The Chief Security Officer (CSO) in the Post-COVID-19 World: Lessons Learned from Security Leaders
Raines International and The Lake Forest Group spoke with numerous security executives from major global companies in industries ranging from oil and gas to technology this summer to discuss the trends and new issues a CSO faces in light of the COVID-19 pandemic.
This article is first in a series of thought leadership about the role of security leaders in organizational success.
While a major focus has been on when life gets back to “normal” after the COVID-19 pandemic and what that means for business, forward-thinking business leaders are thinking about the gaps COVID-19 has exposed in their business, specifically from a safety and security standpoint. The upheaval caused by the outbreak has highlighted the need for a strong, agile security leader in organizations of all sizes to protect organizations and maintain business continuity. Raines International, in conjunction with The Lake Forest Group (LFG), spoke with numerous Chief Security Officers and leaders in the security field to discuss how the pandemic has affected the position.
Security during COVID-19
Traditionally, organizations view protecting the physical security of employees through the lens of criminal, accidental, and natural events. The concept of a pandemic had been discussed in the security world as a possible scenario, but the scale at which COVID-19 has disrupted business is extraordinary. Many — but not all — of the leaders Raines and the LFG spoke with acknowledged their companies were not prepared for the scale of COVID-19. Whether companies had to adapt to a sudden shift to work-from-home or simply procure PPE, the pandemic caught many unprepared, but not surprised. Some organizations had plans for previous public health threats like Zika or Ebola, but ultimately, they were far from perfect and might have been outdated. Other organizations always intended on preparing for a disease outbreak, but preparing for threats like kidnapping, terrorism, or active shooters took precedent. As this coronavirus unleashed a new level of security awareness, it amplified concerns and an organization’s responsibility for protecting their employees’ health, along with their safety and security. Unlike disasters like hurricanes or fires, COVID-19’s response and recovery phases could extend longer. This storm won’t pass next week.
While protecting staff’s health and wellness may have previously fallen under Human Resources, Health, Safety, and Environmental, or Corporate Social Responsibility departments, during the past six months, nearly all of the security leaders Raines interviewed assumed handling virus-related concerns and procedures as they saw their roles change significantly. Many security leaders assumed responsibility for ensuring that workers knew how to transition to work-from-home and coordinated company-wide directives for COVID-19 response plans. Other organizations including government contractors balanced security needs by having employees focus on administrative or training tasks during remote work and instituting alternate in-office days to work with classified information.
Organizations also struggled to keep up with constantly changing government and medical guidelines for COVID-19. In February, companies may have been concerned with cleaning surfaces, where now the concern is aerosol transmission. Organizations that are based in the U.S. are still responding to travel restrictions and regional outbreaks, whereas organizations in Europe or Asia may have much more flexibility and “normalcy” back in place. Regionally, nationally, and internationally, each week companies have had to pivot their expectations to match the realities they faced.
Remote Work & Return to Office
The shift to work-from-home and remote work is one of the most obvious changes to companies across the globe in response to COVID-19. Most of the organizations Raines and the LFG consulted had some form of a work-from-home policy already established, albeit on a much smaller scale. While one leader Raines spoke with compared the concerns of shifting to work-from-home to the unrealized panic toward Y2K, in general, the largest work-from-home issue security leaders have faced involves the hurdle of new IT and cybersecurity needs. But, as work-from-home becomes the new normal, many organizations are reluctant to rush back to the office or are even offering permanent work-from-home options. This shift raises numerous security concerns that leaders must consider.
One important area that organizations need to focus on is the impact the shift of the home as the workplace has on its employees. An astute CEO and security leader should prepare for the impending rise in domestic violence and addiction issues triggered by COVID-19 as their Leaders should be prepared to identify warning signs and establish what an organization’s response will be to security concerns at home. Possible solutions include frequent video conferencing to physically lay eyes on employees and increased support for resource groups that employees can access. This challenge presents an opportunity for progressive business leaders to thoughtfully prepare procedures for handling the inevitability of domestic stressors spilling into the workplace, since the definitive line between home and place of business has considerably blurred.
