Companies have long recognized the value of benchmarking performance, IT operations, and numerous other functions of business. However, though businesses often ask for reliable security-related benchmarks, few have been developed, says Kathleen Kotwica, EVP and Chief Knowledge Strategist for the Security Executive Council. "There is no easy way to compare apples to apples in the security world,"she says. "What most businesses want is to benchmark within their industry or sector. A defense company wants to find out how it compares in the defense industry, not necessarily in a field of businesses that includes media companies and retail. The drivers for security in those environments are completely different."

The SLRI’s Corporate Security Organizational Structure, Cost of Services and Staffing Benchmark examines the responsibilities, budgets, and authority of security leaders in a range of organization types. The report breaks down its findings by organization size (number of employees), revenue, scope (from local to international), and in some cases industry, so that it can be used to benchmark against similar organizations.

"This study is unique because we’ve carefully crafted questions to provide data useful for creating a universal benchmark, but that can then be unpacked to build much more detailed comparisons, for example, by organization size or by sector,"says Kotwica.

Among other findings, the benchmark reports that security budgets on average were $249 per organization employee and represented an average 0.07% of revenue. The scope of responsibility for the majority of respondents-all risk management practitioners-spanned multiple countries, and a majority of respondents were within two reporting levels of the senior-most operating executive. Yet 43% of organizations reported that either no risk oversight group exists or that security is not represented in the risk oversight group.

These findings can be used by organizations to analyze internal security operations and services, to help justify budgets and staffing, and to provide supporting data for promotions, expansion of duties, or a broader corporate responsibility. However, the report stops short of analyzing sector-by-sector breakdowns on many topics because more data is needed from several industries in order to provide meaningful results.

"The survey is set up to provide sector-specific data, but the only way we can provide that is if we get more participation,"says Kotwica. "If there are companies out there that want to see this type of data analyzed specifically for their sector, we are encouraging them to contact their industry trade groups or associations and to ask them to partner with us to build participation that will allow us to provide an industry-specific report."

The intent of the SLRI is to continue to gather data for future reports. Future editions should be able to show trend tracking over time.

The Security Executive Council invites security leaders to visit www.securityexecutivecouncil.com to take a free, abbreviated version of the leadership component of its OPaL assessment. This 60-second security leadership insight assessment, available for a limited time, gives security practitioners a glimpse of how they have progressed in security leadership. As of August 20, 386 practitioners have taken the assessment, and most of them have been identified as "in growth mode."

The OPaL assessment is based on more than six years of research and trending on successful corporate security leaders and programs. This research found three main factors that play a role in enhancing or furthering security programs in any organization:

• Organizational readiness
• Program maturity
• Leadership status

Often practitioners move from a company where they led a successful program to a new one only to find their approach does not seem to work anymore. Chances are, the new situation scores differently on OPaL factors, making it impossible to simply transfer previous success to the current environment. This also can happen when a company changes due to acquisition or shake-up in senior leadership. Understanding these factors helps security practitioners accomplish better security strategies and improved leadership performance.

A full OPaL assessment allows the Council to fine-tune its deliverables to be successfully applied within your organization. Contact a Council staff member if you’d like to explore the OPaL assessment one-on-one. Visit ;www.securityexecutivecouncil.com to read more about Opal and how it applies to your organization.

Do Not Miss Out on the Fastest Growing New Offering from the Council!

The Council recognizes that some may not be ready for participation in our Tier 1 Security Leader program so we have recently opened up our "Security Executive Council Vanguard" program. Participation is growing rapidly. So far the feedback about what attracted these risk management leaders to participate in the Vanguard program circle around a few key valuable benefits:

• Vanguard provides access to resources and materials that have been proven in live fire situations and does not include file uploads from unknown sources.
• Vanguard provides access to shared knowledge of paid subject matter experts who have experience successfully leading risk management programs for major organizations.
• The Vanguard group is made up of practitioners, not vendors.
• Participation in Vanguard is open to risk management practitioners from organizations of all sizes and sectors that are interested in taking their programs to the next level.

Click here for more information about how to engage with the Security Executive Council.

Poll Results: Find Out Where Your Peers Go for the Information They Require for Their Day-to-Day Operational Needs?

