Security Leadership: 2007 CSO Compass Awards

This year's CSO Compass Award honorees have achieved alignment of security and business goals, through advocacy, active engagement and, in some cases, a sense of humor.

By Daintry Duffy

March 01, 2007 | CSO

There are many paths to alignment. This year's CSO Compass Award honorees have sought alignment—and found success—through very different means. Their strategies vary from sagely anticipating and preparing for business risks, to humanizing the often austere security function, to advocating metrics and numbers as a common language to bridge the communication gap between business and security leaders. We asked each honoree to share with us his or her thoughts on, experiences with and strategies for achieving alignment.

Metrics Might

George Campbell

Current position: Managing Partner with the Business Security Advisory Group, a consultancy composed of several former CSOs from global corporations.

2002–2003: President of the International Security Management Association

1998–2003: ISMA board of directors

1994–2002: CSO, Fidelity Investments

Despite the strides that security organizations have made post-9/11, George Campbell believes that CSOs can still do a better job of communicating their core value to the business. "When it comes to seeing security as really connected to the brand and a fundamental part of the value equation, the corner office still hasn't crossed that bridge."

But surprisingly, Campbell's remedy doesn't depend on getting more face time with the CEO. In fact, he believes that security executives focus too intently on how they are perceived by the board or the CEO to the detriment of building relationships with the many other constituencies they serve throughout the organization. "Whether it's from the top down or the bottom up, you've got to get in their face and understand their business," says Campbell, who is 64. He exhorts CSOs to engage their business colleagues by saying, "Here are the skills we have; where can we contribute to making you more successful?"

Campbell believes that metrics are fundamental tools for CSOs who want to influence policy, effect change and communicate their value to the organization. He recently wrote "Measures and Metrics in Corporate Security: Communicating Business Value," published by the CSO Executive Council, an affiliate of CSO. In the book, Campbell discusses what data one should track and present, how to present it and to whom. He suggests that CSOs need to develop a three-part "dashboard" of metrics: one section for items like a safe and secure workplace that are seen as the direct responsibility of the security department, another for metrics that are unique to their business constituents and one for metrics that are unique to the organization's success. Some need constant monitoring. Others (like internal misconduct cases) develop trends over time.

Security is often seen as a nebulous function with its own obscure language, so metrics can be a tremendous communication tool for bridging the gap with business. For example, if a CSO can go to a business unit and give them the leading indicators that show that they are heading in a risky direction with the vendors they've selected or the people they are hiring—people are getting into trouble more often, there are more business interruptions, more problems with workplace violence—that is a powerful thing, says Campbell. CSOs need to remember that "we don't secure the company, we are facilitators," says Campbell, "and metrics help us tell a story."
