Sharing security in Calgary
By Neil Sutton
By Neil Sutton
Security leaders and their departments are often tasked with rigorous self-examination. Their purpose may be clear, but the means may not. They may have to evolve over time to expand or refine their mandate, add new goals and objectives, or adopt a model (or models) that embraces action over reaction, collaboration over isolation.
Culture change within the security department and its relationship to the larger organization it may serve, was one of the central themes explored during a recent Security Executive Council summit, held this May in Calgary, Alta.
The two-day leadership forum, “Next Generation Security Leader: Driving Current and Future Corporate and Municipal All-hazard Resilience,” featured seminars and panel discussions from the City of Calgary’s security leadership team, as well as municipal security practitioners from across Canada and the U.S., security leaders in private industry and the SEC’s own faculty members. The event’s objective, according to the organizers, was to bring together practitioners from both countries, CSOs and CISOs alike, to share proven practices to make communities and companies more resilient.
“Security is no longer a solo play, it’s a team sport,” said Bob Hayes, managing director, SEC, setting the tone for the conference.
“You have to work with all the other groups in the organization,” added Hayes. “Whether it’s a standards driven or risk driven strategy, if your security program doesn’t match the culture, it’s not going to work.”
Culture change was a central concern for Tony Strickland, head of enterprise security, for therapeutics company CSL Behring, which operates in 35 different countries. Strickland, the first dedicated security leader for the organization, said his team conducted a gap assessment in 2017 to gain a better understanding of where the security department sits in relation to CSL as a whole, and also what the rest of the business expects from his department.
The initial results were concerning. “We were very, very low on the maturity model,” said Strickland. On a scale of 1-5, the blended average of returned scores was 0.8. An immediate turnaround was necessary and the security department actively leaned on other areas of the business to narrow that gap. “That collaboration was critical,” he said. “Those individuals knew they were heard and had a say in things. We got a tremendous amount of traction out of that.”
Making those connections was “huge,” he added. “It really helps us drive culture.” He urged attendees to always stay connected with other departments and strive to answer their questions. “It’s a really strong way for us to create a collaborative environment.”
Every dog has his day
When Tim McCreight, manager of corporate security, cyber, City of Calgary, adopted a rescue dog who had been mistreated, he knew he had his work cut out to win back the animal’s trust. His solution? Become a dog. Relate in a different way and challenge his own perspectives.
McCreight, a speaker at the Calgary conference and a long-time contributor to Canadian Security magazine (read his regular column on p.12 of this issue), said he has adopted this change principal in his own work.
“It’s made me realize that throughout our entire careers, if we don’t want to change, we don’t want to adapt, we don’t want to change for the structure and the business that we help to protect, we’re going to fail,” he opined.
A crucial adaptation is to reframe the security department as a business, with business objectives in mind.
“If we don’t start taking a look at ourselves as business owners, we are going to be losing a lot of what I call credence inside the organization,” he said.
“Everything we do as security professionals is to support and enable the business. We don’t run it — it’s not our job. Our job is to support the business by identifying what are the risks against the major objectives, what can we provide for suggestions to remediate and what’s the business going to do to decide.”
One of the most difficult aspects is letting someone else make the decision to accept the risk. But this is central to the security role, said McCreight. “I’m not the CEO. What I am is a trusted advisor… But the business has to decide. And then you have to let them. One of the things we have to do as security professionals is to take our ego out of it. Sometimes business is going to do risky things. We have to let them.”
That last part was the “hardest lesson” he added. Echoing Hayes’ and Strickland’s learned wisdom about the dangers of isolation, McCreight stressed the importance of continuous improvement and communication. “The organization needs to know what we’re going through.”
This is not the military
The final presenter on a three-part panel, Terri Govang, director of technology, Western Canada, at WSP, said, as a consultant, she leans on her previous experience to get the message of culture as an enabler of change across. As such, security cannot operate in a vacuum.
“We have to remember, we’re not a militant culture,” she said. “As security professionals, we can’t just identify risk, put a 10-page report on the table and say, ‘This is how it is.’ It doesn’t work like that.”
Govang pointed to cybersecurity as a natural ally within the organization; she suggested that physical security departments reach out to their digital counterparts to identify common opportunities to help one another. She also said it’s important to talk to sales and marketing departments on a regular basis. Why? Because they can help turn security into a profit centre.
While change is vital, expect some resistance, said Govang. Change can inspire feelings of loss of control. No one likes to be surprised, she said, and successful people may be highly resistant. After all, if they have achieved success with their current methods, why mess with a good thing? “We have to understand what the resistance is and then work through it,” she said. “Some people change when they see the light, others when they feel the heat.”
Another piece of advice from Govang: “Don’t launch and leave.” Management has already had time to become acclimated to change since they are the decision-makers. They have to extend the same courtesy to their employees. “We have to give them a moment to catch up.”
This story was featured in the Summer 2019 edition of Canadian Security magazine.