Two surveys were published in recent issues of Security Magazine. Each showed that a significant gap exists between the value security brings to the business and the CEOs’ perception of that value.
As a former investment banker with a Babson MBA, I can see exactly why this gap exists. I spend most of my time working with CEOs to close this gap. My recent book was written to show how today’s security professionals are winning “A Seat at the Table” and how you can too.
CEOs have invested millions of dollars worth of products and services expecting to solve the problem of security. They’ve spent countless hours on meeting compliance regulations while security professionals worked tirelessly our entire careers to protect our corporate environments from an endless stream of attacks.
Yet 2006 will forever be known as “The Year of the Data Security Breach.” CEOs are asking “Where’s the ROI on that?” CEOs don’t want algorithms. They want actionable solutions. At the end of the day what a CEO must have to stay the CEO is profits, corporate performance and business agility.
We know how to deliver security. The real challenge is how to sell security internally to win a seat at the table. What we’ve seen in the past is security sold by fear-mongering and more recently by the threat of prosecution.
Selling security based on fear doesn’t work.
CEOs are a fearless group. In fact, they have learned that risk is where the greatest returns are in business. Selling security as a necessity to meet regulatory compliance doesn’t work either. Selling security based on regulatory compliance makes security the very definition of a cost center and no CEO wakes up in the morning looking to grow his or her cost center. The only way to better manage a cost center is to reduce it, which is exactly what security professionals are seeing today in continuous budget cuts.
So how can we change the course of security history?
STEP ONE: CHANGE HOW WE VALUE WHAT WE DO
The first step is to change the way we think about the business value we deliver to the corporation. The time it takes to educate the CEO on how security works is a luxury we can no longer afford. Globalization is changing the world in which we do business too fast to wait for the CEO to change.
We need to recognize that when we deliver security we are driving profits, corporate performance and business agility and we need to understand exactly how we are doing so.
“The starting point of all change is mindset.”
Tom Peters, Author
In Search of Excellence
Globalization, digitalization and personalization are changing the way business is done today and forever. 2006 was the Year of the Data Security Breach because it is both the volume and rate of change that no one accurately predicted that has completely outpaced the best practice processes designed to support them.
A security breach is not the core problem; it is the end result of a core problem within the business itself. The core problem merely presented itself as a security breach. Correcting the core problem within the business improves corporate performance.
Remember when we breakdown Sarbanes-Oxley, for instance, we see that the major components of this legislation is just good business. Maintaining and assuring internal control structures for financial, operational and risk management reports so that the information received by those executives who are making key strategic decisions based upon that information is rusted and accuracy is just good business.
Yet when we focus on compliance as a checkbox, we are labeled a cost center. We need to change our own thinking and recognize that we are empowering executives to make better strategic decisions by delivering accurate information that they can trust. That brings us to step two.
STEP TWO: ALIGN WITH THOSE “OTHER EXECUTIVES”
While it is important to continue to collaborate with those executives such as Legal and Operations that we are used to collaborating with, they too are cost centers. We need to also align ourselves with those other executives who we have historically had the least amount of proactive collaboration with – the VP of sales, VP of marketing and the CFO.
Often corporate security is seen as the division that will prevent a sale, prohibit a marketing campaign or command significant unplanned expenses. For security to win “A Seat at the Table” we have to be invited by everyone who is already there. There is no shortage of ways to do that.
For example, when security creates a new customer portal making it “easier for new customer to start buying,” the VP of sales wins and security maintains the corporate security policy on new customer access.
Take the VP of marketing to lunch and ask what his or her top three objectives are for the year. Look to see where you, as the security professional, can enable the delivery of at least one of those objectives. Marketing is responsible for creating intellectual property for the company, while security is responsible for protecting that intellectual property. If we are not working closely with marketing, as business consultants for them, to help them meet their top three objectives, we are missing a great opportunity to close the gap between the value security brings to the business and the CEO’s perception of that value.
When a CFO can reduce the costs of ping, power and pipe by upwards of 70 percent by virtualizing the corporate data center, it creates a compelling business case that many security professionals are able to leverage to also meet their disaster recovery needs. The business value to the company that security delivers via virtualization is what every CFO and CEO already values – business agility.
STEP THREE: MEASURE FIRSTWHAT MATTERS MOST TO THE CEO
As we explained earlier, CEOs want actionable solutions. At the end of the day what a CEO must have, to stay the CEO is profits, corporate performance and business agility.
When a security breach occurs, what we have historically measured was everything but lost revenues and profits. We need to appreciate that the weakness in the component of the system that enabled the security breach leaked not only data, but revenues and profits, too.
Because a security breach represents an underlying revenue and profitability problem that had gone undetected, preventing a security breach should be managed with the same level of urgency.
If every data security breach were seen by a CEO as a lost revenue or profit opportunity there would be virtually no limit to the amount of resources invested in the correction of the problem at its very core.
We are seeing many of the emerging technologies purchased today with funds from security’s budget directly benefiting other departments even more than they do security.
For example, e-mail discovery tools had been used in a litigation case to identify the offending e-mail thread at a global energy company. Funds for these tools came out of the security budget. What this global energy company looking through volumes of e-mails had come to discover were customer conversations about new products that their existing customers would be willing to buy. Marketing was able to use this email recapture as a form of accurate, real-time customer intelligence to build new products and create new revenue streams.
This was neither an isolated event nor a surprising result when we remember that security used to be considered part of everyone’s job – back in the day when everyone knew who their customers and fellow employees were. In fact, today security needs to be seen as everyone’s job again and not solely the job of the CSO.
“Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure.”
Nelson Mandela
