With her broader view of risk and deep knowledge of business, Shelley Stewart has made risk and security management a value creator. The executive director of global security for Cummins, an international manufacturer of diesel engines and power generators, didn't come to the position with the usual background in security.
"A lot of people in my role grew up in law enforcement," she says. "I didn't."
The 2012 CSO Compass Award Honorees
This year's CSO Compass Award winners point the way toward risk management that's more inclusive -- and more exact
She started as director of benefits strategy, and after implementing a major overhaul of the company's healthcare program, she began looking for a new challenge. The director of risk insurance had just left the company and Stewart, along with her boss, recognized she had two strengths that made her a perfect fit for the job: a deep knowledge of insurance and an excellent understanding of Cummins. That last is no small thing in a company with 44,000 employees and customers in 190 countries.
Working closely with the risk management group gave her a comprehensive understanding of security operations, and she was asked to help find a new head of security for the company. "The senior executives weren't comfortable with the outside candidates who'd been brought in," says Stewart. "As the search went on, my boss kept saying, 'You should do it.'"
In her previous positions, Stewart had been able to increase the business value of the risk, safety, human resources and environmental functions. Management realized that this ability and her knowledge of the corporate culture were more important than a background in government, law enforcement, security systems or investigation.
As head of global security, Stewart is in charge of security operations, information asset protection, standardizing security processes, and intelligence and crisis management. Stewart says she figures out how security can better help business units instead of just telling them what the problems are.
"My job isn't to tell them what not to do, but how to do it with the least risk," she says. "This sometimes means security doesn't have to be as extensive as we thought because it turns out the risk we're protecting against isn't that great."
One of her most important achievements was putting together an intelligence program that quickly delivers information around the world. This program helped her, her team and their partners execute preventive measures in response to the Arab Spring, the 2011 earthquake and nuclear disaster in Japan, and other crises.
While Stewart knows that a strong knowledge of security is essential for risk management, she understands that other skills are important, too. She believes having a deep understanding of business drivers is the key to making security add value to the organization.
"We could see that the company's most critical asset is engineering information, so we brought in an engineer to help us with information asset protection," she says. "This let us understand that in order to help the company, we had to come up with ways to protect that information which were flexible enough to let us work with outside partners."