A CEO discount is when I offer an organisation a 10% reduction on my consultancy day-rate if they can arrange a 30-minute, 1-on-1, face-to-face meeting with the CEO.
Sound like a gimmick? Well, it is partially, I’m trying to run a business, but it’s also extremely beneficial to both sides. Not only that, it addresses the most fundamental of all security challenges: management buy-in/support.
From the client side, no project (especially one related to security) gets anywhere near the amount of support from all levels of the organisation that it needs to be a) operationally effective, and b) cost effective. If the CEO offers not only their verbal support, but active/pro-active support behind an objective, it becomes everyone’s priority. As I state incessantly: “If my boss doesn’t care about something, guess how much I care about it.” This begins at the CEO level and doesn’t stop until the most junior person is equally infected by apathy, indifference, or both.
If the CEO cares, or is merely seen to care, security related projects tend to finish in half the time, at half the cost, and with double the effectiveness and sustainability. Yes, I just made these ‘statistics’ up, but in 15+ years doing this stuff I would be very surprised if I’m off by much.
From my side, if the prospective client is not prepared to even entertain the notion of approaching their CEO, that tells me all I need to know about their security culture, i.e. they don’t have one.
A phrase I have used MANY times now: “Let’s be very clear; the CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter goal here], it’s the CEO’s fault, and no-one else’s.”
I should up my day-rate if I DON’T get to see the CEO!
So with just 30 minutes of prep, which will hopefully result in an agreement from the CEO to send no more than 3 emails (which I will even draft) over the subsequent 12 months, I will have removed the vast majority of roadblocks faced by every security person, usually on a daily basis.
Most security people feel, in the words of the hopefully immortal Billy Connolly, “…as welcome as a fart in a spacesuit.” Anything I can do to deflect that stigma is worth a measly 10%.
Anyway, what are the 3 emails I referred to? With gross simplification:
- “Dear All, a company-wide security program is happening, this is VERY important to me, pay attention and give the implementation team your full support. I will be receiving regular reports.”;
- “Dear All, we have finished the security framework, and released the new policies, procedures and standards that will dictate how we conduct our business from this point forward. An education and training program will be released shortly, and your FULL cooperation is expected. I will be receiving regular reports.”; and (if required)
- “Dear Some, [and I know who you are from my reports] you are not taking this program seriously, start doing so or there will be negative consequences.”
Of course, all of this is rather negative, but there is no reason this could not be organised as more of a ‘carrot’ than ‘stick’ exercise. Marketing/PR should be allowed to focus their communication skills and efforts internally when stakes are this high.
It takes just one visionary CEO in an organisation’s history to get the ball rolling in the right direction; the security program should then become completely self-sustaining as the obvious and ever-growing need for security becomes embedded in the culture. There is no security until everyone accepts their individual responsibility and accountability for it, and is active in doing their part.
With any security program, individual incumbents in any role should take a backseat to the company-wide culture, even the CEO. The reason most security programs fail is because they were driven by the security department without the necessary support from senior leadership. From my perspective, if the CEO doesn’t support something, don’t even bother trying to implement it, even if it’s the right thing to do.
Why do you think so many CSOs and CISOs fail? A few are clearly incompetent, but the majority of them just didn’t get enough support to make positive change.
If a few hours a year of the CEO’s time to instil a business-saving culture is too much to ask, they will be breached, and they will deserve it.