In many professional fields, such as legal, technology, and finance, one can expect to find commonalities among the practitioners. These professionals share certain certifications or degrees, or they’ve progressed through a series of common steps or training regimens to reach their current position, where they share a fairly standard reporting level.
Executives in the security profession—and in this designation we include the retail loss prevention supervisors as well as corporate security and information security leadership—does not fit into such a mold. We at the Security Executive Council have researched this profession in depth, and the diversity of experience, responsibility, authority, and background we’ve found is stunning.
However, across this varied landscape, commonalities of successful leadership do exist. The council’s community is comprised of many individuals who are recognized as highly successful security / loss prevention supervisors. Because they have allowed us access to their time and insights, we were in a position to uncover and identify similarities between them that contribute to strong performance.
A series of in-depth interviews in 2009 led us to identify the following nine practices that the most successful leaders have in common:
- The creation of a robust internal awareness program for the security/loss prevention department, including formal marketing and communication initiatives.
- Ensuring that senior management is made aware of what security/loss prevention is and does.
- Walk-and-talk methodology—regularly talking to senior business leaders about their issues and how security/loss prevention can help.
- Conversing in business-risk terminology, not security/loss prevention terminology.
- Understanding the corporate culture and adapting to it.
- Winning respect by refusing to exploit fear, uncertainty, and doubt.
- Basing the security/loss prevention program goals on the company’s business goals.
- Having top-level support from day one.
- Portraying security/loss prevention as a bridging facilitator or coordinator across all functions.
Some of these items loss prevention supervisors have worked to achieve, such as creating internal awareness programs and conversing in business risk terminology.
Others have come from luck or hard-won experience.
The overarching principles that tie these nine practices together are strong communication and receptiveness as well as responsiveness to the desires and needs of the business and others, both up and down the chain. While loss prevention supervisors stand apart from other security disciplines in many ways, we believe these findings to be as pertinent in a retail loss prevention setting as in corporate security.
Methodology for Successful Loss Prevention Supervisors
As a part of its strategic plans project, the Security Executive Council conducted in-depth interviews with 27 Tier 1 Security Leaders™ to discover and compare best practices. Most of the interviewees were leaders of the security programs in large corporations, many of which operate internationally. Questions addressed issues such as the top risks to the organization (not specific to the security department), business alignment and drivers, internal influence issues, and senior management’s view of the security function.
In the resulting qualitative analysis, council researchers isolated commonalities reported among the leaders of the most successful, internally recognized security programs in the sample.
Our research shows that much of the success revolves around communication and receptiveness. Each of our findings reflects how security or the security leader is perceived by other business leaders, management, and employees based on how the security leader presents risk and, to a great extent, him- or herself.
It should also be noted that many of these findings are intertwined with others. Ensuring management’s understanding often requires having a walk-and-talk mentality, for instance, just as conversing in risk terminology is beneficial to achieving business goal alignment.
1. The creation of a robust internal awareness program for the security/loss prevention department, including formal marketing and communication initiatives.
A formal marketing and communications initiative builds internal awareness of the security department and raises the understanding of what security does and the value it imparts to the organization. This is not to be confused with a security risk awareness and training program. In this case, the successful leader knows that the security department is often misunderstood or that many employees do not even know there is one.
The “marketing” in this case, for example, involves having an internal logo and tagline for the security department (that is, branding the department), holding brown-bag lunches with security issues infused into them, regular newsletters on security department happenings, and encouraging and rewarding employee security champions.
When employees across the organization not only recognize the importance of security’s contribution, but become invested in furthering it, the security function’s potential for success dramatically improves.
2. Ensuring that senior management is made aware of what security/loss prevention is and does.
Management’s perception of security impacts funding and organizational support for security initiatives as well as the security leader’s ability to influence risk-related decision making at a corporate level. All of these limit the effectiveness of the security function. It will be difficult for a senior manager to develop an accurate understanding of his or her organization’s security function without direct input from the security leader. Because the structure and operation of security differ so much from business to business, past experience at other companies may lead a senior manager to a view of security that is unrealistic or erroneous in his or her present environment. In addition, because the security industry in general has done a poor job defining itself in a business context, many corporate executives continue to assume that security begins and ends with guns, gates, and guards until they are shown otherwise.
