Demos study finds six ways to identify successful continuity efforts

Christian Beckner is the author of the Homeland Security Watch blog and one of the sharpest fellows in the business. Most recently he was an invited speaker at the Global Security Challenge, one of our own pet endeavors, and it was there that he met Charlie Edwards of the British think-tank Demos. Edwards is the co-author of a Demos report called “The Business of Resilience,” and although we have not read it yet, we think it is well worth sharing Beckner’s analysis. “t’s an excellent treatise on the evolving roles and responsibilities of the security function within the private sector,” Beckner writes. “[co-author Rachel] Briggs and Edwards offer a number of insightful observations regarding why security and resilience should be considered as core strategic imperatives, and what companies can do to align security with core business imperatives.”

The study goes on to identify six characteristics exhibited by successful companies, which we reproduce here as reported by Beckner:

BULLET POINTS

1. They [companies] understand that security is achieved through the everyday actions of employees right across the company. It is not something that the corporate security department can do to or for the company on its behalf and its functional success is therefore dependent on its ability to convince others to work differently. This places emphasis on communication and requires security departments to value the views of non-security professionals just as much as those of the experts.

2. They recognise the limitations of command and control approaches to change management. Behaviour is altered experience. The power of the corporate security function is now directly proportionate to the quality of its relationships, not the depth of its content knowledge.

3. They understand that their role is to help the company to take risks rather than eliminate them, and to have contingencies in place to minimize damage when things go wrong. Risk-taking is essential to successful business and corporate security departments must not behave as security purists whose work detracts from, rather than contributes towards, the company’s goals.

4. They embrace and contribute towards their company’s key business concerns, and as a result are expanding the security portfolio significantly. Corporate security departments now have responsibilities in areas such as corporate governance, information assurance, business continuity, reputation management and crisis management, which is causing many to question the relevance of the term ‘security’ to describe what they do. The term resilience now more accurately reflects the range of their responsibilities.

5. They draw a clear distinction between the strategic and operational aspects of security management, and have created group corporate security departments to lead on strategy, leaving operational work to be carried out by business units. They all have a clear philosophy to guide their approach to security, which provides direction for non-security professionals, makes it easier to communicate across the company, sell itself to the board, and be credible alongside other functions.

6. Finally, and most important symbolically, the corporate security departments that are leading the way have abandoned old assumptions about where their power and legitimacy come from. Their position does not rest on that which makes them different — their content knowledge — but on business acumen, people skills, only by convincing, persuading, influencing and explaining why a new way of working is in each person’s interest. This requires departments to work through trusted social networks, which places greater emphasis on people, management and social skills than security management ability and communication expertise.

-read more in Christian Beckner’s HLS Watch discussion