Illustration by iStock; Security Management 

How to Analyze Your Business

American business magnate John D. Rockefeller once said, “If you want to succeed, you should strike out on new paths, rather than travel the worn paths or accepted success.” This quote is apt guidance for chief security officers (CSOs) and aspiring security leaders seeking to understand how to analyze the business—the second element of the ASIS International CSO Center’s Development Pyramid.

Analyzing the business is an extremely important concept for seasoned and aspiring CSOs because aligning the security department’s mission with the organization’s mission, vision, and values statement is crucial. Often CSOs come into their role due to a need, whether to fix a department or in the hope that they will provide new and refreshing insight into the program. In order to grow and build value for the security department, it is imperative to understand the language of the business you are in or moving into. Understanding the vision and direction of the organization will help CSOs sell security in the language and context that organizational leaders understand. This is often needed when wanting to blaze new trails and try new strategies.

To effectively connect with leaders, you truly need to know the business itself as well as the state of your security department to develop the path forward, increasing security’s efficiency and impact.

One of the hardest concepts I struggled with as a new CSO and now as a deputy CSO was how to quickly analyze a business prior to stepping into a role. When I started my new deputy role, I realized how quickly my vice president was able to assess the security department and culture during his interview process. His recent replacement was able to do the same. It allowed them to develop a quick outline of their first six months and start to enact change within their first 90 days.

I quickly realized how important this skill was not only for longevity in the role, but also to set oneself up for success prior to officially starting in the position. Coming from a role where I had long-term institutional knowledge as a CSO, I never truly appreciated this art.

This method of quickly and effectively familiarizing yourself with an organization and your place in it is an essential strategy for security leaders. It helps you quickly identify needs, tie efforts into a broader organizational strategy, and understand how to manage change—including the temptation to change too much at once.

Analysis and Change

There are some key principles for CSOs to be aware of while they analyze the organization. Each leader will have their own thoughts on what the priority ones are. The three main ones that stick out to me are: use an assessment to develop a security roadmap to sell to the C-suite as well as your team members; get buy-in for that vision on both sides of the reporting structure to move the dial in the right direction for the program; and help set realistic goals and measures.

Change takes time; don’t try to tackle every problem or need all at once. As Michael Watkins suggests in his book The First 90 Days, find small easy wins to start with. That will demonstrate the value and impact the larger changes can have, and it sets your colleagues up with a purpose and sense of accomplishment.

Learn the language of the business. How do organizational leaders measure the return on investment (ROI) of a project? Are they more concerned about the financial picture or the ideal of staff’s physical and mental security? Each business and C-suite varies in how it responds to certain messaging styles. Identifying that early will help you achieve approval of your plan. I urge CSOs to use the CSO Center's library of resources (available to CSO Center members through ASIS Connects) if they are not strong in this concept and determine what strategies and principles they should follow.

Pitfalls to Avoid

The process won’t always be easy; challenges may arise along the way. One of the top challenges when analyzing the business is trying to change too much too quickly. At times when the culture or department is operating at a lower level, the urge is to fix everything all at once or to oversell your change ideas to the C-suite. To guard against this, develop a good change management strategy and identify which changes are most important to make immediately and which can be pushed down the line. Managing expectations both up and down the chain of command is crucial.

Well-established departments pose challenges as well, so CSOs need to continually analyze the business and the direction it is heading so they can align the department’s security posture to meet the organization’s needs. Often, we get static in our jobs when things are running smoothly, and we forget to look ahead to what the future entails. It is also hard to introduce change into that environment, so a good change management plan is essential.

Measuring the success of your analysis can be difficult. What you choose to change will determine how you measure it. If you have set smart goals with measurable outcomes, then key performance indicators (KPIs) and metrics will be invaluable in determining how well you are doing. Other indicators that are harder to measure but show a positive response to your plan include C-suite engagement and staff feedback on how impactful your department is. If you have set your roadmap correctly, you will see both tangible and intangible results.

We always say in security that KPIs can be difficult because if we do our jobs correctly there is nothing to measure. Selling the success in the terms your business can understand is pivotal to the continued success of your roadmap.

CSOs who are not strong in this concept can find some great resources in the CSO Center library. There are links to various books, as well as some great webinars that refer to different aspects of this topic that range from ROI to talking the language of the business. There are also tools and strategies available—such as strength, weakness, opportunities, and threats (SWOT) analysis—to help you frame your decisions. 


Adam Smith, CPP, CHPA, is director of security operations for UCHealth in Aurora, Colorado. In this role, he works with both contractors and hospital-based security staff, systemwide, to ensure the safety of patients, visitors, staff, and providers. Smith is responsible for day-to-day security operations, as well as developing and deploying educational sessions for UCHealth staff and for the physical security operations of the system. Before joining UCHealth, Smith was employed with SSM Health for more than 10 years. He has a Masters of Criminal Justice Administration from the University of Wisconsin Platteville and maintains certifications from ASIS International as a Certified Protection Professional (CPP) and from the International Association of Hospital Safety and Security (IAHSS) as a Certified Healthcare Protection Administrator (CHPA).