Home » Security Leadership » Exec. Communication

Ram Charan: The Business of Security

Lynn Mattice, CSO of Boston Scientific, quizzes the man Fortune magazine calls "the most influential business consultant alive" about how security executives can better serve the business

October 11, 2007 — CSO — What happens when you bring together one of the business world's luminaries—Ram Charan, whom Fortune magazine calls "the most influential business consultant alive"—and one of the country's top CSOs, Lynn Mattice of Boston Scientific?

Still a fair amount of disconnect. It turns out that even the most business savvy of CSOs (Mattice won a 2007 CSO Compass award for his work on business alignment) still looks at things on a profoundly different level than a globe-trotting consultant who spends most of his time with CEOs and boards of directors. That much became clear during a ground-breaking teleconference between the two men, moderated by CSO magazine's Sarah D. Scalet.

Mattice, for instance, seemed to take it as a given that information-technology leaders have made their way into the executive suite, serving as something of a role model for security leaders. Charan, on the other hand, cited IT as an example of a function that needs to do a better job of rotating its people into other business areas, to get better business savvy. Likewise, some broad, big-picture initiatives for strategic CSOs—such as the work of the Council on Competitiveness on business resiliency—are not even on Charan's radar.

Nevertheless, the two men found plenty to chew on, as the conversation made its way from how boards of directors view security (peripherally), to how CSOs can evolve (by leaving security behind), to how to implement change (without just latching onto the business fad of the day). Below are excerpts from the call.

Mattice: One of the failures identified in your book Execution resulted from the inability of individuals within an organization to envision where they needed to go. One of the things that security departments have been trying to do is evolve away from the "corporate cop" image. What are the expectations, as you see them, from the executive suite on the corporate security function today?

Charan: The most important part is the expectation about the reputation of the company. How does lack of security help or hurt the reputation of the company? Reputational risk is very important to companies today, so the security people, in addition to compliance, need to consider the appropriate focus on reputation. That should be a part of the annual report to the board on risk: how they are linking with the reputational risk assessment and what they are doing. Very clear, very simple, very direct. That's the key.

Mattice: We've seen other organizations throughout the years evolve and gain a more critical position within corporations, elevating up the levels of corporation to join the executive suite. We have seen this happen with IT, with audit, and in the old days with finance. What are your recommendations on how security leaders should change their focus to be able to move up the ranks?