What loss prevention supervisors often fail to do is to fully understand (or analyze) their resource capacity regarding what the security staff is spending their time on and providing on a day-to-day basis. From this, what percentage is important and valued by senior leadership? Every other function needs to demonstrate where their time and resources are going—why would the security department be exempt from this?
Several of the security leaders interviewed in this research hold seats in corporate strategy groups and on risk management teams and planning councils. Some hold C-level and vice president titles with direct reporting to executive management. All of these positions allow the security leaders greater access to communicate candidly and clearly with top corporate leadership. However, these high-level positions are likely also evidence that management already understands and appreciates security.
The security leaders interviewed who still sensed that management required greater understanding took the important step of speaking directly to business unit leaders to understand what risk issues keep them up at night and what security services they find valuable. This is different than the casual brown-bag activities. These one-on-one meetings often result in some kind of quantitative outcome that can be used to make senior management aware of how their direct reports value security’s services.
3. Walk-and-talk methodology: regularly talking to senior business leaders about their issues and how security/loss prevention can help.
The most successful security leaders we interviewed regularly speak to senior business leaders about their goals and concerns to determine how security can help. These meetings were held in addition to, not concurrent with, formal meetings, such as quarterly briefings with senior management or the board.
Our successful interviewees take the initiative to set up meetings with senior executives as well as business unit leaders across the organization. As one leader stated, “I don’t wait for the phone call; I invite myself to major business meetings around the world.” Sometimes it means taking the initiative to learn business processes, especially if no one volunteers to show you the ropes. In some cases, the security or loss prevention supervisor manages all these relationships himself; in others, deputies are charged with heading up regular communications with a select set of business units, making sure they understand their world and represent them in security plans.
These meetings are most effective when the security leader enters them with a business-first attitude. Note the wording of the first sentence in this section specifies the goals and concerns of the business leaders, not the concerns of security, come first. Security leaders begin by asking what senior management wants and needs to accomplish, then present themselves as helpers in accomplishing those action items. Security does not set the agenda; the business sets the agenda. Both these elements are critical to effective “walk and talk.” If a security leader tries to insert him- or herself into regular meetings with senior management, but ignores the second lesson on the tone and content of the talk, he or she may be viewed as arrogant or micromanaging.
4. Conversing in business-risk terminology, not “security/loss prevention” terminology.
“We are business professionals who happen to be experts in security,” stated one of the leaders interviewed in our research. Interviewees remarked that they emphasized their role as “business assurance” rather than “security.” Some noted the importance of SWOT (strengths, weaknesses, opportunities, and threats) analyses and cost-benefit analyses within the security department to build better performance and to better enable the security staff to “talk business.”
Even if the mission, goals, and strategies of the security function are perfectly aligned with the same in the business, if they are not communicated in the right terms, they may be rejected by senior management. The language of security is not easily translated by non-security business executives. Terms that describe security tactics, operations, or projects may have double meanings…or no meaning at all…in business language. “Perimeter” has different meanings in corporate security and information security. “Convergence” is a commonly used term in many functions whose definition varies with its speaker. Even the word “risk” has a broader meaning for business (for example, taking a calculated risk to enhance revenue) than for security.
Speaking about business issues in business terms helps enhance management’s understanding of security and increases the chances of management support.
5. Understanding the corporate culture and adapting to it.
Many security leaders feel it’s their job to change the corporate culture into something that is more security-centric. Our research showed that successful leaders believe the opposite. Their job is to learn the existing corporate culture and find the best ways to fit security into it.
An IT services company that prides itself on its relaxed and open philosophy is unlikely to appreciate a security leader whose focus is on locking the employee population out of newer communication technologies, for example. Staff and management may look at that individual as a roadblock to be surmounted rather than a partner.
If on the other hand, the security leader talks with human resources, employees, and management to learn what the corporate culture values most, then negotiates security policies and solutions that leave those values intact, the perception of that leader will be markedly different across the organization.