In our last Security Barometer we wanted to examine who risk management practitioners most often reach out to for assistance meeting their day-to-day operational needs.

Click here to see the results.

The next Security Barometer quick poll is investigating what your peers feel is the biggest impediment to their career growth. Click here to participate in the latest Security Barometer and view the results instantly.

Are You Looking for Executive Education for Risk Management Executives?

The Next Generation Security Leader program is offering the only executive development program for risk management practitioners that actually has successful security executives working with business experts in the design and delivery of the material. The Next Generation Security Leader program incorporates operational all-hazards risk management issues not as an afterthought but as a core element of the cirriculum. Then it shows you how to address these issues as an integral element of an organization’s strategy and culture.

You will come away not only with an understanding of business but the unique approach taken by the Next Generation Security Leader program will build the specific skill sets you need to advance your career.

Click here for more details on the Next Generation Security Leader development program.

COUNCIL FACULTY MEMBER OF THE MONTH: Jerome P. Miller

Do you have a question about personnel protection or crisis management? Ask your question directly to Jerry Miller, Subject Matter Expert Faculty: contact@secleader.com

Some selected highlights of what Jerry Miller brings to the Council are:

• Crisis management team briefings, tabletop exercises, training, risk assessment, continuity preparedness and public-private partnerships as part of the MSU/SEC Business Continuity Alliance Workshops
• Proven Practices Presentations: Managing Risks in Business and
• Personnel Protection in the Corporate World
• Supports Tier 1 Security Leaders™ in areas of private sector critical incident protocol (preparedness, structured response and rapid recovery)
  Click here for more information about Jerry Miller

Valuable Guidance for Corporate Directors

The Institute of Risk Management has released a consultation paper to provide guidance to directors and risk professionals. While the paper specifically addresses risk appetite and risk tolerance in relation to the UK Corporate Governance Code it is also applicable to U.S. Security and Exchange Commission regulations regarding corporate board responsibility toward risk governance.

Click here to access the IRM publication on Risk Appetite and Risk Tolerance.

The Security Executive Council continues to lead the industry by communicating the value generated by strong risk management programs directly to business executives. Some examples include:

• Our article in Financial Executive magazine discussing the CFO’s responsiblity regarding insider threat. Click here to read the Council’s article published in Financial Executive magazine.
• Our article in Corporate Secretary magazine discussing why risks must be coherently addressed at every level of the organization: Click here to see the Council’s article in Corporate Secretary magazine.
• Our article in Harvard Business Review on the importance of enterprise risk management as an economic strategy. Click here to access the article in Harvard Business Review.
  Some Quick Notes of Interest…
  • The Heidelberg Institute for International Conflict Research (HIIK) released the 2010 edition of their Conflict Barometer. Click here to access the research from the HIIK.
  • SEC Approves Dodd-Frank Whistleblower rules. What does this mean for compliance hotlines? Click here to read ComplianceWeek’s article
  • The OECD recently published a report examining how governments and other stakeholders are responding to the risks and aligning policy to address the protection of children online. Click here to view the report from the OECD.

Events of Interest to Security and Risk Management Executives:

• – Aspen Security Forum, July 27-30, Aspen, CO.
• - Black Hat USA 2011, July 30-Aug 4, Las Vegas, NV.
• - 7th Annual GFIRST National Conference, Aug 7-12, Nashville, TN
• - 2011 ATAP Threat Management Conference, Aug 16-19, Anaheim, CA

(Council members receive discounts to many of these events.)

No vendor-speak, no Powerpoint slides and straight to the point; you get five future forward looking keys to success in seven minutes.

Click here to view the video.

Tier 1 Security Leaders™ have direct access to the premier thought leaders in the security industry. While becoming a Tier 1 Security Leader™ is still the best value, we understand that budgets are tight. So we have expanded the ways you can gain access to the resources and insight the Council can offer. Click here for information about new ways to engage with the Security Executive Council

As a part of its Goals, Objectives & Strategic Plans project, the Council conducted in-depth interviews with 28 Tier 1 Security Leaders™ to discover and compare best practices. They discussed issues such as their top organizational risks, business alignment and drivers, internal influence issues and senior management’s view of Security. During the resulting qualitative analysis, it became clear that the interviewees with highly successful, internally recognized security programs had several things in common.

