This page was originally titled “Management Briefings”, and in 2020 was expanded and renamed “The Right Stakeholders.”
At RBCS, we have over two decades of effectiveness in briefing – and helping security practitioners brief – senior management as well as middle management security stakeholders. Topics include updates on risk profiles, strategic security investment, project plans and status, overviews on security programs and on proposed security improvements.
When it comes to influencing the organization’s decisions about security matters, it is important to identify all the right stakeholders – and that goes beyond immediate up-line management, dotted-line reporting, budget committees and procurement.
A lot has been written about “selling security to management.” That perspective includes the idea that management can say Yes or No to the sale. However, what I dislike the most about that concept is that:
- Security is not just a simple yes or no proposition. If needed measures can’t be implemented, other measures must be.
- It’s not possible to sufficiently educate decision-makers in a sales call fashion when security improvements are needed. Their natural sales resistance is fully engaged, and that undermines most attempts at security education during proposal presentation.
- Successful sales approaches are based on personal resonance with the buyer’s own interests and purposes. Security measures are “purchased” for a third party – the organization and its critical functions, people and property. The personal motivation factor is missing.
The mission of security – reducing security risks to acceptable levels, at an acceptable cost – is often compromised because the right approaches to enabling the right stakeholders are not taken.
The Right Stakeholders
It’s important to find “the right stakeholders”, as we define that term. To understand that term – and for any stakeholder to be able to understand whether he or she is (or is not) “the right stakeholder” – requires understanding the first two briefing messages below, which are at the core of security’s mission. These two messages, when fully understood, put security practitioners and stakeholders on the same page about security decisions. Thus, there can be full agreement – for any security strategy, initiative, proposal or project – as to who are “the right stakeholders.”
Your Most Important Briefing
The most important briefing, whether or not you have briefed management before, is to introduce the primary mission of security:
Reduce security risks to acceptable levels, at an acceptable cost
At RBCS we refer to this as “Message #1”.
We consider this statement, which we repeat as often as opportunity permits, “the security mantra”. The more you can say it, the better.
The objectives of this message include:
- Get all security stakeholders using the same starting point in their thinking about security
- Provide management with the right perspective for evaluating security program elements and proposals
- Introduce the idea that security performs “risk reduction” not “risk elimination”
- Establish that security’s baseline thinking is fiscally responsible and takes into account the organization’s cost concerns and resource availability
- Provide immediate justification for collaborating with middle managers and senior executives on risk appetite and cost considerations
Breaking Through Management Overload
The time of middle managers as well as senior executives is precious, as there are more demands on their time each day than they can give to requested meetings.
That’s one reason why how security messaging is provided to managers is critically important.
The most effective way is one message at a time.
We start with the security mantra, and repeat it at every meeting in which security personnel participate. For example:
“As you already know, the primary mission of security is to reduce security risks to acceptable levels, at an acceptable cost. That’s why for this particular initiative we’re considering, we’ll want to assess the security risks, including the risk of ‘doing nothing’ in terms of additional security measures, so that we can provide input as to the costs and efforts that may be appropriate to support this initiative.”
“We need the business stakeholders to weigh in on this, as we don’t want to do more than we need to or less than we should.”
You know you have repeated this message enough when the other meeting participants start finishing the security mantra before you do.
That means you have successfully broken through the overwhelming amount of data that managers and executives have to deal with, and you have firmly established security’s role in the minds of your peers and upper management. By establishing this concept in the minds of middle managers and senior executives, you have taken the first major step in fixing a very common problem: practically no one outside of security has a correct impression of security’s role in the company. The “security mantra” expresses the most fundamental concept of your job and the role of the security function.
Once that concept has “made its impression” in the minds of your managers and executives, they are ready for “Message #2”.
Building on the Foundation
Having firmly established what the primary mission of security is, the next step is to involve management in these risk decisions:
- What level of risk is acceptable?
- What level of cost is acceptable?
These are management decisions
This is “Message #2”. They are management decisions because the assets at risk are not security’s assets — they are corporate assets entrusted to the care of managers at several levels in the organization.
Thus the problems they have are not security’s problems, they are the problems of the business that relate to protecting people, material assets and critical processes.
Your role as a security practitioner is to provide acceptable risk-mitigation measures in the form of people, processes and technology.
You are already doing this, but to obtain the full support of mid-level and senior-level managers, a shift in thinking is required that starts by getting “Message #1” across, followed by “Message #2”.
The Bombshell Insight
In 2004 RBCS collaborated with nearly forty security practitioners and consultants to research security technology and security program projects that were turned down for budgetary reasons – but which the security practitioners thought were critically important to fund. We found 24 security improvement proposals, some for program development, some for additional personnel, and some for technology improvements.
Part one of this research, a close analysis of the decision-making processes for each initiative, revealed these two critical factors regarding the disapproval decisions:
- The decision-makers definitely did have the financial authority to say yes or no to the security expenditures.
- The decision-makers definitely did not have the authority to accept the organizational risks that resulted from disapproving the security initiatives.
Part two of this research included finding the stakeholders who did have the authority to approve the levels of risk resulting from not implementing the security improvements. Finding them, and explaining the risk factors involved, resulted in two critical discoveries:
- 100% of the stakeholders agreed with the security practitioner that the levels of risk from doing nothing were completely unacceptable.
- 100% of the stakeholders with the authority to accept the risks also had the financial authority to mandate that the security expenditures be made. And they did so.
All of the proposed initiatives were fully funded, some within the following two quarters, and some for Q1 of the next fiscal year.
The discussions with the right stakeholders took less than 10% of the effort that was expended previously in working with the wrong stakeholders.
These were earth-shattering results from the perspective of the security practitioners, who were heartily thanked for bringing the matter to the attention of the right stakeholders.
Technically speaking, this was a matter of (a) aligning security with the business and (b) aligning the business with security.
Finding the right stakeholders was the action of aligning security with the business. Effectively delivering Message #1 and Message #2 to the right stakeholders was the action of aligning the business with security.
Simple and powerful – but rarely practiced.
Security Assessment Impact
This is a very important element of security assessments — but rarely (except for RBCS assessments) is right stakeholder identification done for each major risk element found. If you don’t include finding the right stakeholders within the scope of each security assessment, the assessment’s findings and recommendations aren’t fully actionable. As a result, many security improvements are needlessly delayed by several quarters to a year or two, with all of those involved thinking that it’s just “business as usual.” It certainly shouldn’t be!
Over the past decade the term business alignment has been adopted to refer to the process of learning more about the business, and engaging managers and executives in their participatory roles in establishing or improving a sustainable security program. Working with the right stakeholders is the most critical aspect of business alignment.
This is a specialty of RBCS, and we gained our experience over 20 years with management briefings and numerous business alignment initiatives.