For Effective Governance, Start with Why
This is the second in a four-part series on security governance. Read the first installment, “Setting the Bar for Strong Governance in Security Management,” here.
In his landmark TED Talk in 2009, author and inspirational speaker Simon Sinek introduced the world to Start with Why, a premise that people don’t buy what you do; they buy why you do it. As of this writing, it is the third most watched TED Talk of all time. His book of the same title has sold millions of copies.
In both, Sinek says that every single person and organization on the planet knows what they do, some know how they do it, but few know why they do what they do. By “why,” he asks: What’s your purpose? What’s your cause? What’s your belief? Why should anyone care? Why does your team, group, or organization exist? Sinek argues that we go from the clearest thing (what we do) to the fuzziest thing (why we do it). In contrast, inspired leaders and organizations—regardless of their size or their industry—all think, act, and communicate from the inside out.
As physical security risk managers, we tend to be very clear as to what we do on a daily basis—we safeguard people, property, processes, and information. Most of us know how we do it—we implement pragmatic, risk-driven, high-value controls to mitigate near miss and loss events. But when was the last time you asked yourself why you do it?
It’s a simple question, isn’t it? So simple, perhaps, that you’ve never taken the time to ask it. If you’re struggling to answer this, it should then come as no surprise that your peers and senior leaders may have the same questions of you, your department, and its position within your organization.
Several years ago while meeting with a regional business leader I was challenged when he asked, “Once we have our security standards and governance program developed, why do we need you or your department?” I was both stunned and a little humiliated. If his objective was to provoke emotion and to revel my discomfort, he almost succeeded. But in a rare display of wisdom and candor, I replied, “One could ask the same about your legal, HR, or finance departments. There are plenty of options for outsourcing those responsibilities, yet you don’t. Why? Because nothing beats a trusted in-house advisor with skin in the game who is invested in and understands the organization, the strategy, the product, and the people.” He seemed satisfied with the answer, and I managed to avoid walking into a minefield.
This should not have been an issue for him to raise nor a challenge for me to answer. If he was genuine in his curiosity—and it wasn’t just a cheap thrill to see how I tap-danced—there was a gap I needed to address. I needed to make it abundantly clear why our department needed to exist.
“The corporate security graveyard is littered with the corpses of failed security programs in which roles weren’t defined, terminology wasn’t established, and methods for measuring success weren’t disclosed,” says Ray O’Hara, CPP, former president of ASIS International. “If we don’t define this early, clearly, and often, we’ll be misunderstood at best and dismissed at worst. Alignment with your internal customers is critical for success.”
The most foundational governance products every department should first establish are program standards. This is the “why” document. At a high level, it establishes credibility and trust and answers the questions: “Why do we need a security department within our organization,” “What are our responsibilities,” and “How do we intend to achieve success?” It’s an impactful document that establishes your jurisdiction and tells the organization what they can expect from you.
What might a department standard look like? This is by no means a comprehensive listing, but your why might be codified within the following elements:
- A high-level leadership statement outlining the importance of the security program and your security governance products. It tells a casual reader why the department exists and what the organization can expect from you.
- Application of the document. Explain where within the organizational ecosystem this document applies, doesn’t apply, or may be in conflict with other governance products. It also describes the process for determining what to do if other guidance is in conflict.
- Terminology defining titles of the members in the department and regularly used industry terms.
- What are the roles, responsibilities, and members of the members of the department?
- How is your department structured?
- Who is responsible for similar functions like cybersecurity, safety, and/or risk management? Chances are it’s not your department, so make it clear early on because it might be one of the first questions of a casual reader.
Security Standards Management
- Who is responsible for writing and updating your standards and procedures?
- How often are these governance products updated?
- How and when are your governance products distributed?
- Are your governance products intended to be global? If so, what are the expectations of regional, area, and site teams? What are the limitations of these products?
- What are departmental responsibilities for major categories like design reviews, training, executive protection, investigations, audits, technical security, crisis management, workplace violence, and special events?
