From Subject Matter Expert to Business Leader: Security Risk Management

Security and risk management is like many other professions such as legal, finance, engineering, construction, medical, etc, whereby you start out as a subject matter expert, practicing your craft but at some point you have to reduce your role of subject matter expert in lieu of that of a business leader, ensuring the business runs continuously and efficiently.

It is therefore no surprise that just like all these other professions, where many subject matter experts think they can set up their own general business or simply assume the role of general management, they fail or deliver sub optimal results. 

I’m often asked by many security professional, especially those that have just left the services, police or government sector

“what security courses should I do”,

to which I reply to the vast majority of them

“you have sufficient security and risk management development and practical experience for now, you need to invest in business courses and experience….this is where you are most deficient”. 

Everyone who has served has sacrificed a portion, or significant portion of their “career” doing something extremely unique and often very “un-business like”, putting them behind their peers who may have entered into university or the commercial sector immediately upon leaving school.

It has been my experience that individuals are not disadvantaged by their service but more so a culture of businesses not taking time/caring to understand why many of those coming out of service life are less developed in some areas but certainly don’t need to start an apprenticeship or traineeship again.

This culture is further reinforced by ex-service men and women that play into this flawed belief and take lesser roles, junior positions or work for less money than their commercial contemporaries. 

It is also a further belief, and in some instances a fact, that many security professionals have given their “best” years in service to their governments, local/national authorities or military.

Alternatively, there are those that have become too “comfortable” in a system that takes a lot of the general administration/management and other responsibilities encountered by commercial managers away from the individual and is serviced by a multitude of roles and departments within the military/police/government.

This is seldom the case in the commercial world, where managers and supervisors have to do a lot of the management and administration themselves.

Some never make the transition or ascension.

I’d recommend every individual who considers themselves a subject matter expert in the realm of security or risk management to attack these perceptions from the outset and don’t let these assumptions impact your capacity or ability to deliver….with the caveat that you can hold your own when it comes to the commercial side of things, which you can learn or be humble enough to study before the inevitable battle requires you to sell yourself. 

In any profession, if you don’t contribute to the growth and profit of the business, you are considered a cost centre.

If each and every year, you seek ever increasing budgets and cite a growing list of challenges to the delivery of your services, you will again be considered a cost centre.

If none of your predictions come true or the business doesn’t suffer a minor or significant loss by not following your advice, the expenditure and budget you once had along with your management standing within the company is at risk.

This has been a growing trend amongst security and risk management professionals post-911 when fear, concern and the potential for losses within the security and risk management space where seemingly apparent to everyone, especially multi-nationals.

The investment in security and associated professionals was at its peak.

The same phenomenon is repeating with cybersecurity.

There are less-and-less executive level security professionals within multi-national companies and even less that are considered as part of the C-suite.

This is due to the fact so many assumed the roles of executive leadership in the early stages but failed to transition from subject matter expert to that of business leader.

They couldn’t defend their profession, they couldn’t defend their tenure and in many cases they couldn’t defend their budgets and departments.

Some have just held on until retirement or until they too are made redundant because they can’t find work anywhere else.

In recent years, one of the first departments to be ‘restructured’ or downsized has been the security or risk management verticals. 

Security and risk management professionals need to demonstrate senior management, leadership qualities and experience in their commercial roles.

Rank and title don’t amount for much if you can’t assist the company in being profitable or as part of their growth.

Subject matter experts need to master and communicate in the language of business as soon as possible….numbers!

Savings, efficiencies, revenues, improvements, reductions and all elements of the business in which you impact should have metrics, numbers and measurement factors.

Peter Drucker may be the father of the statement of “if you can’t measure it, you can’t improve it”, this should be lesson number 1 for subject matter experts.

If you want to sit at the table with the C-suite, numbers needs to be your lingua franca.

If you can demonstrate growth, profitability and other commercial benefits as a direct result of your influence and efforts, even better!

I recommend you never stop learning and enhancing your craft but it will be far more valuable to you, your business and the profession if you demonstrate how effective and successful you have transitioned from subject matter expert to that of business leader.

The second will offer you far more opportunities in the commercial sector and any business leader that can turn around a bad commercial situation, deliver better than average returns and expand the company’s market share will always be in greater demand commercial than that of someone who can recite technical and tabulated data on a piece of equipment or threat.

Remember, hired heads are always more valuable than hired hands. 

Tony Ridley

Enterprise Security Risk Management and Security Science