position is not based on what makes them different, their content knowledge, but on business acumen, people skills, management skills, and communications expertise.”

I have experienced the need for that business acumen firsthand. In 1993, I was appointed regional security and risk manager for southern and eastern Europe of a global freight carrier, and I was tapped to join a management committee (a kind of C-suite) consisting of five senior executives: the regional vice president, financial director, operations director, sales and marketing director, and myself.

During our first two-day meeting, 95 percent of the matters discussed and reviewed were about business. I just had 15 minutes to present the risk and security management strategy, but they actively requested my participation, opinion, and feedback in the rest of the matters. I still remember my last conversation with the regional vice president during my annual appraisal; he told me: “No one doubts your security matter expertise, but you will never access the top levels until you show your business acumen capabilities.” I came back to Madrid afterward determined to attend an executive MBA program, which I did during the next 12 months.

What has happened in the three decades since? The definition of a position this concrete and defined quickly led to a learning opportunity related to business acumen and other related soft skills that are now part of the training baseline of any senior executive: leadership, communication, financial knowledge, conflict resolution, negotiation, strategy, change management, innovation, and creativity, among others.

At the same time security professionals identified three strategic areas of development that remain. First, security leaders need to obtain competencies on IT—at least enough to understand the extraordinary effect it has on businesses. This is yet an unachieved goal; the ASIS Foundation report The State of Security Convergence shows evidence of this.

Second, being part of the C-suite or at least directly reporting to someone in it is the best way to be part of the organization’s strategies and align them with corresponding security strategies. Third, security leaders must strive to make corporate security be seen as an investment instead than a luxury and a cost center. All three of these elements require a strong executive education and enterprise focus.

The SSE standard defines multiple essential competencies, including:

• Be a security matter expert. This includes expertise in physical security, personnel security, information asset protection, investigations, loss prevention, and other areas.
• Cultivate business acumen, including a solid understanding of business strategy, markets, financial matters, production methods, and distribution.
• Foster leadership skills, including strategic thinking, effective communication, integrity accountability, influence, delegation, decision making, ability, and motivating others.
• Boost emotional intelligence through self-awareness, self-regulation, motivation, empathy, and social skills.

The last three are hardly security-specific and largely match skills required of any senior executive today. Why should they be different? Remember that the hard skills will open the door for an interview, the soft skills will earn you the position.

The main and most urgent training need for SSEs is executive education programs that combine the last three competencies, which are the ones that will allow SSEs to get to know their organizations from a pure business perspective, participate in the strategy design of their organizations, integrate into that knowledge the specific security strategy, speak the same language, and transform the corporate security function from a cost center to a value-add.

During the hiring process, it is very difficult for most organizations to assess security professionals’ technical capabilities. Hiring managers take security professionals’ backgrounds—often with law enforcement or military experience—as a reference. They are often unaware of the need for a transition period between public and private security, nor of the need for additional technical training. They are often incapable of evaluating specific elements in depth or recognizing what certifications such as the Certified Protection Professional (CPP) signify. It is surprising how many security departments are still isolated cells within their organizations today.

However, these same organizations can identify and recognize a series of skills and competencies directly related to management. Security leaders’ skill sets need to meet those requirements as well.

More than 70 years ago, ASIS International formalized the foundation of the corporate security profession, and now it may have found the right tool to reach and consolidate itself at the highest level of organizations. The security function is undergoing an evolution—today’s threats come from many different sources, and their variety and severity have rocketed risk management to become one of the basic pillars of organizational strategy.

There is a new competency model: shifting from guardian to business manager, from protecting business to a source of competitive advantage—showing security is part of a company’s overall growth effort. The old 3G (guns, guards, and gates) concept should go, leaving space for this new model where the SSE must be an architect of ideas, project manager, innovator, survivor, and manager of funds and resources.

Even though the road is anything but easy, the path for SSEs to step forward is clearer than ever before.

Juan Munoz, CPP, MBA, has been an ASIS International member since 1990, and he has more than 40 years of experience in corporate security, crisis and risk management, and business intelligence. He has occupied senior positions on the three sides of the function triangle: services provider (nine years), client (15 years), and consultant (16 years). Munoz had operated in more than 40 countries on four continents. Moreover, he has served as the director of the ASIS/IE Effective Management for Security Professionals program since 2015.