Ask Heads of Security about the most challenging aspect of their work and they’ll tell you it’s to sell security to their organization and its decision makers. Decades of experience in military or law enforcement may have prepared you to manage a security force, to handle an investigation or tackle an emergency. However, it did not necessarily prepare you for discussions about return on investment (ROI), key performance indicators (KPIs), brand awareness, corporate liability, etc. To be able to handle these types of issues, you must tap into the Security Consultant inside you.
Very often, we are told by Heads of Security that their management “doesn’t get it.” Could it be that management is not “getting it” because the Security Manager is unable to inform or sell to the powers that be? Is there another way to communicate the need for security so it makes sense to the CEO, the CFO and the entire “C” Suite? Security executives tasked with pushing the envelope and improving security for their organizations must learn to convince, inform and sell – traits that are part and parcel of consulting work.
Selling the Idea
Experienced salespeople would tell you that to sell, you must first know what the customer wants. The client may not be interested in the product you are selling, but he may buy if everyone else already has it, or because having it means that he has something no one else does. If you try to sell the product by focusing only on how great the product is, you will likely fail. But if you concentrate on letting the potential buyer know the popularity or exclusivity of the product, you have a good chance of success in selling.
Likewise, in security, explaining to the bean counters the merits of a new counter drone system, an upgraded security management software or the scalability of an upgraded security system might not get you far. A better way would be to illustrate to management how far ahead of the curve the organization would be compared to other organizations. Or, you can point out that we are the very last ones to not have this and therefore need to come up to industry standards.
A Security Manager’s ability to convince management to act is contingent on his capacity to grasp what people on the other side of the conference room table really want. To do that, you cannot just think outside the box, you must also be able to evaluate the box from the outside. The executive must be able to carefully study his organization (“the box”) in which his recommended security measures would be implemented. He needs to understand the organizational culture and determine decision makers’ motives and their perspective on security, threats, and risks.
As the security manager assesses his organization, he may find that some decision makers have had little experience with crime and therefore do not see the need for security. Indeed, some of them draw a direct line between security and a “police state.” The very notion of a need for security scares them. Others may see security as a cost with absolutely no return on investment and therefore a waste of corporate resources.
A security professional may find these attitudes irresponsible and at times even demoralizing. Facing the enormous hurdle of trying to convince people holding this perspective, one can easily give up and conclude, “unfortunately it will take a major incident for this organization to change” (a phrase we hear often from the Security Managers with whom we work).
An experienced security consultant would quickly try to discern if the arguments against security measures stem from a lack of knowledge or are the result of ulterior motives. There are those who resist new security initiatives because they don’t see them as bolstering their own corporate position or because they cannot take credit for coming up with the idea themselves. These people are relatively easy to convince, as their motive – despite being self-serving – can be easily leveraged.
The more difficult audience to convince are those whose dissent stems from a lack of knowledge or experience or world view. With these audiences, a consultant has to use communication, coaching and teaching skills to bring them around.
Identify the Knowledge Gap
Consultants know that there’s a range of attitudes about potential threats. The ideas go from imagining a Hollywood blockbuster style epic attack to the stance that there is no threat at all. Therefore, one initial step is to identify that attitude and understand the perspective. Ask what they think the issues are. In other words, conduct a knowledge gap analysis. Those answers will help you know what training or coaching needs to be done in your organization.
Demystify the Threat
Often there is a fair amount of emotion around the subject of security.
While fears can be leveraged in some cases to secure more security budget, obviously fear can’t be the primary motivator. A clear headed, realistic approach is crucial to good security. A consultant would break down the problems, explaining them in a way that makes sense. And one of the best ways to do that is to put the client in the adversary’s shoes. Seeing the secured environment from the enemy’s point of view allows for two important things. The first is a clear understanding of the actual, realistic threats. The second is an understanding of the operational limitations and challenges facing the enemy. These are the foundation of the security mission and all related protocols and procedures.
