The International Security Conference & Exposition (ISC West) held at the Sands Convention Center in Las Vegas on April 9 to 12, was bigger than ever with a 10.2 percent attendance increase and an expanded show floor that welcomed roughly 180 new exhibitors. There were plenty of new buzzwords traveling the show floor: mobility, 4K, cloud, and more. But one overwhelming trend was the aspiration of attendees to learn from vendors and peers in order to meet the challenges of the years to come as technology and a recovering economy promise to change the security industry.
Preparation was the main theme of ISC West’s State of the Industry keynote, as panelists offered insights and opinions on risk mitigation, security’s place in the business process and preparing the next generation of security industry leaders.
Moderator Bob Hayes of the Security Executive Council led the hour-long discussion that focused on the Security 2020 leadership movement — a highly collaborative, cross-functional enterprise risk management strategy.
One of the biggest challenges security practitioners face today is the “prove your worth” mindset many executives have toward facing security and risk management, Hayes said.
“Management expects security to run as a business and think strategically at the director level,” he said. And proving oneself is about more than just looking at the most recent financial report, said Francis D’Addario of Strategic Influence and Innovation. We’re not looking at quarterly earnings, but what can we do to help the next generation year-over-year. If we’re not, we’re missing the point,” he said.
Phil Aronson of Aronson Security Group said that’s something his organization and others have been working to achieve for several years.
“Ten years ago, we identified that security needed to do that, and people looked at us like, ‘You’re crazy,’” he said. “It’s not unusual anymore. Security needs to be at the table and needs to be strategic.”
The best way to earn a seat at the table? Get yourself some first-hand experience in the business, said Timothy Rigg of Duke Energy, adding that his own endeavor turned out to be a very valuable 18 months. “There’s a greater expectation now for security leaders to know the business they’re supporting,” he said.
That experience is helpful in designing solutions that address clients’ needs, which in turn demonstrates that value to the business, Aronson added.
With that seat at the table comes the responsibility to understand who, exactly, owns risk. The answer, Rigg said, is simple: “The business. They have the exposure, the decision and the authority, and frankly, somebody in the organization has the ability to decide the level of risk,” he said. “There can be a disparity between what I see as a risk and what their priorities are. So at the end of the day, they own it. We can’t sign checks from a security and risk mitigation perspective, but they can.”
That raises the question of how much risk is acceptable to the business because, if we’re being honest, it’s impossible to mitigate 100 percent of risk, D’Addario said. “Security is no Nirvana. We’re always going to be assailable by dedicated assailants who have the resources and the ingenuity, so you have to address that,” he said.
Once a particular risk has passed, don’t be afraid to talk about it with management. Dwelling solely on successes doesn’t do anyone any favors said Jeffrey Woodard from Global Real Estate Group. “It’s important to provide the honest feedback that’s crucial to success, but also any failures because failures contribute to organizational learning,” he said.
In terms of preparing the next generation of leaders, education will play a major role not only in preparing and defining those leaders, but in how security is perceived within an organization. That education, however, doesn’t necessarily need to be security-specific, Rigg said.
“If you’re going to get advanced degree, get a business degree,” he added. “If you can’t speak the language of business executives, you’re already set up for failure in the long run.”
Aronson agreed that formal education will be a big factor, but that there still has to be more to it than that.
“Collective knowledge and collaboration, that’s where it starts through organizations like this [ISC West], organizations like ASIS, and we have great conversation events,” he said. “There are also going to be more schools, universities and masters programs around security and risk. We’re also going to see more MBAs as security people because they have to run security as a business. But the biggest thing is collective knowledge.”
Emerging factors like IP, IT and a drive to create a broader middle class around the world are going to drive companies into broader emerging markets, where they may face more risk than they do today, which makes preparation — sooner, rather than later — crucial, Rigg said.
“How do we prepare for that today? If we wait until 2020, we’re too late,” he said. “People expect us to bring the risks to them and tell them how we’re going to mitigate them. That strategy starts today because proactive, strategic security is the way of the future.”