Undercover

To Security Convergence (and Back)

What's the risk of leading a successfully converged organization? That a new CEO will see your department as a dangerously high-profile cost center.

By Anonymous

The moment I realized the extent of the change was when the new CFO was indicating to the chief risk officer that there would be changes in risk management. Once I heard that, I realized that the new leadership really didn't like the transparency we had. Culturally, my security program was the same as the CRO's risk management program. I thought the same way he did. If he was going down, and his program was structured the same as mine, that was bad news.

Sure enough, several changes were announced. An internal non-risk management person was taking over a smaller risk management organization, and I was told that the new leadership wanted to transfer me into the shared service organization. Those groups are usually ones that other business units opt into; like with IT projects, you could go outside into the market, or you could go to the CIO. From a security perspective, though, you can't opt in or out of security. It was pretty clear to me, uh oh, here it comes.

I was still the CSO, and I had my first meeting with the head of shared services. At the end of the conversation, that person basically said, your last day will be X days out. The new CEO's view was that IT security is an IT issue, and physical security is a facilities activity. They said, Let's figure out a conversion plan to integrate those pieces back into the different parts of the organization. To deconverge. I had a director for physical security and a director for information security, and management wanted those people to take demotions. It was very difficult.

The new attitude was, "Why are we hearing about this security problem? Here's an issue that we have to deal with now that it's down on paper."

The security department had incredible executive support before the leadership transition. There had been nothing but accolades. We had done lots of things that had cost savings. We had gone out and nationally competed our guard-force contract and saved more than $1 million a year. We were much leaner and more efficient than many of our peers. We had one training group and a common voice to the employees. We had caught incidents, returned property, recovered dollars and stopped internal fraud. We were out there solving problems, protecting value and getting rid of bad apples.

But under a regime where the leadership doesn't like the transparency of risk, those are all bad things. The CEO doesn't want to hear about a serious fraud, even if you brought the money back and caught everyone involved.