- Are there other documents which support these? If so, what are they and where can they be found?
- Risk drives programming, so tell the audience how you determine risk for your sites. Is it an amalgamation of various sources? Is there a risk registry? If so, where can it be found? How often is it reviewed? Who does it?
- Risk is dynamic. What’s expected when risk temporarily elevates? How is this determination made? Who determines a return to normal operating posture?
- Despite our best efforts, there will always be residual risk. What might that be?
Facility/Area/Regional Security Standards
- What are the responsibilities of your regional, area, and site security teams? Outline who is responsible for and what is the expected conduct for investigations, special events, transportation, training, drones, medical emergencies, law enforcement requests, visitors, persons of interest, cargo inspections, moving violations, parking, courtesy escorts, lost and found, cash handling, key control, lighting, glazing, barriers, firearms and weapons, personal protection and court orders, media requests, duress alarms, workplace violence, video management and access control systems, and alarm monitoring.
- What are expectations for reporting of security incidents? How is this done? Who does it?
- How are records maintained and personally identifiable information protected?
Facility/Area/Regional Security Department Staffing
- How is it determined?
- What are the minimum qualifications of team members and/or leadership?
- How are background checks conducted?
- How is training conducted? Who does it?
- How is performance evaluated?
- What is the authority of your team members?
- What equipment is required and prohibited of your team members? Who provides and evaluates it?
Operational Procedures and Technical Standards
- Who is responsible for establishing and maintaining them at the corporate, regional, area, and site levels? How often are they reviewed?
- What are they based upon? How are they benchmarked?
- How are they enforced?
- What are they and why do you need them? How are they conducted? Who is responsible for conducting them?
- How does your audit program complement and compare with other types of audits (e.g., internal, external, regulatory, and special purpose audits)?
- What determines failure or success and what can be expected for each?
- How are audit results reviewed and reported?
- What does a mature program look like? What is the end state?
- What are the categories in your evolutionary continuum? What does it mean to be at risk, foundational, performing, or excelling?
It’s critical to take a collaborative approach when creating program standards, so enlisting the support from colleagues in departments like legal, HR, cybersecurity, risk management, and safety will aid in buy-in and deconfliction, and you might be able to even borrow similar style, terminology, and processes from them. After all, few of us can claim our standards, procedures and governance products are truly proprietary. They are usually blends of other products from various organizations which can apply best for our industry, organization, location, and culture. Consult codified standards from organizations like ISO, ANSI, NIST, and ASIS. Benchmark drafts with peer organizations.
Further, you will likely be sharing risk with various departments, so it’s critical to understand existing jurisdictions. Finally, to have any status, this document should be reviewed and approved by senior leadership. There will be challenges to your authority and you will need support to defend against this.
This sounds like a lot to consider, but remember, this is not a prescriptive “how-to” manual. Those are your security procedures, a separate governance product. This is a high-level manifesto of sorts which is intended to tell the world of your organization’s purpose—your why—and it should be written such that non-security colleagues and the lowest common elements within your organization can understand it. I’ve found department standards can be adequately communicated in 100 pages or less.
Once you have established why you need a security department within your organization, the next logical question is “How should your associates carry out their responsibilities?” This tactical and operational product will likely be the most consulted governance document within your arsenal, and the establishment and contents of this are the subject of the next article in this series.
But first, start with why.
Erik Antons, CPP, PSP, is the chief security officer of Whirlpool Corporation, where he leads the physical security risk and crisis management programs for the $22.3 billion enterprise of more than 77,000 employees across 170 countries. Previously, he was vice president and CSO of Hyatt Hotels Corporation and the manager of international security and executive services with Sempra Energy. Antons began his security management career as a special agent with the Diplomatic Security Service with the U.S. Department of State, where he safeguarded the people, property, and information of Americans overseas, often in critical-threat environments.
The comments and views expressed in this article are the author’s alone and may not reflect those of his employer.