While all 15 leaders Raines and the LFG spoke with said their respective organizations are adhering to CDC guidelines and local and state ordinances for return to work, including masks, symptom questionnaires, and social distancing, the overriding trend called for restraint in returning to the office. If employees’ job responsibilities do not require them to be in the office, organizations have preferred allowing employees to determine when to return to the office, and to avoid potential lawsuits that requiring them to return to what they consider an unsafe environment could trigger.
For employees who are returning to the workplace, most organizations Raines consulted are instituting new security technologies, including temperature checks, touchless technologies, and contact tracing. Many organizations are limiting the number of workers in the office and conducting health checks. One executive at a large technology firm noted that many of its workers were eager to return to work because they missed the community feel of the office; in that case, the organization had to establish policies for permitting partial return-to-work including alternate days and flexible work shifts in the office. This is an area that security leaders have been adapting to throughout the past six months, as guidelines shift and scientists learn more about how the disease spreads.
Now with six months of coronavirus response data, many organizations are taking a step back to review how they handled the emergency. Raines’ partners at the LFG recommend an After Action Review to assess their decision-making. “An After Action Review is a process-based retrospective approach that provides key findings, insights, and lessons learned to improve future response for comparable incidents,” the LFG’s founder and CEO G. Michael Verden explains.
How to Identify the Best CSO
For organizations seeking to establish a Chief Security Officer position in the post-COVID-19 world, the best candidate will be able to anticipate, prevent, and react to events while also remaining adaptable to respond to unexpected incidents or emergencies. In general, when asked what professional backgrounds serve a Chief Security Officer well, law enforcement and military were the top responses. Advantages of this background include the ability to adapt quickly with whatever tools are on hand and a proactive approach to security. While a military or law enforcement background may lend itself well to a security position, the best security leader is well-rounded and able to offer soft skills of emotional intelligence, approachability, organization, and team building. Leaders also must balance the rigidity of security needs with the reality of a workforce that may not welcome more guidelines and policies. In addition, because security leaders must understand the nuances of the corporate world in order to be effective, organizations can offer security executives tailored corporate training and leadership courses and a thorough onboarding process.
“As the pandemic crisis moves from the response to recovery phase, businesses need to prepare people for returning to the new workplace well before they step into the building,” the LFG’s Verden advises. “They can prepare their employees through a customized training, education, and awareness program that’s delivered via virtual forums like webinars and videos.”
“Effective CSOs understand their organizations need a comprehensive security program that protects employees and visitors through risk and security assessments that identify what they have and what they need to promote a safe and secure workplace, emergency management plans that protect against all hazards, and training that addresses workplace violence, warning signs of concerning behavior, and other security related areas,” Verden continues. “As we’ve seen during the pandemic, security leaders have responded to a myriad of business continuity challenges because security’s role in protecting an organization and its employees is intrinsically intertwined with its business objectives.”
Raines advocates for the Chief Security Officer to have a seat at the C-suite table. If that’s not possible, the CSO must at least have a direct line to the CEO and COO to be most effective. Security leaders must also have a strong relationship with the human resources department and communications team. Whether informing employees of the new protocol for return-to-work safety procedures or producing videos demonstrating how to securely work from home, the support of the communications department cannot be overstated. Because employees’ natural instinct may be to avoid protocol if it is cumbersome and every employee represents a potential risk to the company, it is vital that a CSO educates and engages all employees to participate in best practice-based security measures.
The Way Forward
COVID-19 has exposed weaknesses in many organizations, disrupted traditional business models, and offered an opportunity to adapt and grow. Whether preparing for or responding to a crisis or conducting general checks on security processes, the CSO plays a vital role in business continuity. An outstanding CSO offers organizations the opportunity to not only protect their employees from threats and concerns, but also to position the organization itself to excel.
We don’t have an end date for COVID-19 or work-from-home restrictions. We don’t know a lot about the disease or its long-term effects to society and individual and public health. But we do know that creative, adaptive, reflective, and well-prepared security leaders help their organizations navigate these crises more effectively. A CSO adds tremendous value to an organization by preparing for business continuity, preventing physical, cyber and human threats to an organization, and, ultimately, responding when a threat becomes a reality. While we plan and prepare for the many risks we might face, the right security leader empowered with the right tools, authority, skills and knowledge brings your organization a step closer to safety, security, and success.