​Is time travel possible? Is there life after death? Those questions might be answered before the security professional’s own existential mystery is solved: Can security be a value generator, or is it always a cost? 

Lots of ink, pixels, and perhaps tears, have been shed over that very issue. Some practitioners who think security’s value can be quantified as a return on investment cite as examples enhanced business efficiency as a byproduct of security measures, beneficial acquisitions resulting from security’s due diligence, and third-party consulting services spun out of a proprietary security function. José María García Rodríguez, head of digital infrastructure security at Mapfre SA, a Madrid-based insurance company, says that his department is seen as a profit center in terms of fraud prevention and cybersecurity practices.

Detractors say that security will never deliver ROI, and that there are only a few ways to “move the needle on security.” These include significant incidents, compliance requirements, and the security professional’s ability to sell the function to senior management.

The issue of security’s value, and demonstrating it to corporate decision makers, threaded through the four-day curriculum of “Effective Management for Security Professionals,” an annual English-language course held in Madrid by IE Business School and ASIS International under the directorship of Juan Muñoz, CPP. The students, all at mid-to-senior levels of security, tackled business school cases on corporate strategy and leadership, squared off in negotiation scenarios, analyzed the business case for upgrading card readers in a U.S. airport, and confronted their own leadership strengths and deficiencies.

Your Inner Rock Star

Few security professionals would compare themselves to the “Material Girl,” but Madonna provides an excellent study in adaptability and positioning, said Professor of Strategy Caterina Moschieri. In the 1980s, Madonna styled herself as an ingenue singer, accentuating her prominence through marriage to Sean Penn and assiduously working the media. A decade later, she reinvented herself as a controversial sex symbol, sealing it with a relationship with Warren Beatty and sultry movie appearances. In the 2000s, she became the voice of New Age spiritualism, operating at the intersection of sexuality and politics, and most recently she has emerged as an entrepreneur, philanthropist, and adoptive mother. In each era, she adapted to the zeitgeist and always regained relevance.

Security executives could learn some lessons from her, Moschieri said. For example, experienced CSOs have likely seen corporate priorities and mindsets shift, such as from merger-mania in the 1990s, to the stampede toward globalization in the 2000s, to digital transformation, sustainability, and corporate social responsibility today. The shrewd security professional keeps on top of these trends and how they fit into corporate, and thus security, strategy. A C-suite or board of directors might be laser focused on making their company sustainable, so security executives might position their initiatives in terms of how they advance that corporate goal.

To help get security professionals thinking like trusted business advisors, Moschieri broke students up into groups to evaluate whether they would advise their C-suite to enter several industry sectors. The class harnessed Porter’s 5 Forces, which explain why some industries are more profitable than others. Those forces are industry competition, potential of new industry entrants, power of suppliers, power of customers, and the threat of substitute products. Through this analysis, the teams rejected investments in airlines—aircraft manufacturers, caterers, and airports make good returns while airlines don’t—and higher education, with a qualified endorsement of automotive industry investments. A key takeaway was how to use economic, industry, social, and other trends to position security as a strategic asset.

Let’s Make a Deal

People negotiate every day—with kids, with spouses, with work colleagues, and with neighbors. But when it comes to formal negotiations—over a contract, a large purchase, and so on—many people unravel or shift into a hyper-aggressive mode. In fact, the hardest task in negotiations is “to be something you’re not,” said Professor of Negotiation Mari Cruz Taboada. When your natural personality leaks through, “you lose credibility,” she warned.

The four golden rules of negotiation are: know your opponent (and yourself), focus on interests (not positions), have a backup plan, and prepare scrupulously—even to the extent of simulating the setting down to table size and configuration and considering social aspects of the negotiation. Key is understanding the other side’s requirements: what are they looking to gain and why? Just as important is knowing what your purpose is, and understanding your default negotiation style, which inexperienced negotiators often revert to.

As a preliminary exercise, students were paired up in an exercise resembling the “Prisoner’s Dilemma.” Each party showed either an open or closed hand on cue. If both participants showed an open hand, they equally shared a hypothetical monetary award. If one showed an open hand and the other a fist, the person with the closed hand received an award that exceeded the total payout if both had revealed an open hand. The other person got nothing. If both parties showed closed hands, neither got anything. Each pair went through three rounds of the exercise, and each round upped the stakes.

Some students deceived their partners immediately, promising to show an open hand but revealing a fist instead. That typically destroyed trust right away, with the counterpart trying to flip the script on the next go-round. Some people cooperated in the first two rounds but betrayed their partner in the third, most lucrative, round. In one case, the partners betrayed each other on the last round and ended up with nothing. One pair cooperated throughout the exercise, collectively reaping more rewards than any other negotiating pair.

The group was then divided into three-person teams to do simulated negotiations in a “Shark Tank” scenario involving an app and smartphones. Afterwards, the professor played videos of the discussions, pointing out signals the class missed. For example, the author unconsciously covered part of his face during a difficult part of the exercise, when he was communicating concern about the inability to protect intellectual property in China. That’s a tell indicating discomfort, the professor said, which others could have exploited. In other groups, video showed participants frowning or looking away during discussions, cues that the speaker did not pick up. Some used a ploy called “price anchoring.” Although conventional wisdom says that the first person to mention a price is at a disadvantage, several members of the class did so anyway, on the theory that it would psychologically anchor their counterparts to that number. The salvo worked in most cases, and in fact research supports its efficacy.​

Access Control as ATM

Can a card reader make you a 1,000 percent return on investment? Probably not, but that’s the trap students fell into in an exercise on making the business case for corporate security. After reading a case from the Kellogg School of Management at Northwestern, the class was asked to calculate the return on investment of installing a state-of-the-art credentialing system at San Francisco International Airport. The new system would allow the airport to vastly expand its service capacity—such as by cutting wait times, decreasing service time, and streamlining credentialing operations with full audit and compliance—while meeting federal security requirements and reducing costs such as system replacements, compliance-violation fines, and labor and materials expenses. For comparison and context, the case provided cost, efficiency, and other improvements reaped by Toronto Pearson International Airport, which had installed the same system a couple of years earlier. 

