The Science of Organizing Security

Strategic Security

​​​Photo by Matthew Henry on Unsplash​​

The Science of Organizing Security
Tim Williams, CPP, MBA

Open any publication, blog, newscast, or other media today and expect to be inundated with developments in technology. Artificial intelligence, machine learning, and computing power are propelling a tsunami of changes to the work environment and to society. Marketing wizards will use euphemisms like big data, IoT and other witticisms to describe complex technologies in simple terms. Yet we know that technology advances will drive unique evolutions, most assuredly in the security of things.

Guarding, fraud detection, cyber security, facial recognition, and many other areas will see significant advancements in the short-term. However, one critical success factor to advancing asset protection in large corporations is what I call the "technology" of organizing to secure a company's people, critical information and business strategy.

Cognitive Convergence
Take, for example, the cyber war that rages across the Internet every day—stealthy, ubiquitous, and deadly silent in attempts to steal governmental secrets and relentlessly target American corporations. The many publicized losses are staggering.

Companies talk about converging cyber and physical security, but I believe Cognitive Convergence™​ is even more important. Fighting the cyber war necessitates that companies know how to organize to properly defend themselves from current and emerging risks. Instead, many companies' enterprise security roles and responsibilities are diffused among various departments, where IT may be focused on technology costs, while HR is looking after background checks or exit interviews. Security is handling investigations and legal, audit, and environmental health and safety are accountable for other aspects of security.


Sometimes chief information officers are not equipped to fully understand cyber risks and are ill prepared to work with law enforcement agencies without a gaggle of lawyers to direct almost every step. Often, the lawyers require a quick remedial training course on cybersecurity themselves and fear (with some justification) that turning over information to the U.S. government during an attack may come back and bite them.

In one company, for example, an internal audit fraud investigation was underway targeting an individual who was actually an insider planted in the corporation to develop intelligence on the best way to attack that company's network. This same person was simultaneously being investigated by the security organization, which suspected he was stealing proprietary information. Neither department knew of the other's activity until the employee was fired.

Cognitive Convergence​ ends these obstacles to cybersecurity. It means bringing together the intellectual horsepower of numerous departments and business units and assimilating the right intelligence for risk-aware decision making and unified security across the enterprise. Having a comprehensive written strategy that details who has accountability for various aspects of protecting enterprise assets and how these professionals are going to collaborate for end-to-end, proactive risk management is fundamental to building this culture.

Partnerships and Best Practices
Another imperative is having the United States government partner effectively with the private-sector, which owns and operates 85 percent of the critical infrastructure and resources of the United States according to the Federal Government in its Information Sharing Environment. When a crisis happens, it's simply too complex, cumbersome, and time-consuming for companies to reach out to the FBI, U.S. Department of Defense, U.S. Department of Homeland Security, or other agencies, without having a preestablished contact person. Instead, companies need a safe harbor, single point of contact for liaison with the U.S. government regarding cyber intrusion matters.

Law enforcement and intelligence agencies also try to improve the country's cybersecurity position, but they too must work through huge bureaucracies and often don't understand how to bridge their knowledge with the corporate world. They are cautious, as they should be, about sharing classified information—even when security or legal staff need it for business-savvy consultation to senior management.

At the same time, the security industry should consider adding more business risk managers to corporate roles to balance the experience of second career professionals from law enforcement agencies who may be trained to chase the crime rather than remediate the business risk. Security associations can create a coalition that provides American companies with nontechnical advice that board members and business leaders can rely on to act quickly and decisively. Software providers, too, can partner with companies to improve IT hygiene that detects vulnerabilities faster and more reliably. More and more, bringing together security and technology professionals with governmental entities, law enforcement, and business leaders will become essential to building platforms and cybersecurity regulations based on best practices and collegial understandings that are truly effective in fighting this war.

Pay It Forward
At the same time, each of us has a responsibility to help prepare the next generation. Let's bring people together in trade or industrial associations, educational institutions, and other ways to promote soft skills such as communications and teamwork. Kudos to ASIS International for launching a publication specific to educating security leaders about the risks and rewards of cybersecurity and other technologies. I equally welcome a companion theme for security professionals to become business-savvy collaborators and mentors, serving as catalysts within their own organizations and among future generations.

It's like building an airplane in flight and winning the cyber war in the United States will demand:

  • A clear directive to U.S. public-private boards of directors and government agencies that mandates respective roles and responsibilities and assures one safe harbor for American companies who seek support when breaches occur.

  • That American corporations that influence Washington and impose corporate mandates to ensure taking up the fight responsibly.

  • Corporate leaders who organize around different departmental priorities, leadership styles and cultures to combat and mitigate cyber risks that have the capacity to undo them all. 

To win this war, each of us must master the technology of organizing vertically, horizontally, and sometimes sideways in landing this plane safely. 

Tim Williams, CPP, MBA is vice chairman, Pinkerton, a global provider of corporate risk management services and solutions. He has served in Fortune 50 corporations for more than 36 years as chief security officer or in consulting roles, managing enterprise security risk. He is a past president of ASIS International and founding member of the Global Security Risk Management Alliance.​