Whatever the range of security's duties, the department's prime mission always has to align with the company's. That means being a trusted partner.
"We get brought into the planning process to figure out what's the best way to go forward with any new service or new product," says Kettler, and security is asked to assist in the due diligence to determine whether a new location is a good place to buy or build a facility. The bottom line is that "we are part of the equation," he says.
The company's attitude toward security may be due in large part to Kettler's attitude toward the company. Though he has been in the security field for 41 years, working his way up from an entry-level security officer position, and earning a bachelor's and master's degree in criminal justice, he says that he thinks of himself as an automobile executive who does security.
"It's more important to understand the business than to be a standalone security person and be recognized that way in the business," he says.
Avaya's Allison concurs, noting that her department's biggest challenge is "to stay completely aligned with the business."
That business mind-set is another key component of a model CSO as envisioned by the ASIS guidelines. And it is an ongoing challenge to translate that into concrete actions, because business objectives, like security situations, are constantly in flux.
For example, explains Allison, "we've just acquired three companies, the largest one of them being 5,000 people over in Germany. So we'll have to deal with all the physical security issues of those sites. But we will also have to deal with issues such as: Is this a new technology we've brought in? What are its security requirements? How does that fit in with the company?"
Being aligned with the business also means being aware of the financial impact. "I make a strong business case for everything I do," says Quilter.
At GM, says Kettler, the security department follows the same process as other business units to streamline operations. They call it value-stream mapping or determining what is really needed to run and protect an operation. "That doesn't mean skimping on it," he says. "It just means taking waste out."
Alignment also means taking more of a risk-management approach, analyzing the company's specific situation to make sure that security resources are cost-effectively deployed. "CSOs are getting much better at risk-management concepts of prioritizing and allocating budgets to where it really protects the assets of the corporation," says Walker.
Being aligned with the business does not, however, mean kowtowing to executives when it comes to important security precautions. And that can mean taking some heat.
"Of course, everybody will try to second-guess you," says Allison. She gives one example related to the 2004 Summer Olympics in Greece.
Given the level of concern about a terrorist attack at the time, her department recommended that the CEO not go, and he agreed. Afterwards, when nothing happened, he expressed regrets about having missed a fun event.
"I said it was great on TV, but what I was able to do through the State Department's Overseas Security Advisory Council was to show him some of the things that they weren't showing on TV where they had issues with hooligans in the Olympic village, fire bombings, and IED incendiary devices," Allison says.
She stood by her recommendation, and the CEO was satisfied. You have to have that rapport with the CEO, says Allison, and "you have to know when to go up there; you have to know when to call your shots."
Ultimately, the successful CSO must adroitly combine being a good business partner with being an independent voice capable of telling executives what they do not want to hear. That takes more than a solid knowledge base.
"Leadership includes taking risk," says Quilter. "If you don't have that level of confidence in your own ability, you need to be a manager.... If you are going to lead, know that there's risk there."