Far from a cut-and-dried exercise, the process of calculating ROI was complicated, speculative, and deceptive. The three different student groups working on this problem to calculate an internal rate of return (the percentage return from the project), net present value (the current value of all future cash flows generated by the project, including the initial capital investment), and time period after which the investment would be repaid came up with widely diverging figures. Calculations for internal rate of return ranged from 328 percent to 913 percent; net present value ranged from $3.6 million to $23.9 million, and payback period ranged from almost immediately to five months. “Welcome to capital valuation,” Economics Professor Juan Pedro Gómez told the class.

In fact, Gómez said that the much more likely result was a 76 percent internal rate of return, a net present value of $874,000, and a two-year payback period. And even that seemed high to him for an airport credentialing system. “You should challenge that,” he said.

Why had the class overshot so badly? While several factors were in play, the class based some calculations on the Toronto situation that would not necessarily apply in San Francisco—which terminals could reasonably be upgraded and in what time frame; the number of system users, how long it would take to get them online, and the number of transactions they would perform; and so on. Another trap was overestimating prevention of losses resulting from compliance violations and other failures. Finally, phantom cost savings snuck into the calculus.

The upshot was that there were too many variables to yield an ironclad result. “Play with the numbers before you present them,” advised Gómez, because small changes can produce large discrepancies. It’s also critical that security not develop a business case in isolation. Other business units must get involved—operations, human resources—to develop a better-rounded, more accurate estimate. The lesson? “Never use numbers that you can’t defend,” said Gómez. “You have to look credible.”

Follow the Leader

What kind of leader are you? That’s a question that Professor Juan Carlos Pastor helped students confront through exercises, simulations, case studies, and discussions. The least effective leaders only act to respond to problems; they avoid taking action until they need to put out fires. Their staff’s behavior is based on fear. One level up is the transactional leader, who rewards achievement and closely monitors staff performance to correct deviations and errors. This style leads followers to a job-description-level of performance, but no more. The highest tier of leader, said Pastor, is the transformational leader. That person is authentic, builds trust, acts with integrity, inspires others, thinks innovatively, and develops people. Protégés of these leaders become emotionally committed, exceptional performers.

But that doesn’t mean that the perfect leader is wholly transformational. One student proudly announced that he wasn’t transactional because he didn’t micromanage his staff. But it turns out that he wasn’t corrective enough. His staff needed him to more regularly oversee their work and correct errors. Others coached their staffs but didn’t ask for or receive coaching from their own bosses, which could come off as arrogant or hypocritical. Older workers frequently scorn coaching, Pastor said. Many students criticized themselves for not taking enough risks: “We are cowards. We don’t want to hurt anyone’s feelings,” one commented. 

True leaders derive their power from themselves, not their position, Pastor said. Managers gravitate to positional power—typified by title, formal authority, visibility, and coercion. Leaders are imbued with personal power, which comes from expertise, energy, charisma, reputation, and social capital.

And that cohort of the IE Effective Management for Security Professionals course, hailing from locations as diverse as Saudi Arabia and Sudan, Sweden and Spain, seemed well on their way to becoming authentic leaders. As Program Director Juan Muñoz concluded, “A leading security executive does more leading, and less security.” They will leave the time travel question to others.  

 

Michael A. Gips, CPP, CSyP, CAE, Chief Global Knowledge Officer at ASIS International, was a student in the July 2018 rendition of this course. He has been Vice President of Publishing and Senior Editor at Security Management.

 

About the IE Certificate Program​

By Juan Muñoz, CPP

​Security practitioners can be effective only if they have knowledge of the industry in which they manage risks. And if security professionals are ever going to have routine access to the C-suite, they need to know business fundamentals such as how to read a profit and loss statement, how to see societal trends as potential business accelerators or hindrances, and how to present risk in a way that resonates with senior business leaders. 

And those skills are, in fact, articulated clearly in the ASIS CSO Standard and in Enterprise Security Risks and Workforce Competencies, a 2013 report by the ASIS International Foundation and the University of Phoenix. The CSO standard emphasizes business acumen, strategic agility, decision quality, and management of teams. The foundation report highlights business and financial management, leadership and communication skills, and strategic thinking.

Many security professionals remain mired in traditional reactive thinking, keeping security in a purely tactical role. They risk becoming irrelevant in a world demanding more value-adding abilities. 

So how do they get from there to here? For the past several years, ASIS has teamed with the IE Business School of Madrid to provide that next-level education and development. Some of the key benefits are described in the accompanying article.

It’s time to graduate from asset guardian to strategic business manager. 

Juan Muñoz, CPP, CSMP, CSyP, served as the chairman of the ASIS International Spain Chapter from 2013 to 2018. He is also assistant regional vice president of Region 9C and a member of the ASIS Standards & Guidelines Commission. A former alumnus of the IE program, he is now its director.