Jerry Brennan is probably the most well-known and prolific recruiter of corporate security talent. After serving as a security executive for multiple companies, including Mobil Oil, he co-founded SMR Group, whose search practice is exclusively focused on professional and executive level security risk professionals. Brennan has placed more than 1,000 security executives in 62 countries, with clients that include one-third of the Fortune 100. He operates out of Virginia with offices in London and Hong Kong.
We interviewed Brennan to talk about how security recruiting has changed, the issue of physical and cyber convergence, and how COVID is changing the security industry.
How has the profile of the security executive changed, and how has what companies are looking for changed since you started recruiting?
Initially, programs focused on physical issues and reactive issues related to employee misconduct and investigations. It was very “gates, guards, and guns.” Technology, like access control systems, was standalone and single purpose, programs were reactive and security departments liked to lock themselves away from the rest of the company. Many were isolated in areas like basements. And these professionals had a mindset that was very insular from the rest of the organization.
I remember Dennis Dalton wrote a couple of groundbreaking books about how to become a business partner and enabler. That seemed to spur a new way of thinking about corporate security.
Yes, Dennis and I were very much aligned in terms of our view of the world. Government always fed a high percentage of the security field. It’s still running about 85% worldwide, with mid to senior level people in private security coming from government of some sort. Back then, the government was behind in embracing technology and the agencies were reactive and isolated, and that carried over. Newly hired private security executives did not want their department to be integrated in the company, they wanted it locked down. It was very “us versus them.” Business acumen, business integration, and the expanded utilization of technology, as Dennis and a few other exceptions advocated, were not commonly on the table.
What turned the tide?
First, business leadership grew tired of spending money with no thoughtful analysis of value to the company. This was also part of the organizational re-engineering trends throughout the 1990s. ASIS created its guideline commission in the 2000s, writing the CSO guideline as a model. I quickly volunteered to lead that. I felt it needed to look like a business position. The concept was to look at the 5 key areas of business risk and find ways you could make a difference in the organization. It was a 50,000-foot look at how for that organization, in that culture, you could align the security department from a business perspective. It is about influence, not ownership. It recommended having a single point of accountability at a senior enough level charged with the governance of the issues related to mitigating security related risks for your company.
And then physical and cyber convergence became the hot, and controversial, issue.
Absolutely. If you ask a security leader about owning IT security, most will say no. They view it as requiring you to be a technology expert. But you don’t. IT security is not information security. It pertains to the security of systems that collect, store, and transmit data. Information security may or may not reside within a computer system. It relates to the broader concept of intellectual property. You do not have to be the subject matter expert on cyber security and related technology. I don’t know many CSOs installing cameras or other physical security systems. They do need a current functional understanding of the utilization of technology and what the company wants to achieve with it.
What were the structural implications?
The point was, you didn’t necessarily have to own it. You want your teams to be conversant with it. Convergence is about understanding where the pieces are and being able to influence. It could be centralized, done through risk committees, or matrixed. When people don’t understand it, they are often afraid of it. But it’s probably one of the major changes in a CSO’s repertoire, along with being a business enabler, having a seat at the table and doing board presentations, understanding the corporate risk profile, being involved in mergers and acquisitions, conducting due diligence, and now resiliency.
Resiliency was an evolution of crisis management, or did it have a different origin?
Resiliency came out of an analysis of the supply chain. There’s a perfect spot for security to be; security doesn’t have to own it. You support the supply chain, understand their needs. As you start to understand the flow of materials, and possible disruptions like pandemics or Fukushima, you end up having a much greater business acumen capability, and you perhaps start seeing proactively where things might go bad.
Pandemic, recession, civil unrest. They are current flashpoints for society. Are they also flashpoints for the future of the security profession?
It can go in a lot of directions. There is a tremendous opportunity for security leaders of the future to not only exhibit coolness and calm in a crisis to help manage immediate issues, but also to understand the business and how the security function can add value as an enabler. The pandemic crisis, like all “war zones,” will come and go.
What’s the future of the CSO? On one hand, security during COVID is pivoting toward making people feel comfortable coming back to the office. That’s a change to more of a safety function. At the same time, we know not everyone is coming back to the office. Now there will be less of a physical footprint to secure, but more cyber, fraud, and information issues. Do safety and security merge and roll up into cybersecurity?
The times I’ve observed physical security getting rolled up into CISO have been when the CISO is perceived to have more executive skills than their physical counterparts. Organizations want an executive they can relate to and talk to. It’s hard to say generically whether EHS leaders are better prepared to take on security. Can they be strategic, brief and influence the executive management team, and instill confidence during a critical event or crisis? Right now it appears to be effective and good PR to have security performing this safety function in public-facing businesses. Pre-COVID, we ignored health. People always came to work sick. This crisis is forcing companies to rethink policies on sick leave, sick pay, how job descriptions are framed. They haven’t fully integrated work at home versus office dynamics strategies.
If today you were a mid-level private security practitioner or a retiring senior government official and wanted to be a CSO, what skill sets would you need going forward?
We just did a study on this. Oddly, the gap we see most between junior and senior professionals is business acumen and influence. Not until executives make a base of $250K do they more frequently list business acumen as one of their top 5 soft skills. Understanding effective business skills, how businesses function and how to read a balance sheet are critical skills needed at that level. The 21st century CSO may well look more like an intelligence officer than a police officer or investigator. They gather information on a wider array of topics, do the analysis, connect widely disparate dots, and offer a mitigation strategy or response to what they have found. Then use that to enable your stakeholder’s/partner’s success.