Guidelines for large organisations looking to build out an in-house corporate security function

Advice and tips for Business Leaders and Decision Makers looking to get a return on their investment.

This article is mostly aimed at large organisations or companies that have undergone a significant increase in growth over a relatively short period of time. This may be due to a dramatic increase in sales or a series of acquisitions, or perhaps you're lining up for one large business takeover. It could be that the value of your company’s assets has only just started to sink in due to this expansion, which has brought about a very sensible and logical decision to invest in the security of your business, ultimately to help ensure your bottom line is protected. Or it could be that the decision to invest has come about in response to a security-related incident or breach that has affected your business operation and demonstrated certain security gaps and weaknesses across the board, which, unfortunately, is more often the case in my experience.

Whichever it is, you should follow this instinct and take responsibility to protect your assets and bottom line with a long-term outlook. However, as with all (good) business investments, we should know what we’re getting for our money and whether we’re getting the best bang for our buck. When planning to establish a security function, it’s a case of putting in place the right resource, structure and strategy required to make the final product a success in terms of adding real business value. I have come across several organisations that have wanted to create a security standard of some sort but have often jumped the gun without knowing what that standard should look like and what it will take to get there. Most of them were unfamiliar with the concept of Security Risk Management and the different ways in which it could enhance a business operation.

You can always find a great SME and get him or her on board for the right salary, but if that person has no direction, doesn’t manage a security budget or can’t authorise one, or, more to the point, can’t make senior-level decisions, then realistically how much of an impact will that person make? Without board-level access, most of their time will most likely be spent trying to convince senior management to invest in security, which, ironically, is most likely what the company intended to do in the first place. More often than not, this person ends up running around aimlessly trying to create awareness about security risks, while being available to respond to any escalated security incidents. That, however, is not going to demonstrate the true value of a security (risk management) function.

First, before anything else, ask yourself this question: what do you want to get out of your security investment? To answer it, you may need to hire an experienced security consultant (initially) to assist with a strategic, company-wide threat and vulnerability assessment. This should provide the information required to make a well-informed decision on what type and level of protection the business needs, and to better understand the long-term costs involved. But whatever you do, don’t turn it into a tick-box exercise. This may seem like a lot of legwork, but it’s all about being realistic regarding the resources you need to properly protect your assets along with the growth and reputation of your business. You can end up wasting a lot more time and money by getting this initial judgement wrong.

If it is recommended that you hire a Security Manager, Head of Security or Security Director etc., then the next critically important step is to decide where this person is best placed to sit within the structure of your organisation, as this could make a great deal of difference to the level of influence and impact the security function will have on your business. For example, I have seen security managers report into HR, Operations and Facilities. However, this cross-functional reporting option can result in the security function being misplaced and downgraded in terms of business priority, which can often weaken the strength of its influence on the organisation. Let’s put it this way: what is the highest priority of an Operations Director? Well, that would be Operations, of course. The same can be said for other functions that possess tunnel vision.

This is where it’s possible for security to get lost in the mix and be seen as an add-on support function, making the function itself appear less important and, in many cases, ineffective when trying to promote security practices. Security has always been a difficult one to place within organisations, but when you decide on the structure and reporting line of your security function, look at your leadership team and review whose remit and values are most closely linked to those of the Security Lead. Most importantly, make sure that this person has a security risk appetite and understands the importance of security risk management. This kind of setup will help ensure that the Security Lead is listened to and heard, and that his or her team’s support and expertise is demonstrated at all levels by receiving the necessary leadership backing.

Once the management structure is formed, it’s then a case not of creating a security strategy yourself, but of having a broader idea of the expected long-term results for the type of strategy that is to be put in place by the Security Lead. After all, what’s the point of establishing a new business function if you don’t know what you want from it and, ultimately, why it’s been created in the first place? This goes back to my original question towards the beginning of this article: what do you want to get out of your security investment? Not only do you want to know what you’re going to get for your money in the long run, but you also want to be able to give the Security Lead a sense of direction, so that he or she will know what is expected from the business to help support and inform their strategy from day one. In terms of the kind of (short- and long-term) results you can expect, the business benefits on offer are endless, especially when you’ve got the right people and teams in place. Hiring from the right pool of talent, people who possess all-round leadership qualities and a good degree of business acumen, is also key to improving your chances of getting greater results.

Good security risk management can be achieved by changing the mindset of a company to effectively manage evolving operational risks in accordance with wider business objectives. That’s easier said than done, of course, but it can be done, and done successfully, with the right resource, structure and strategy, backed by strong leadership support. One of the main things to remember is that security is a team effort and it requires everyone to pitch in. But without an impactful security function, it would be extremely difficult to provide the business with the right kind of influence, direction and focus to get people thinking more about security, including business leaders and department managers, who should be expected to ensure security practices are being followed throughout the business areas for which they are responsible.

The leadership attitude towards security can contribute to a positive change in culture throughout your organisation, allowing your security to go a lot further than ever imagined, which in turn will help protect your bottom line and reduce the exponential risk of loss to your growing business operation. As with any investment, when it’s well thought through, it can get you great results!

Mark B.

Senior Manager, Physical Security UK/IRE/POL

1 year

Great article. Security is definitely a mind-set/culture and really has to enable the core business function, not hinder. Thanks for sharing.