The successful security leader

• has created a robust internal awareness program for Security including formal marketing and communication initiatives;
• ensures that senior management knows what security is and does;
• has a walk-and-talk mentality-regularly talks to senior business leaders about their issues and how security can help;
• converses in business risk terminology, not "security";
• understands his or her corporate culture and adapts to it;
• is well respected and never reacts by exploiting fear, uncertainty and doubt;
• has Security program goals that mirror the company’s business goals;
• has top-level support from day one; and
• sees Security’s role as a bridging facilitator or coordinator across all functions.

"The interviewees that articulated all or most of the nine highly developed security leader attributes stood out as recognized industry leaders with strong and often innovative programs," said Kathleen Kotwica, EVP and Chief Knowledge Strategist for the Council. "While they had different leadership styles, we found it of note that they all gravitated to similar ways of moving Security forward in their organization."

To learn more about the Tier 1 Security Leader program, click here.

About the Security Executive Council

The Security Executive Council (www.securityexecutivecouncil.com) is an innovative problem-solving research and services organization. We work with Tier 1 Security Leaders™ to reduce risk and add to corporate profitability in the process. A faculty of more than 100 experienced security executives provides strategy, insight and proven practices that cannot be found anywhere else. Through our pioneering approach of Collective Knowledge™, we serve corporations and organizations of all types and sizes. The Council is quickly becoming the foremost voice on organizational risk mitigation leadership. We welcome all aspects of the security community to become involved. If you are a practitioner, vendor/contractor, media company, professional association or educational institution, contact us: contact@secleader.com.

Click here to take a one question quick poll and see what your peers are concerned about regarding their critical incident plans.

An economical way to plan for a potential incident is by using table top exercises. The Council in partnership with MSU are putting together a "best practices" resource on things to do to make sure a table top exercise provides the most value. Rad Jones and Jerry Miller, subject matter experts on the subject, will cull their collective experience to develop this resource. We will be sending this to you in the next week. We hope that it will be useful to you given likely sensitivity and scrutiny by management.

Contact us if you need assistance with your emergency response, crisis management and/or business continuity preparation: newsletter@secleader.com

https://www.securityexecutivecouncil.com/survey/index.php?sid=92744

The survey, conducted in August, asked both the Council’s Tier 1 Security Leader™ members and its community at large the question, “What in your organization is putting your continued employment at greatest risk?” It generated one of the highest response rates of any Security Barometer poll the Council has run.

Eighteen percent of respondents identified corporate leadership changes as the biggest risk to their continued employment, and another 18% marked lack of management buy-in to the security program. Sixteen percent chose difficulty demonstrating value, and security program failure accounted for another 11%. Full results are available here.

Overall the results demonstrate that security and risk management executives face a diversity of challenges that are capable of threatening their employment. These risks are largely determined by each organization’s perception of the need for security and its unique culture, or what the Council calls “organizational readiness” toward security. Thoughtful and visionary leaders will recognize the need for an honest assessment of management’s expectations and their security organization’s ability to adapt.

The Security Executive Council has been researching and creating solutions to mitigate these risks to security continuity and has an ongoing initiative to educate corporate executives about the reality of the security program and the value it can add to the organization. The goal of the Council is to assist security leaders in addressing each of the risks to employment identified in this survey. To learn more about organizational readiness and to assess how your program is aligned with your corporation’s business objectives, visit www.securityexecutivecouncil.com or e-mail contact@secleader.com.

About the Security Executive Council
The Security Executive Council (www.securityexecutivecouncil.com) is an innovative problem-solving research and services organization. We work with Tier 1 Security Leaders™ to reduce risk and add to corporate profitability in the process. A faculty of more than 100 experienced security executives provides strategy, insight and proven practices that cannot be found anywhere else. Through our pioneering approach of Collective Knowledge™, we serve corporations and organizations of all types and sizes. The Council is quickly becoming the foremost voice on organizational risk mitigation leadership. Contact us about becoming involved: contact@secleader.com.

Bob Hayes
Managing Director
Security Executive Council
202-730-9981
404-502-1600
bhayes@secleader.com