A few times I've had a similar conversation with a few leaders in the security industry. They had been experiencing the same reaction from their enterprise leadership and were frustrated to the point of looking for another job. Their joint frustration revolved around a lack of support for their security vision. They could not seem to get past the barriers in perception and show that they did much more than request and manage security clearances and facilities. This may be a common issue facing many FSOs throughout the National Industrial Security Program cleared defense contractor base.
These issues could stem from three possible challenges facing cleared defense contractor companies. The first is that the FSO has not developed a reputation as a corporate leader with effective strategies to ensure the organization is prepared to compete, win, and maintain classified contracts. The second is the cause of the first in that the company has grown, and the original FSO may not possess the leadership skills necessary to continue to engage as necessary. Finally, the security manager is not considered an executive function and falls under a corporate executive and outside of those performing on classified work (a corporate executive vs. a program manager).
Understanding how security fits into the organization is crucial. Security managers who over-react or use unsubstantiated scare tactics can lose credibility quickly. This could manifest through denial of requests for tools, resources, and capabilities that the workforce needs. Instead of considering workarounds, the FSO may naturally be inclined to say "no" instead of doing the hard and helpful work of performing a risk assessment and providing helpful solutions. Rather than assuming the role of "Dr. No," FSOs should possess the skill to develop policy that supports NISPOM requirements AND provides for the fulfillment of the classified contract's objectives, work products, and deliverables.
I've often witnessed FSOs respond to requests with "DSS (DCSA) won't allow it," or the more popular "it violates the NISPOM", only to have industrious cleared employees find a workable solution approved by the government customer, while going around the FSO. Think about what that does to the FSO's credibility and influence. They may never be consulted again and could have their office reduced to, "just get us our security clearances and we'll take care of the rest".
FSOs should also understand that the security program is there for the cleared employees and not the other way around. The cleared employees perform on the classified contracts, the work that brings revenue to the company. The FSO brings the resources, guidance, consultation and tools to facilitate the performance on classified contracts.
For example, security practitioners may present security requirements above and beyond the NISPOM when they are not necessary. When challenged to justify expenses or the rationale for a change in policy, FSOs may defend their decisions by recalling conference or training events and may take such requests as personal challenges. The experienced FSO understands that security decisions are based on careful risk assessment, and not on general or best practices that may not fit a company's business model or culture. A more succinct example is the FSO requiring the organization to provide monitored surveillance and alarms for the protection of SECRET documents already adequately secured in a GSA approved security container.
The second problem addresses the level of the hired or appointed FSO as the company grows from 50 to 300 cleared employees. The FSO for the 50-person company may just need clerical and administrative skills to provide security assistance to the few cleared employees working one or two classified contracts. In this case the company grows to 300 cleared employees, with 15 contracts, and is managing growth problems and opportunities. The growth requires a sound strategy that goes beyond clerical skills.
In the third situation, the corporate office misunderstands the role of the FSO and assumes that they have limited leadership skills and roles. Suppose the FSO is experienced in leadership, but is buried under many levels of leadership and not able to influence decision making. They could make sensible recommendations based on threat assessment and NISPOM requirements. The program is presented professionally, but the management does not understand the role of the FSO as compliance officer and they are typically left underutilized. Perhaps they consider the FSO as a strictly administrative function. In these instances, the FSO has little input into the culture of the company and struggles to implement critical security measures.
Larger and very successful cleared defense contractors understand the needed balance. These companies have security managers, chief security officers and compliance officers that are able to address security, privacy, and sensitive company information. These officers usually hold positions and responsibilities at the executive level as well as possess management skills and graduate degrees.
Influencing Change
So, how does the described security manager create influence and credibility that counts? First of all, they should approach their profession as risk managers. They should factor in the contractual requirements, NISPOM, government contracting activity, and potential growth. A growing security requirement is expensive; resources should be planned for and budgets presented based on quantified risk and not fear tactics.
Learn how the company earns money. Understand the acquisition and buying system and become an expert. When the security manager understands the contracts process, they can contribute and present the security program in such a way that everyone understands. Instant credibility is gained when management knows the security manager is on board with cost reduction and compliance.
Presenting the security program does not have to be a frustrating event. If a security manager is in a position lacking credibility and influence, then they should do whatever it takes to move to the next step. Establishing credibility is a must, and it involves making the transition from an administrative clerk to a risk-analyzing and compliance professional. Learning to look and act like management and demonstrating an understanding of the business cycle is key to making that move toward excellence.