The date September 11, 2001 is not only a day that lives in infamy, it represents the high water mark for the corporate security industry. Companies rushed to hire marquee security directors or increase the profile and cachet of their incumbent CSOs. They issued mandates to rebuild or dramatically enhance their security organizations. Resources flowed to security, and many businesses afforded the CSO unprecedented access to, or even a seat at, the executive table. In this era the value of security was just assumed, and security leaders could focus all of their attention on doing a great job of protecting the business without the distraction of having to justify their existence.
Over a decade after 9-11, however, life has become more difficult as corporate boards and business executives have moved past the hysteria and now regularly question the return on investment (ROI) of the security apparatus. And while many corporate security professionals have awakened to the need to highlight the value proposition their operations present to the company, few actually construct a credible and compelling business case to support security investments. Today’s security leader must be acutely tuned to the core business and be equal parts security professional and business enabler.
In most companies the notion that security should be seen and not heard is outdated. Indeed, there must be meaningful and proactive communication with business leaders, first and foremost regarding the identification and prioritization of key assets. This is an exercise that begins at the grass roots of the organization and culminates at the executive level. It serves to inform security while signaling to the business that security has embraced a business-oriented methodology to align its operations to the business needs, not the reverse. Once the crown jewels have been identified, a cost/impact model must be assigned to incidents that adversely affect those assets. This is where initiative and knowledge of the business play a critical role, but it’s also an area where security professionals struggle.
How do you measure the cost of the loss of critical intellectual property or damage to reputation? What is the cost of a negative customer experience due to theft of their personal data, or employee attrition due to workplace threats or violence? It’s difficult, but security must work with business to build consensus around the cost of these impacts.
Developing meaningful metrics of success to support the business case for sustained or increased investment in security is a universal challenge. Business heads are well acquainted with determining when they are succeeding. The evidence of success for security leaders is often less readily apparent. After all, the objective of the security department is to lessen the occurrence of bad events. However, tying the lessening of such events directly to a security initiative can often be a challenging task. Security leaders too often believe that more of a bad thing will support additional budget requests. However, more robberies, internal thefts, data losses, workplace violence and a host of other incidents are clearly not indicative of success.
The bottom line is – fear as the principal driver behind funding requests is a poor strategy.
Security professionals must also learn to speak the same language as business management. Often security professionals use their own jargon, which tends to construct a wall between security and the business managers. For example, use of words like “threats,” “intelligence” and “cap index” should be replaced with “risk” and “business information.” Specific and measurable goals and success metrics aligned with the business should be agreed upon and reviewed periodically with key business stakeholders.
The specific strategies and methods security employs to protect the key assets are mostly within the purview of security professionals, but as one wise security professional said: “the key to buy-in from the business managers and executives is to make them a part of the conspiracy.” To do their job effectively, security must increasingly rely on technology, which requires investment. Such investments require not just “buy-in” but genuine interest and support from bosses, stakeholders and especially Finance. Security topics are often more interesting than the day-to-day business operations, so making key business managers into partners by demonstrating business acumen and being inclusive just makes good business sense.
Chris Swecker has 30 years of experience in law enforcement, national security, legal, and corporate security/risk management positions. Swecker served 24 years with the Federal Bureau of Investigation (FBI) before retiring as Assistant Director of the FBI’s Criminal Investigative Division.
Michael Mason oversees and coordinates global security efforts throughout Verizon’s business units, including enterprise-wide security strategy and programs, physical security, cyber security, and law enforcement liaison matters. Prior to joining Verizon, he was an Executive Assistant Director with the Federal Bureau of Investigation, in charge of the Bureau’s Criminal, Cyber, Response and Services Branch.