Panelists (left to right) Timothy Rigg of Duke Energy, Phil Aronson of Aronson Security Group, Jeffrey S. Woodward of Global Real Estate Group and Francis D’Addario of Strategic Influence and Innovation joined moderator Bob Hayes of the Security Executive Council for a discussion of risk mitigation, security and leadership at yesterday’s State of the Industry keynote.


Preparation was the main theme of yesterday’s State of the Industry keynote, as panelists offered insights and opinions on risk mitigation, security’s place in the business process and preparing the next generation of security industry leaders.

Moderator Bob Hayes of the Security Executive Council led the hour-long discussion that focused on the Security 2020 leadership movement — a highly collaborative, cross-functional enterprise risk management strategy.

Panelists led off the session discussing what it means — and what it takes — to be a next-generation security leader.

It’s important to note that being part of the next generation of leaders has nothing to do with how many years you have under your belt in the industry, said Jeffrey S. Woodward from Global Real Estate Group.

“Every person, regardless of position or responsibility, has to be a leader,” he said. “You have to act as a leader and have peripheral vision to provide the tools and resources available today.”

Thoroughly exploring trends, issues and technologies is a big part of preparing people for what’s in store, he said.

“You have to continue to think more critically, and continue to question everything,” Woodward said. “Identify root causes and challenge current beliefs and mindsets, including your own, and continue to bring tough issues to the surface, especially if it’s uncomfortable.”

One of the biggest challenges security practitioners face today is the “prove your worth” mindset many executives have toward security and risk management, Hayes said.

“Management expects security to run as a business and think strategically at the director level,” he said. And proving oneself is about more than just looking at the most recent financial report, said Francis D’Addario of Strategic Influence and Innovation. “Management wants a persuasive, proven business case. We take the long view, not the short view. We’re not looking at quarterly earnings, but what can we do to help the next generation year over year. If we’re not, we’re missing the point,” he said.

Phil Aronson of Aronson Security Group said that’s something his organization and others have been working to achieve for several years.

“Ten years ago, we identified that security needed to do that, and people looked at us like, ‘You’re crazy,’” he said. “It’s not unusual anymore. Security needs to be at the table and needs to be strategic.”

The best way to earn a seat at the table? Get yourself some first-hand experience in the business, said Timothy Rigg of Duke Energy, adding that his own endeavor turned out to be a very valuable 18 months.

“There’s a greater expectation now for security leaders to know the business they’re supporting. Spend time in a part of the business that has nothing to do with security,” he said. “When you have that business experience and more business understanding, executives are more willing to let security sit at the table and strategize. The more you know the business, the more you will be able to talk about security in their business.”

That experience is helpful in designing solutions that address clients’ needs, which in turn demonstrates that value to the business, Aronson said.

“Understand the client needs, understand the value to the organization and how security fits within their strategy,” he said. “As a service provider, you’re going to be expected to show how you bring value to the organization.”

With that seat at the table comes the responsibility to understand who, exactly, owns risk. The answer, Rigg said, is simple.

“The business. They have the exposure, the decision and the authority, and frankly, somebody in the organization has the ability to decide the level of risk,” he said. “There can be a disparity between what I see as a risk and what their priorities are. So at the end of the day, they own it. We can’t sign checks from a security and risk mitigation perspective, but they can.”

Naturally, that raises the question of how much risk is acceptable to the business because, if we’re being honest, it’s impossible to mitigate 100 percent of risk, D’Addario said.

“Security is no Nirvana. We’re always going to be assailable by dedicated assailants who have the resources and the ingenuity, so you have to address that,” he said. “There are people who say, ‘That’s not going to happen on my watch,’ but that’s just silly because it’s going to happen.”

His advice? Be transparent and learn from the experience. But most of all, he said, be confident.

“When organizations are tested, investors and stakeholders want to see confidence,” D’Addario said. “An executive has to know that all the risks were considered before, during and after that risk or event, and that the team is on it with all the resources and technology they have, and they have to be updating people throughout the process.”

Once a particular risk has passed, don’t be afraid to talk about it with management. Dwelling solely on successes, Woodward said, doesn’t do anyone any favors.

“It’s important to provide the honest feedback that’s crucial to success, but also any failures because failures contribute to organizational learning,” he said.

In terms of preparing the next generation of leaders, education will play a major role not only in preparing and defining those leaders, but in how security is perceived within an organization. That education, however, doesn’t necessarily need to be security-specific, Rigg said.

“If you’re going to get an advanced degree, get a business degree,” he said. “If you can’t speak the language of business executives, you’re already set up for failure in the long run.”

Aronson agreed that formal education will be a big factor, but that there still has to be more to it than that.

“Collective knowledge and collaboration, that’s where it starts through organizations like this (ISC West), organizations like ASIS, and we have great conversation events,” he said. “There are also going to be more schools, universities and masters programs around security and risk. We’re also going to see more MBAs as security people because they have to run security as a business. But the biggest thing is collective knowledge.”

Emerging factors like IP, IT and a drive to create a broader middle class around the world are going to drive companies into broader emerging markets, where they may face more risk than they do today, which makes preparation — sooner, rather than later — crucial, Rigg said.

“How do we prepare for that today? If we wait until 2020, we’re too late,” he said. “People expect us to bring the risks to them and tell them how we’re going to mitigate them. That strategy starts today because proactive, strategic security is the way of the future.”

Hayes challenged attendees to take advantage of the human resources surrounding them here at ISC West.

“Are you having meaningful conversations with who’s here? There’s a lot of collective knowledge here, so how do we leverage that?”