"What a wonderful world"

Louis Armstrong

Our world can be complex and turbulent. Risks abound. 

But around us, are people attempting to make sense out of it, learning from each other, and creating powerful new approaches that create value for all of us; personally and professionally. 

The Great Conversation™ in Security was conceived and, later launched more than a decade ago, in response to 9/11. There were serious questions regarding our ability, as a country, and, by extension, our place of work, to leverage our people, performing roles in everyday processes using the tools we have provided them, to adequately address the serious nature of the risks that we were facing.

We needed wisdom. The notion that history, ideally, was a sequence of conversations and innovations that would ultimately supply us with that much-needed wisdom, was a foundation we built on. We then needed the ecosystem to weigh in. We needed the transparent sharing of the good, the bad and the ugly stories from the leaders who were attempting to protect the assets and lives of their organizations. We needed the service and product vendors to listen to these stories and begin to respond to the learnings. We needed products to be developed, not in response to feature requests, but in response to the unspoken needs that become visible through truly understanding the people, performing roles in their core processes.  That is what truly determined the performance measures of a risk, resilience and security program. We needed consultants who would reach out to collaborate with integrators. This would mean that integrators would want to know the 'why' behind the technology. And consultants would want to leverage integrator insights on the performance metrics of their deployments. Our industry had a fractured ecosystem. It was time to heal it.

We also knew that leadership and change management would be key disciplines in this journey. So we looked for the students of leadership to speak to us, motivate us and inspire us. We looked to practice leaders of change to enable us. And we looked to technology gurus to disrupt our old notions of how security should work. 

So welcome to this Great Conversation. We try to touch base with the best and the brightest throughout the year so we can produce in two-days, a congress of minds that shape the next evolution of security. Your voice is needed. Your work must be shared. You can change your world. Join us. 

Ron Worman, The Sage Group

From October 2017 through February 2018, we featured monthly webinars that touched on subjects we would be featuring atThe Great Conversation in Security forum on March 5 and 6 on the Seattle waterfront. 

The webinars were designed to provide some insights that we have gained since the last Great Conversation. 

The series included conversations such as:

Leadership and Change

The Security of Physical Security Systems

The 360: the Next Generation of Access

The Age of Voice and Why it Matter to the Business and Security

All of the webinars were recorded and can be found under "Videos" on The Sage Group's YouTube channel

Who can combine creativity and execution? That is the underlining question that haunts hiring managers today. They want engaged employees. And from that engagement of heart and mind, they want their creativity. They want their creativity because they want to create a highly adaptive and innovative organization. 

But they also want execution. Blocking and tackling. On time, quality performance. 

We want it all.

Clayton Christensen, a Professor of Business Administration at the Harvard Business School, is regarded as one of the world’s top experts on innovation and growth and his ideas have been widely used in industries and organizations throughout the world. A 2011 cover story in Forbes magazine noted that ‘’Everyday business leaders call him or make the pilgrimage to his office in Boston, Mass. to get advice or thank him for his ideas.’’ In 2011 in a poll of thousands of executives, consultants and business school professors, Christensen was named as the most influential business thinker in the world. 

Clay is the best-selling author of nine books and more than a hundred articles. His first book, The Innovator’s Dilemma received the Global Business Book Award as the best business book of the year (1997); and in 2011 The Economist named it as one of the six most important books about business ever written

"I don't want to overstate the case", Christiansen was quoted as saying, "I think about 40 percent of people just are not going to be good at innovating regardless of what they do. And 5 percent are born with the instinct. There are things that they do and ways that they think that are intuitive. The rest of us could learn what these innovators do if somebody would just crawl inside their brains and codify what to them is intuitive.

In a sense, that was our hope with The Innovator's DNA, that we could articulate how innovative people think. So over a period of years, we interviewed hundreds of innovators and almost 5,000 executives to identify ways of thinking that distinguish innovative people from typical executives. What we found is that innovators "think different," to borrow a slogan from Apple. And thinking differently leads them to act differently. From our research, consistent patterns emerged that led us to identify five primary discovery skills that underlie innovation: associating, observing, questioning, networking, and experimenting.

