New CSO Challenges: Data, Visibility, Knowledge
As a senior leader steps into a new role in a new organization, they will ask themselves a few common questions: Where should I invest resources? What should I improve now, and what can wait? Chief Security Officers are no different. Their decisions will have a significant impact on the organization’s culture and effectiveness.
New Roles, New Questions
Like risk and compliance, the security function provides a service to the whole business: they empower the business to move faster. They are there to make sure the company achieves its objectives. So, where should the new CSO focus their attention, and which choices will have the most significant impact?
I recently spoke with Jill; a CSO hired to implement a global security function for a multinational. We talked about her role and the challenges she faced stepping into a new organization. Jill and her organization have chosen to remain anonymous, but the issues she experienced are pervasive, and many security leaders face similar problems.
We Only Know What People Happen to Remember
Jill quickly realized that her new company lacked a history of serious incidents, investigations, and other essential data. She told me: “I wanted to assess the security risks at different plants and distribution centers, but the only way to find the history of the site was to ask HR. We only have the data that people can remember.”
The most critical aspect of maintaining data about recent incidents is to make sure everything is clearly and efficiently organized. Jill said that her company “didn’t have an up-to-date database for new and sensitive investigations. There wasn’t a single system for keeping track of how any situation was handled by legal, security, or HR. We had scattered Word documents in different folders, and that’s no way to run things.”
Jill is correct to be concerned. She wants to build a mature security function and help the business achieve its strategic objectives, but she can’t do that without the data. What will drive measurable improvements? Should she implement new cameras or an access control system? Which policies and procedures need her attention? If she doesn’t have the proper data, there’s no way for her to know which of her decisions will have the most significant impact.
What Are You Missing?
Resolver’s Corporate Security software helps collect all of this data and organize it so that Jill and her team have immediate access to the information they need. The information is clear, transparent, and easy to find so that they can make informed decisions. When an organization starts using Resolver, they typically see an increase in the number of incidents in the first year. Why do you think this is? Now that incidents are consistently and efficiently logged, the accurate data is visible for the first time.
Two recent case studies highlight how organizations used Resolver’s incident reporting portal to build a data-driven approach to security and gain full visibility into all security incidents.
Collaboration That Respects Privacy
Jill commented that in order for her team to make the right decisions, she needed context about the individuals involved. She needed to see records of how legal, security, and HR had engaged with that employee in the past. Jill told me that there are “certain things HR doesn’t need to share with me…but knowing that someone had an allegation of sexual harassment is critical when evaluating an incident involving a manager and a female employee in the parking lot”.
Employee information sharing is challenging for multinationals. “We have offices around the world, and the employee behavior and culture at each location can be very different.” Every location has its own norms; for instance, an employee showing up with a gun in their vehicle might be common in some places, less so, or even unheard of in others. The documentation of that event and the response may be quite different depending on the location. The decision of whether to share that data with other teams may also vary.
Jill’s final note on employees was is that it should be easy for people to report incidents, complaints, and risk events without guessing where the reports should go. Everything needs to be efficient, and the chain of information needs to be easy to use for everyone involved.
Making an Impact
I spoke to a colleague, Jack Miller, who works closely with CSOs, VPs, and Directors of Security, and he echoed this concern. “The first two challenges for a security executive looking to build up a mature security function are Policy Writing and Standardization. Policy Writing is mostly about establishing what policies are in place and who they need to work with to get sign-off and enterprise buy-in. Standardization is about the challenge of identifying and bringing together all the various systems and contracts that are in place at each location.” Think back to our new CSO above; each of those global offices is likely to have different guard forces, access control systems, video systems, alarms, and more.
The main challenge for the new security executive, whether they are already a CSO, or trying to grow to that role, is to be able to make an impact in the organization. Their job is to empower the business to move faster by managing security risks. Their job means spending money, often large sums, to protect their people and assets. The hard part of their job is identifying which investments will make the most significant impact and proving it to the rest of the organization with data.