Riding the Fence Line

» add a comment

August 01, 2005 — CSO — When an enterprise undertakes a broad strategic transformation, it also ushers in an interval of maximum distraction. The CEO and relevant functional leadershipwhether whipped along by consultants or proceeding under their own steamwill be focused single-mindedly on bringing about change. In any organization so preoccupied, security and other day-to-day issues can be pushed further down the priority stack than in more stable times; such a transformation is thus an occasion when CSOs need to fight more resourcefully to be included in the process.

This is on my mind because my company is now in the midst of a healthy reconsideration of its business model, something that goes beyond mere tinkering. And I can see how focused we all are right now on the future's various exhilarating possibilities. It would be easy for seemingly less important matters to get away from us. Fortunately, our CSO, Bob Hayes, is a member of the executive committee and would not allow us to forget to include his perspective. But I imagine that quite a few businesses are not so well advised. How foresightfully do they bake security into proposed new business initiatives? Do they involve the CSO in relevant strategic discussions? Do they factor in the possible harmful consequences of the change process itself on the enterprise risk profile?

I put these questions to Dick Lefler, an expert on security's place in organizational dynamics. Lefler (a recipient of a 2005 CSO Compass Award) spent 16 years at American Express, including 12 as the head of worldwide security.

In his view, any business change that entails "downsizing of employee workforces, material union involvement or the possibility of production disruption" would require senior management to include security leadership in the change process. The same would hold true if the change involves moving into foreign countries for new markets, outsourced services or manufacturing.

But Lefler believes that in cases where the transformation centers on the development of new products and services or on brand-enhancement initiatives, security management is seldom consulted "absent a 'near-death' corporate risk experience." If that's the political reality where you work, he proposes a couple of creative options that stand a fair chance of bridging the inclusion gap.

The Outrider Option: The wise security manager, Lefler says, recognizes that "major strategic business change will result in most if not all of senior management losing focus on continuing business issues in order to concentrate on the CEO's major goals of change. (Makes sense, since that is where the bonus money is!)" To compensate, "the security manager then 'rides the fence line' to ensure that existing enterprise functions do not begin to unravel."