6. Winning respect by refusing to exploit fear, uncertainty, and doubt.
Respect is won over time, so this accomplishment requires long-term improvement and consistency. While tapping into the fears of business may seem the easiest way to gain support and elicit reactions, ultimately it results in a loss of influence and trust. The successful leaders we surveyed focused on communicating risk in business terms, as something to be transferred, mitigated, avoided, or accepted, not feared. If the security or loss prevention leader is consistently level-headed in describing risks and their implications on the business, clear in conveying the options for managing the risk, and receptive to management’s concerns and decisions, he or she is likely to earn lasting respect.
7. Basing security or loss prevention program goals on the company’s business goals.
One of the most common terms in the interviews conducted in this research was “enable.” One interviewee stated, “Security enables the business to take risks; we don’t block them.” And another said, “Our strategic plan is to enable the company to be the company.”
Many of those interviewed stated that the goals and strategies of the security function cascaded down from the CEO. If brand protection was a major corporate concern, for instance, it became the priority of security. Some security leaders who took this approach reported that management and other business units began coming to security to ask for assistance and advisement on various issues.
The security leader who puts the business before the function is more likely to experience long-term success than the one who works to drive the business in a direction set by security. There are several reasons this may be the case. When every function works toward the common goals of the business, setting internal goals that further the corporate mission, the entire organization should become more efficient and effective. This business optimization then reflects back on the individual functions, creating a cycle of higher performance and building success.
Communication is another factor. Basic psychology holds that a leader who is constantly asking “How can I help you?” will be met with less resistance and will be more positively perceived than one who is constantly interjecting “You can’t do that.” This positive perception easily translates into greater influence, always a factor in improved performance.
8. Having top-level support from day one.
Those interviewed who came aboard the organization with a high level of management support performed best. They reported that management places high value on the security department, that they are given one-on-one access to the presidents and chairman, and that their advice, if not always acted upon, is never disregarded. The lesson here is to try to make this level of support a condition for your next career move.
The success of these leaders may be as attributable to their acumen as to the clear organizational focus on security’s value. This finding should dispel any doubt of the correlation between organizational support and security success. To have such support is an enviable position in which few security leaders find themselves. However, a caveat—if your internal success relies on this relationship, you may be out the door when a senior management shake-up occurs. Make sure the other practices are in place to thwart immediate displacement.
9. Portraying security/loss prevention as a bridging facilitator or coordinator across all functions.
Every business unit in an organization is subject to, and sometimes owns, various risks. Many of the leaders we spoke with took it upon themselves to become central points of contact on risk for other business units. One stated that his organizational risk committee regularly sends information to business units to review and asks them to report back, ensuring they have an opportunity to make their voices heard.
Another remarked on his function’s close relationship with no less than seven operational functions. That leader further stated that strong security requires these business units to be engaged in risk management rather than periodically reminded of it.
When security acts as a bridge between functions throughout the organization, it can help minimize redundancies and optimize resources. The security leader who focuses on achieving this also has the opportunity to identify, understand, and respond to business unit risks more quickly.
What Does This Mean to You?
While our research identified nine common practices from the collective knowledge of industry-recognized leaders, no doubt there are more. But this report provides a rare wrap-up. Strive for the practices you can implement in your current organization, or look for opportunities that may support these types of practices in the next phase of your career.
The extent of information sharing these interviewees offered for this study is unusual in our industry, but more such sharing is required. The security function needs to share its wisdom to become a better understood, more highly recognized, and more valued contributor to an organization’s bottom line. If you are at the tail-end of your career, consider playing a role in the passing on of knowledge by sharing this report with your promising staff.
The Security Executive Council
The Security Executive Council is a problem-solving research and services organization focused on helping businesses build value while improving their ability to effectively manage and mitigate risk. Drawing on the collective knowledge of a large community of successful security practitioners, experts, and strategic alliance partners, the council provides strategy, insight, and proven practices that cannot be found anywhere else. Our research, services, and tools work to help organizations identify and mitigate risks to people, assets, and the bottom line.
SIDEBAR: Lessons from Low-Shrink Retailers
In similar research conducted by Adrian Beck and Colin Peacock, five US retailers were surveyed to determine common practices shared by loss prevention organizations with historically low shrinkage rates. Coincidentally, the authors also identified nine organizational themes that contributed to their success. While these nine factors are not identical to those discussed in this article, the similarities are striking and, taken together, add further insight into this important topic.
This article was first published in 2012 and updated June 5, 2017.