How to Make Security Less Tactical and More Strategic? Start with a New Description
It is a deceptively simple suggestion: If you want security directors to be seen primarily as strategic business enablers instead of tactical responders and rule monitors, then change the position’s job description.
The suggestion came from Gigi Agassini, CPP, an ad hoc volunteer for a recent ASIS research project on security risk management, when discussing one of the research findings: that 43 percent of respondents said security was viewed by others in their organization as entirely or mostly tactical as opposed to strategic.
“Everything starts with [human resources]; the job description is very tactical,” Agassini says. “Companies hiring someone to lead security are looking for someone who is very tactical.”
“That’s such a good point,” Diana Concannon, PCI, associate provost at Alliant University, says in response. “When I am consulting, I think a lot of the time I’m the one who comes in and provides the strategy and I think that’s because oftentimes they don’t support the in-house team to do it organically.”
The ASIS research report, The Current State of Security Risk Management: Benchmarks and Effectiveness Measures, which was sponsored by LifeRaft, has additional evidence supporting Agassini’s assertion. When asked how much time senior security executives (SSEs) spend on matters of strategic importance as opposed to tactical operations, 32 percent said they spend less than a quarter of their time on strategic issues. However, only 9 percent said that the SSE should spend less than 25 percent of their time on strategic issues, showing a significant disconnect between a real and desired state of security management.
Looking at the full bar chart, the ideal state is for the delta between the actual and ideal states in each category to be within the margin of error. In the study, only the 25 to 50 percent category was. All the other categories show SSEs spending less time on strategic issues than what is ideal.
The reality is that an effective security department is always going to be both tactical and strategic.
“I think it’s a matter of accommodating both and living in both worlds in a way that is very complex,” Concannon says. “At once we’re executing on the tactical needs and constantly being mindful of the strategy, and the strategy evolves as we implement the tactics in a way that is extremely dynamic—more so than other aspects of the business. I would say we are iterative in a way that other strategic elements of a business are a little more static.”
The question then is this: How can organizations alter security job descriptions to make the job more strategic?
ASIS’s Senior Security Executive (SSE) Standard and Enterprise Security Risk Management (ESRM) Guideline are very instructive in answering this question, and fortunately, it’s not enigmatic. Security has been talking about the concepts for years: executive (or soft) skills, business acumen, and risk. Weaving these concepts together into a security director job description is the key to attracting candidates with strategic capability, the kind of person who can, as Concannon says, execute on tactical needs while constantly being mindful of evolving strategies.
It is also instructive to think of Agassini’s idea from a wider HR perspective, not just as a commentary on security job descriptions. After all, for anyone who has been in their position for more than a year, it’s probably been a long time since they read their job description. However, most have some type of formal performance review process at regular intervals. The job description is important for attracting candidates with specific attributes and for setting initial expectations. Agassini notes that performance reviews are the perfect time for security directors to try to establish goals with their HR teams that build a better balance between strategic and tactical.
Showing the importance of executive skills, also known as soft skills, the SSE Standard lists the following “essential SSE competencies” under leadership skills and emotional intelligence: effective communication, integrity, accountability, influence, self-awareness, motivation, empathy, and social skills. It goes on to say SSEs should have the “ability to understand, interpret, analyze, and develop consensus within an organizational climate of diverse operational activities and often-conflicting regulations.”
Security Management has published many articles over the years about honing executive skills. More than five years ago, several security recruiters discussed why executive skills were becoming more and more important in “The Hard Truth About Soft Skills.” In November 2023, Security Management featured a package of articles on the topic, including “Power Skills: The Soft Skills CSOs Cultivate and Use Every Day,” which featured wisdom on the topic from several different CSOs.
“The most important soft skills I’ve found over my career specifically for building and leading teams are emotional intelligence, active listening, and empathy,” Anders Noyes, CPP, head of security for the Honolulu Museum of Art, said in that article. Richard Widup, CPP, president and founder of the Widup Group, LLC, followed up with, “Self-awareness and empathy form the basis of your ability to effectively manage interpersonal relationships and develop a high level of emotional intelligence.”
For Agassini, the most important way to capture executive skills in security job descriptions—and performance evaluations—is to include a heavy dose of “collaboration.”
“To me, the most important thing is how well you engage with others,” she says. “How many of your stakeholders understand the importance of security? Are you able to build allies? Security is really a service provider, and you’re serving internal clients. The rest of the organization, they are your clients. So, you have to have the skills to collaborate with them to understand their needs and their point of view. It’s a critical skill, and one that doesn’t get developed if people think of the security guy as the guy in charge of the CCTV or who manages the contract guards. It has to be much more than that.”
The SSE Standard also leads the way in championing business acumen as a critical success factor for corporate security.
“The SSE should understand how the organization measures success based on its strategy, business objectives, and established metrics,” the standard explained. “The success or failure of the security functions rely, in part, on the SSE’s ability to demonstrate [return on investment] of security in relation to the organization’s bottom line.”
“Security professionals who regularly speak and write in the language and style of the military and law enforcement run the risk of being valued differently from those who have MBAs and can communicate in the language of a modern business executive,” Eugene Ferraro, CPP, PCI, wrote in a 2020 Security Management article, “Leading Through Language and Listening.” “Regardless of the ultimate value of their contributions, if security professionals communicate more like law enforcement officers than business executives, they will eventually be treated as such.”
The standard offers a short list of traditional business values and metrics that have a direct relationship to the services that security provides the organization, including time saved, reduced costs, improved efficiency, reduced labor, reduced losses, lower liability or insurance payments, and greater customer satisfaction.
The real trick—and the real value that security directors need to bring—is to develop an understanding of what factors contribute most to the time saved, reduced costs, improved efficiency, etc., of the organization’s other business units. And this is where having business acumen overlaps with executive skills. Security directors will only acquire such an understanding by collaborating with other business units, and collaboration requires those key executive skills. Finally, the language and practice of risk management is what ties all of it together.
When it comes to how security saves time, reduces costs, and improves efficiency for all other business functions, risk and risk management provide the context that ties the security function to business goals. According to the ESRM Guideline, ESRM “is a strategic approach to security management that ties an organization’s security practice to its overall strategy using globally established and accepted risk management principles.”
One of the real innovations of an ESRM approach is that it calls for security to work with other business units to understand the assets they oversee and the value they represent. Together they assess vulnerabilities those assets have and design security solutions to protect the assets. Crucially, the asset owner—not the security director—is ultimately responsible for the risk management of the asset.
“The security professional’s role is not to own security risk, but to guide asset owners through the security risk management decision-making process,” the guideline said.
“I consult with companies on implementing ESRM, and when I present it to them, it’s like I’m from NASA or something,” Agassini says. “It’s very hard for them to comprehend. So, I invite HR and other departments in. It’s very important for them to be there. They need to hear that the security person is not a policeman… they are an advisor, there to help them achieve their goals.”
Whether using the specific discipline of ESRM or the more broadly understood concept of security risk management, leveraging risk as the context for how security relates to and works with other parts of the business is the most natural way for security to transform from a purely tactical function to one that delivers strategic value.
Scott Briscoe is the content development director for ASIS International. He served as the project lead for the research and was the primary author of the resulting report.