First and foremost, innovators are good at associational thinking, or simply associating. They make connections between seemingly unrelated problems and ideas and synthesize new ideas. I would frame associational thinking by asking this question: Has somebody else in the world solved a problem like this before? It turns out that most problems have been solved before by somebody in a different environment. Associating that other experience to what's going on in my world may make me look brilliant, but in reality my brilliance was in seeing that this had been solved elsewhere.

Observing and questioning go hand in glove. Innovators observe things, then question why. If you want to be an innovative person, when you see things, you have to pay attention and then wonder why."

In The Great Conversation in Security, we are always seeking the "Why" and in many cases the "Why not?". We bring a diverse group of stakeholders in our industry together to share their different perspectives and experiences. We intentionally jump start the conversation through a problem that illuminates an insight that leads to self, team and organizational discovery. 

And we take chances. In a world of data-driven analysis, sometimes we need to stop waiting for someone else to create a proof-point. As Christensen says: "I don't want to wait until somebody provides data. I need to get out there and create data."

The answers to our most pressing problems lies within and between us. Let's start a great conversation. 

A Great Conversation 2017 Monthly Speaker Review

In 2011, the International Network of Women in Emergency Management (inWEM) hosted its International Women in Homeland Security and Emergency Management Hall of Fame induction ceremony. It honored women who are pioneers and leaders in the fields of homeland security and emergency management in local, state, tribal and federal governments. Each one of the inductees were known for promoting a culture of preparedness for safer, resilient, and sustainable diverse communities.

Annie Searle, a Great Conversation in Security keynote, was one of them.

Annie’s presentation was entitled “Using Conduct Risk to Link ERM and ESRM to Organizational Value.” She began by addressing the fact that the intersection of people, processes, systems and events can ultimately elevate risk and/or financial loss. This intersection works within a values framework that ultimately is anchored by the words and actions of the leaders of the organization.

Since the intersection of risk and opportunity represents the value equation for an organization’s executives, the values framework is put to the test in the strategic planning, communication and performance management of the executive team. Actions speak louder than the values framed on a wall.

CEB, a best practices insight and technology company, used as a data source by Annie, stated that 40% of misconduct observed by employees goes unreported. Of those that are reported, only 17% will find their way to a compliance and ethics office. This is disturbing; especially when the projected costs of misconduct are $5.4M for a single privacy breach or $188 per record and 5% of annual revenue for a single instance of fraud.

If the risk is frightening, the opportunity loss is staggering. CEB reports that higher integrity companies outperform in shareholder returns by 16.2%.

Why do leaders set the tone? According to Annie, there are three causes of conduct risk:

1.           Monkey See, Monkey Do. Employees will model the tone at the top

2.           Culture. Employees practice what leaders preach

3.           Conflicts of Interest. There is a general lack of supervision and gaps in ethical controls.

Annie believes the word “tone” needs to be more understood. She cited a 2016 Ponemon Survey that described tone as “a term used to describe an organization’s control environment, as established by its board of directors, audit committee and senior management. The tone at the top is set by all levels of management and has a trickle-down effect on all employees of the organization. If management is committed to a culture and environment that embraces honesty, integrity and ethics, employees are most likely to uphold those same values. As a result, such risks as insider negligence and third-party risk are minimized.”

From this we know that employees pay close attention to the verbal and non-verbal responses of their bosses. Procedures manuals take second place.

Regarding culture, Annie cited the 2016 U.S. Financial Industry Regulatory Authority:

“While firms may have their own definition of ‘firm culture,” we use it here to refer to the set of explicit and implicit norms, practices, and expected behaviors that influence how firm executives, supervisors and employees make and implement decisions in the course of conducting a firm’s business.”                 

She then showed several corporate brands and asked the security professionals in the audience what they believed the tone at the top valued and how it influenced the culture. Many of the brands were icons of the Pacific Northwest.