Many clients we meet have issues with deploying armed security officers because of liability and political concerns. They anticipate backlash. We ask: how do you feel about U.S. Secret Service agents being armed, are they okay? Yes, that’s fine. So, from that question we learn that it’s not so much about the gun, it’s about the guy. A very well trained armed professional does not evoke the same concerns. Understanding this mindset helps us remove the emotion from the equation, demystify the threat and propose the best possible solutions.
Learn to Teach
Think about some of the teachers you had in school. There were those who were obviously smart and knew their subject well but just couldn’t deliver the message. They were knowledgeable but not good at conveying information or instilling enthusiasm.
It is so important to educate your boss, your team and your clients. Among other things, it assures that more people are on the same page. To this end, metaphors are a great tool. They are valuable for explaining a security situation in a way that everyone can accept. For example, when we introduce red teaming, we point out that IT departments regularly do adversarial penetration testing. That’s an operational security function with which people are already familiar. Security red teaming is no different. Likewise, in manufacturing, Quality Assurance is a common (hopefully) and necessary mechanism to make sure that processes and product are correct. Likewise, we explain, security also deserves to be tested for quality assurance.
Teaching about adversaries helps the threat be understood. What is the level of adversary being defended against? Are they defending against common opportunistic criminals or state sponsored terrorism? Because in the case of the latter, insider threat would be amongst the top concerns. Once a consulting client is educated to understand the threat, they are in a better position to understand what solutions should be aligned against it. The same approach works for security executives in any organization.
Challenging the Top Brass
The most constraining decision making process is one where decisions are made by committee or, God forbid, by consensus. Security is a strategic decision or at least, it should be. Strategy is most easily set by the head of a given company or agency. He or she sets the mission statement. From there, setting expectations is so much easier. This is why when we conduct a Threat, Risk and Vulnerability Assessment (TRV) or other consulting job, our very first meeting is with the head honchos. Your job as a security manager is to inform management so that they can make informed strategic decisions on risk. That risk decision in turn informs the budget that is allocated to mitigate that risk.
As consultants, in that first meeting, we challenge the top brass with making a critical risk decision about security and the organization. We ask: what is the adversary that this organization is trying to protect against? Is it a spy working for a foreign government? Is it a local, neighborhood thief? A terrorist? An insider? Naturally the resources and security structure would be completely different if you are protecting against a threat from run-of-the-mill criminals versus a state-sponsored terrorist/spy. These decisions that a consultant requests in the beginning of an assessment are the kind of decisions that a security manager must likewise request. If not, you are setting yourself up for failure.
One thing to avoid is blame. We hear a lot of this: the CEO is to blame for a situation, regulations are to blame, the budget committee is to blame, and so on. What a consultant tries to do is figure out a solution despite the challenges and blocks. The blame game is a cement wall to be avoided at all costs.
Be a Chameleon
You have to fit in. The organization is not going to change to fit you or your department. The solutions you learned in the military and law enforcement or in other organizations do not necessarily work and will almost always not work because of budget, legal issues, liability, or organizational culture (marketability). You may find an organization that is very opposed to the idea of armed security, or is even legally prohibited from using armed security. You must find a way to use available resources (unarmed security) in the most efficient way possible to reduce the need for armed response. I’ve seen many heads of security who resigned because management did not let them arm the officers. Rigidity does not work. Better to be flexible. A consultant is hired to find innovative solutions in the face of limited resources. We have had clients who say it’s against our culture to close the perimeter with fences and access control. But this doesn’t mean that an open environment cannot be secured; one just needs to use other resources and more manpower.
Do Not Bullshit
A good consultant shoots straight and puts their cards on the table. If you don’t shoot straight, management can smell BS from a mile away. Let management know your vulnerabilities. And the only way to find those vulnerabilities is through an ongoing robust red team program. Management is more afraid of being blindsided by a vulnerability that they didn’t know about than hearing about the vulnerability from you ahead of a potential incident.
So, we recommend that you tap into your inner security consultant. Use education and training, strategic thinking and salesmanship to garner support in your organization and ensure your success and job security.