Two surveys were published in recent issues of Security Magazine. Each showed that a significant gap exists between the value security brings to the business and the CEOs’ perception of that value.
As a former investment banker with a Babson MBA, I can see exactly why this gap exists. I spend most of my time working with CEOs to close this gap. My recent book was written to show how today’s security professionals are winning “A Seat at the Table” and how you can too.
CEOs have invested millions of dollars' worth of products and services expecting to solve the problem of security. They've spent countless hours on meeting compliance regulations, while we security professionals have worked tirelessly our entire careers to protect our corporate environments from an endless stream of attacks.
Yet 2006 will forever be known as “The Year of the Data Security Breach.” CEOs are asking “Where’s the ROI on that?” CEOs don’t want algorithms. They want actionable solutions. At the end of the day what a CEO must have to stay the CEO is profits, corporate performance and business agility.
We know how to deliver security. The real challenge is how to sell security internally to win a seat at the table. What we’ve seen in the past is security sold by fear-mongering and more recently by the threat of prosecution.
Selling security based on fear doesn’t work.
CEOs are a fearless group. In fact, they have learned that risk is where the greatest returns are in business. Selling security as a necessity to meet regulatory compliance doesn’t work either. Selling security based on regulatory compliance makes security the very definition of a cost center and no CEO wakes up in the morning looking to grow his or her cost center. The only way to better manage a cost center is to reduce it, which is exactly what security professionals are seeing today in continuous budget cuts.
So how can we change the course of security history?
The first step is to change the way we think about the business value we deliver to the corporation. The time it takes to educate the CEO on how security works is a luxury we can no longer afford. Globalization is changing the world in which we do business too fast to wait for the CEO to change.
We need to recognize that when we deliver security we are driving profits, corporate performance and business agility and we need to understand exactly how we are doing so.
“The starting point of all change is mindset.”
Tom Peters, Author
In Search of Excellence
Globalization, digitalization and personalization are changing the way business is done today and forever. 2006 was the Year of the Data Security Breach because the volume and rate of change, which no one accurately predicted, have completely outpaced the best-practice processes designed to support them.
A security breach is not the core problem; it is the end result of a core problem within the business itself. The core problem merely presented itself as a security breach. Correcting the core problem within the business improves corporate performance.
Remember, when we break down Sarbanes-Oxley, for instance, we see that the major components of this legislation are just good business. Maintaining and assuring internal control structures for financial, operational and risk management reports, so that the information received by the executives who make key strategic decisions based on it is trusted and accurate, is just good business.
Yet when we focus on compliance as a checkbox, we are labeled a cost center. We need to change our own thinking and recognize that we are empowering executives to make better strategic decisions by delivering accurate information that they can trust. That brings us to step two.