Finally, with “conflicts of interest”, Annie referred to the classic Oxford Dictionary definition:

“A situation in which a person is in a position to derive personal benefit from actions or decisions made in their official capacity.”                 

This is where self-interest meets opportunity without attention to a values framework. She broke conflicts of interest into non-financial and financial categories. Examples of non-financial interests included career advancement, publications and reputation. Financial interests were direct and indirect.

In a 2012 report by Labaton Sucharow, a law firm that prosecutes precedent-setting class and direct actions, recovering billions of dollars on behalf of defrauded consumers and investors, where they interviewed 500 financial professionals from the U.S. and U.K., they found that 22-25% believed they needed to behave illegally or unethically to get ahead. 16% would commit a crime like insider trading if they believed they could get away with it. 94% would report misconduct if it could be done anonymously, protected their job, and they could receive a monetary award. Annie’s point, without an actionable governing values framework, and a culture of reporting misbehavior, misconduct will likely occur.

To reduce conduct risk, Annie recommends the following:

• Review the corporate values/vision statements

  • Create a statement of values that points to desirable behavior, not a marketing slogan.

• Create/review the code of conduct

  • Put a real communications program in place, with storytelling around behavior.

• Incentivize employees to do the right thing

  • Recognize when employees and teams do the right thing. Protect individuals from retaliation.

• Build a fraud and misconduct plan

  • Train employees on how to report misconduct or fraud.

• Create your own whistleblower program

  • Guarantee anonymity, employee protection and a monetary award. Self-report without retaliation.

• Ask your senior leaders to reinforce ethical conduct with their own performance

  • Walk the talk. “I was wrong.” And/or “Thanks for your insight.”

Please feel free to reserve your seat for The Great Conversation in Security here

When Carol Fox, the Vice President of Strategic Initiatives of RIMS, the risk management society™, presented at The Great Conversation in Security this year, she was addressing security program executives from multiple industries and disciplines. Each of these programs has implemented a process for identifying risk. But as Carol pointed out, identifying risks and identifying gaps in performance are two different things that achieve different outcomes.

We see Security Risk Management Services (SRMS) providers as a bridge between the risk assessment and the gap analysis. As Carol suggests, an SRMS provider would use risk assessments to identify, analyze and evaluate the uncertainties to objectives and outcomes of an organization. With this as a foundation, they can then begin to create a 360-degree view of the risk, which can include the line of business “risk owners” and the culture of risk inside the organization. But it would not stop there. SRMS vendors can then deploy their technology and business process expertise to truly understand the gaps in performance. How do people perform their roles within their core processes using technology? This is where breakthroughs and innovations occur.

Carol’s presentation is summarized in an article she wrote for the RIMS organization which we have provided by link below.

Recognizing the Gaps in Gap Analysis

By Carol Fox, Vice President of Strategic Initiatives of RIMS, the risk management society™,

When used in the right context and for the right reasons, gap analysis can do just what it is intended to: identify areas—usually from the perspective of process, abilities, competence, time and performance—where moving from a current state to a desired future state would be both beneficial and prudent. As noted in the ANSI/ASIS/RIMS risk assessment standard, “Gap analysis is intended to highlight the amount by which the need exceeds the resources that exist and what gaps may need to be filled to be successful.”

Read More

“Risk Intelligence is probably one of the most important of the core elements which must be established when building a successful and effective governance, risk and compliance (GRC) program”, said Lynn Mattice, Managing Director of Mattice and Associates, a keynote speaker at The Great Conversation in Security – 2017.

According to Mattice, Risk Intelligence is often confused with Business Intelligence. They have similarities. Business Intelligence is often applied to data mining within company databases. It is used to drive competitive intelligence, customer relationships, and supply change behavior.

Risk Intelligence is more expansive. There are risks, threats and hazards within the environments an organization operates. They must be extrapolated from external and internal data. If mined and understood, they can clarify opportunities for value generation as well.

