Restructuring Security: Here We Go Again

Throughout the years, the diverse corporate security function at my company has been parsed, consolidated, amalgamated, reengineered, insourced, outsourced, downsized, right-sized, started, invigorated, celebrated, berated, molded, melded, digitized and formalized. And, by all accounts, we’re ready to do it again. It now seems that the CEO wants to consolidate the governance, IT, risk management and other functions to narrow the span of his direct reports.

We’re now under an executive vice president of the new business services group. This guy is an egocentric, highly placed idiot. Don’t get me wrong—he’s no dummy. He is obviously tight with the CEO. He’s a retired Army Reserve Colonel who has been here since the doors first opened. He prides himself on having always managed functions on the profit side of the business. In fact, he brags loudly that he knows more about leadership in general than anybody else in the company. But I’ve heard he’s a reengineering freak and uses it to zero-base everything. His MO has been to use a certain outside consultant as his smiling assassin.

Our first few meetings are mostly pleasantries and the usual probes one should expect from a new boss. He claims to be a supporter of security and says he has heard good things about my team. But I’m not persuaded he’s on our side. “It should be interesting being over here on the cost side,” he says, his voice dripping with irony. Interesting for whom, I wonder?

Reengineering never comes up during our initial meetings. “Just keep on doing the great job you folks are doing,” he promises, “and we’ll be in good shape.”

I’ve put my heart and soul into building this security organization, and now I have to wonder if my future is on the line here. I think it is.

At our first staff meeting a couple of weeks later, things seem very relaxed and even collegial. I know his other directs really well and have regular interaction with most of them. Our fearless leader announces that the CEO is really cranked up about “all this Enron and Sarbanes-Oxley crap.” And he’s made it his goal to get the Board of Directors to calm down and the governance team to “stay in neutral.” At this point, he hits the intercom and has a guest join our meeting.

Hey kids, say hello to the Guru of Reengineering. He’s the smiling one in the clown suit over there.

In the first few minutes, I deduce he is a graduate of some late-in-life business school epiphany. However, I can’t get past the fact that he’s wearing a couple of past meals on his tie and lapels. According to him, all business processes can be boiled down to a transactional time-logging system that will enable us to “systematically cut out the fat that so easily creeps into our daily routine.” He’s assembling a team to “work with us” on the process reviews. My radar is working overtime, but I smile and nod so much that every muscle from my shoulders up is frozen for a half hour after his self-satisfied exit.

I’m feeling abnormally pessimistic about the absurd lack of substantive leadership we are receiving from Colonel Cretin on virtually everything. Several of his former subordinates have told me that almost everything he did in past lives has been undone by those who followed. He plays favorites to the hilt and hasn’t a clue about issues such as diversity and respectful workplace etiquette. He openly bad-mouths his peers and seems particularly intrigued by the who, what and how of our internal investigations. Comparing notes with my Internal Audit friend, we both conclude that this guy won’t be satisfied until he has scalps hanging from his office door. One of my most senior investigators reminds me that a few years ago we were instrumental in the investigation of one of our new leader’s most-valued whiz kids for serious Internet time and content abuse. That couldn’t affect our leader’s perception of the security team, could it?

Then, the “team” descends. No one on it knows how to spell security yet they want to “help” us redefine our jobs so we can more productively perform our tasks. They believe if you’ve seen one business process you’ve seen ’em all. It’s simply a matter of documenting each one and then applying a value proposition to each. A couple of months later we are into business process documentation up to our eyeballs. Nearly a quarter of our resources are involved in documenting what we do on an hourly basis. I direct my people to also log the time devoted to reengineering. A silly voice in my head advises me that this will be a good statistic to throw at the jury before they are sent out to consider our fate.

As time goes by, I’m getting even more negative about this process and the absurd lack of substantive leadership we are receiving from Colonel Cretin. For the senior executive leading all of the governance functions in this global enterprise, he’s totally disengaged in the substance of our collective work and seemingly possessed by this reengineering business. It’s a sorry day when you reach the point of really disrespecting your boss.

Our meetings increasingly focus on why there is a central security function “when it’s just good management to hold individual business units accountable for all that stuff.” My pulse quickens and I explain that there is value in independence of governance functions. I ask if he truly believes that individual managers will reliably oversee their operations for integrity. “What would it look like if every manager established and maintained his own set of internal controls?” I ask. “Isn’t that what we’ve seen with Enron, Adelphia, and a number of other companies out of control?” As a last-gasp effort, I point out that he now owns all of the business functions that are supposed to be able to detect and alert the company to things that go bump in the night.

No answer. Philosophically, we are night and day. (I’m day, by the way.)

Several months into our “relationship” comes my annual performance review. I do OK but I’m struck by one of my leader’s admonitions: “You are too close to your people.” Rather than thanking him for the compliment, I only nod, waiting for the other shoe to drop. “You need to have the guts to pull the trigger when it’s time.” I’ve been around the block enough times to get the drift of this exchange.

And at this point there isn’t a damn thing I can share with any of my staff. They can’t know my concerns, and I conclude that I have to keep a positive face on the process and its outcome. Except, underneath it all, I struggle because this, after all, is the security organization. My team gets paid to know what’s going on. Nevertheless, I wear a smile for my own protection as well as the morale of my team.

Other biweekly management treats are supplied by quality time with the Smiling Assassin. Over the months we have filled several huge, three-ring binders with internal customer interview notes, time studies, cost-benefit analyses and benchmarking results. We are now focusing on some conclusions. “Your organization has incredible customer-satisfaction scores given the negative business you are in,” he says. I respond with my own curt negative: “We weren’t aware we were in a negative business. We’ve obviously lost our way because our customers seem to feel we are adding value to their operations.” He looks hurt.

While I’m focused on a particularly colorful stain on his shirt, out comes his real agenda. “We’re about to start our annual business planning cycle, and the boss wants each of his directs to build a financial plan around a 30 percent reduction in headcount. Every function that can be outsourced for financial advantage should be.” He lives for these moments of drama.

I don’t miss a beat. “So, let me get this straight: Through this internal review process we’ve documented several new or expanded services the business wants from us, business is strong and growing, you’ve seen the new threats in our technical and business conduct areas, we’re expanding into high-risk markets, and you want me to gut the program?”

That is what this whole damn thing was about. It wasn’t a process to uncover opportunities for improvement. It was a cover for our leader’s simple-minded, cost-cutting agenda.

Somewhere in my heart, I know I can’t work for this man. But neither can I walk away from my team, most of whom I’ve personally hired over the past decade. Am I confirming the perception that I’m too close to my people?

In the months that follow, the Colonel plays out his strategy; several of his directs (my peers) are handed either pink slips or packages, and I attend more bitter “retirement” parties than I can stand. His collective organizations go into two separate reductions-in-force characterized by selections for the door. They are stopped at the 11th hour by a human resources department concerned about gender and age discrimination. Much of the outsourcing results in the arrival of people who have zero loyalty to our company and who individually cost more per hour than those they replaced.

I know from insiders that I will survive this bloodshed, but I’m tired as hell of fending off this playground bully.

When the smoke clears, the deed is done. About 20 percent of my team is history, most having found better employment elsewhere. Colonel Cretin has just announced his own retirement to someplace warm with plenty of golf courses. The Assassin takes a letter from the Colonel to an old Army buddy at one of the Big Four and is making enough money to buy stainproof suits.

And me? Due to customer demand, I’m in the process of bringing back most of the things the dodo undid. And I have a new boss that seems to get it. I’m hoping he’s someone I can respect and learn from.

Until the next reorganization.