William Phillips, VP and chief security and safety officer, CNA Insurance

The 2011 CSO Compass Award winners discuss prioritizing investments, learning lessons the hard way, and much more.

As the seventh-largest commercial insurer and 13th-largest property and casualty insurer, CNA provides insurance to more than one million businesses and professionals around the world. As vice president and chief security and safety officer at CNA, William Phillips is entrusted with ensuring the security and safety of CNA employees, facilities and assets, as well as with enabling business continuity and emergency planning. Phillips has a proven track record in national and international corporate risk management, having testified before Congress on safety issues and regulations, served on several American Society of Mechanical Engineers standard-setting committees, and given presentations at ASIS International conferences. He is active in the Security Executive Council, and has also been elected a fellow and has served as a national president of the American Society of Safety Engineers.

CSO: What is one of the most rewarding decisions of your career?

Phillips: That has to be our global approach to facility security. We analyzed where we were with our baseline security six years ago, and we took the position that we wanted systems and processes that were very flexible and that could grow, move and change with the corporation, without having to incur new capital or substantial expenditures. We chose a network-based system and IP-based video. The entire system operates over our network, and we’ve been able to integrate and address a number of changing risks and threats using technology coupled with effective security processes. As it turned out, this decision put us years ahead and continues to demonstrate its value to the organization.
What are three fail-proof principles of security leadership?

First, have an in-depth understanding of the business you’re a part of. My business is not security, it’s financial-risk-transfer insurance products. Second, align and integrate the security strategy with the business strategy and processes. The more integrated the security processes, the more readily they will be accepted and acted upon by business units. Third, position yourself to be recognized as part of the business leadership, no matter what your level. You have to work from the position that you are part of the group and not a totally separate entity.

What has been the biggest change to the CSO role in the past few years?

The role has become less about investigations and reaction, and is now much more proactive. We’re focused on what can help identify and eliminate or control risks and threats, and if something does happen, minimizing its impact. The security role is now more open to different skill sets and educational and work backgrounds. The position doesn’t necessarily require law-enforcement training—while that can certainly be helpful, it’s more about being able to identify and evaluate indicators of situations that may change or arise. We need to be in front of where the organization is going if we are to be truly successful in advising and protecting.

What will be the next big topic in the security field?

How we identify, evaluate and control the various risks associated with expanding our business partnerships and the increased use of managed and outsourced services. That’s already here, obviously, but it’s still expanding and becoming more complex as it grows.

If a CSO could get budget approval for one security investment, what should it be?
Without a doubt, impeccable intelligence information and data. That might be social and political, much like what has occurred and is occurring in the Middle East, or environmental, as with water resources in some areas, or economic failings.

When it comes to business stakeholders, what is their most dangerous misunderstanding about security?

That security is an achievable state. We may reach an acceptable balance of risk and controls at a given point in time, but threats continue to evolve, the nature of risks changes, and the business climate changes. As business decisions change and evolve to meet new challenges, security has to mirror that process.