Most security executives are challenged with developing a Risk Intelligence program. Government agencies will often speak about collaboration, but most will not share timely and vital information that could make the difference in formulating strategic risk programs.

Mattice suggests that the evolution of an intelligence program start with an assessment of the culture. This will become an essential data point in determining the value path that a leader should take. One of the cultural data points is leadership at the top. Mattice often acts as the advisor to the leader encouraging collaboration and a deliberate assessment of the data and the subsequent actions that must be taken.

Analysts must be hired or strategically contracted to help with the data analysis.

With this foundation in place, the next step is to act as an informed advisor to the business leaders. This will provide a rich layer of requirements that are aligned with how the company operates and generates value. Risks to people, processes, assets and markets are omnipresent. The role of the advisor is to help the business leaders quantify, manage and persistently manage those risks. Alignment with the leader’s business and market intelligence team is critical. Your eyes will interpret the data differently and provide valuable insights.

The bottom line is an attitude and capabilities adjustment is in order before the security executive’s team can provide trusted and valuable advice to business leaders. This evolution is necessary to ensure the budget spend is strategically aligned with the objective of running a valuable organization. Failure translates to brand and value dilution at the worst.  At the best, your contribution creates opportunities that will help guide the future of the organization.

And, according to Mattice, that is the future of Security.

Lynn Mattice is Managing Director of Mattice and Associates, a management consulting firm and trusted advisor assisting enterprises in navigating a world full of risks. Developing Risk Intelligence Programs for clients is one of the services provided by Mattice & Associates.

On March 6 and 7, executive risk, resilience and security leaders from around the United States and the world, convened with one expressed purpose: to influence innovation and change in the profession and the industry. The leaders were not only executive security officers and their teams, but also their ecosystem of current and future vendors such as risk consultants, security risk management services providers, system integrators and technology vendors. This supported one of the core themes of The Great Conversation in Security™; to raise the standard of performance and value for the entire ecosystem with the end goal of protecting our communities, organizations and our countries.

The Great Conversation took place at the Bell Harbor International Conference Center on the Seattle waterfront with close to 300 registered attendees.

The two-day forum was organized around a collective experience of keynotes and panels with interactive digital polling preceded by video interviews that were conducted before the forum focused on the themes of the presentations.  As well, time was set aside for breakouts around critical communication issues in and around the “campus”: the descriptor we use to define the space by which we organize, communicate, educate and work with employees, visitors, contractors and vendors. Finally, several organizations took part in a collective case study involving the identification of their problem, the mustering of experience around the problem, and the scorecard by which they evaluated potential solutions.

Over the next few months we will be publishing stories from these practitioners and thought leaders as they challenge the status quo and continue the conversation throughout the year.

The first profile is about the leadership challenge issued by Mike Mason, CSO of Verizon. Mike’s opening address was fitting for this conversation community since the innovations and changes we are considering will demand bold, courageous and disciplined leaders with highly engaged and motivated teams.

The threat is significant, but not obvious. The biggest threat we have is not developing an engaged workforce. It is one of our greatest strengths if we are successful. It leverages the combined intelligence, persistence and commitment of a unified team. If we fail, we will keep mining our legacy of discouragement, cynicism, lack of motivation and, what Thoreau described as people leading “lives of quiet desperation”. Mike provided transparent moments where he failed as a leader, faced his failure and overcame it through a deep and evidential caring of one human being to another.

Today, one of Mike’s key performance indicators, is sending an “atta boy” twice a week to one of his hundreds of employees around the world. He now hires, trains and measures around relationship; the platform for any organizational measurement or goal.

After his keynote, he then made one of his most important statements about leadership. He positioned himself in the front row for the rest of the conference, actively listening, engaging, and taking copious notes. We are leaders of our families, friends and our employees, rarely through words, but through our actions. He was modeling the art and discipline of learning. He was not outside the auditorium chatting or doing email. He had committed to the act of learning through his sacrifice of time and the limitation of distractions.

At the end, you could say he was the wisest person in the room.