Security and the CFO: Show Me the Money

“I have been able to create relationships with the CFO and the C-suite, and I have regular quarterly meetings so that when it’s time to ask for money, the repertoire is there,” says Jill Knesek, CSO of BT.

Chief Financial Officer (CFO), Finance Director, Corporate Treasurer…whatever the title may be, they control the money in an organization – where it’s spent, how much is spent, perhaps even why it’s spent.

As a corporate officer in many organizations and with a spot at the C-suite, the CFO is primarily responsible for managing the financial risks of a corporation. This officer is also responsible for financial planning and record-keeping, as well as financial reporting to higher management. In some sectors the CFO is also responsible for data analysis. The CFO typically reports to the CEO and to the board of directors and may additionally sit on the board.

As a CSO who may be trying to get a new security program or funding, the CFO is someone you’ll have to sit down and discuss how you spending money is actually going to save the company money. How do you sell security to someone who’s thinking it is all about dollars and cents, profit and loss and who possesses advanced business and financial degrees and experience?

For Jill Knesek, CSO of BT (British Telecom), it doesn’t have much to with security at all.

It’s The Business

BT is one of the world’s leading providers of communications solutions and services. The company’s principal activities include networked IT services, local, national and international telecommunications services, and higher value broadband and internet products and services. BT is also the world’s oldest communications company, with a direct line of descent from the first national telecommunications undertaking in the world.

The company’s global services security department, which Knesek heads up, operates in 170 countries, and is responsible for end-to-end security – cyber security, physical security, crime, fraud, asset protection and risk mitigation for 1,500 facilities. Knesek’s staff consists of 27 security directors.

“People in security think they are special because they save lives, but they’re not that special, because HR, marketing, sales and IT all think they’re special as well. We’re all competing for the same piece of pie,” says Professor Christopher Walker, executive professor of strategy with the College of Business Administration at Northeastern University, in Boston.

“With a CFO, it’s important to talk about security, but it’s more important to talk about the business,” Knesek says. “It’s been one my biggest challenges. But I have been able to create relationships with the CFO and the C-suite, and I have regular quarterly meetings so that when it’s time to ask for money, the rapport is there. So when I get face time with the CFO or the Board, I articulate reducing the cost of crime, protecting our brand and reputation and showing security’s long term value.”

“As a telecommunications company, we see a lot of potential for revenue fraud,” she says, “for example, theft of assets, cable, copper, and illegitimate customers. So I tell the CFO how my security operations will save millions of dollars in fraud losses per year. Once you start talking about dollars and cents and revenue, provide metrics and articulate how you will reduce costs with mitigation plans in place, you’re on your way to reaching the CFO. Security is not just about throwing a guard at a problem, it’s about reducing risk.”

As a former CSO with a Fortune 50 company and with a leading media firm, Christopher Walker once reported to the CFO. Professor Walker is currently the executive professor of strategy with the College of Business Administration at Northeastern University, in Boston, Mass. Professor Walker has also consulted with a number of business firms across several industries. He has created management development programs within three universities and among a range of organizations and businesses.

During his career, he says, articulating the logic behind the security systems that you want in place was always a difficult task. “You have to articulate financial logic behind doing what you do,” he suggests. “If you ask companies to spend a large of amount of money for a feeling of safety, that’s not sufficient. Articulate how you’re going to reduce the company’s liability exposure and the loss of assets. Show the financial impact that could be attached to a security disaster.”

Specifically, Professor Walker advocates benchmarking. “Someone has that experience,” he says. “Look at what has happened and the financial impact of litigation that has taken place, the case laws that are out there and provide a logical argument that embodies the legal and the financial aspects.”

As with Knesek, Walker stresses understanding your company’s line of business first. He also says that past experiences may not be the best thing on which to rely. “Maybe you have had success in another job so you make certain assumptions about what should be done in your current company. That’s not necessarily the best way to go about it because business is about context.”

The CFO: Tales from The Front

How have two CSO’s reached their CFO? Their advice:

“I report in to our COO, so I am not an expert on presenting to a CFO, albeit I have tremendous support from our CFO who stands behind our mission. I can only add that we view security in two areas, moral imperatives (life safety stuff) and then business resiliency (things that make sense for protecting the business and building continuity). The way I break out my mission regardless of who I am presenting to in leadership is easy: If we do not get the moral imperatives right, we will lose the faith of our people and clients; that outcome is a zero sum game. The resiliency piece is more measured against risk and spending in areas that are needed to sustain the business (protection, response, redundancy).”

Timothy S. Weir

“I concur with Tim’s position. I do think, however, that presentation of information is different based on who you need to connect with, while the underlying premise (moral or resiliency) is the same. For example, a CFO is focused on the dollars of it all, so sound business cases that translate the issue and result into numbers/productivity will resonate better. In this case, if we’re talking about moral imperative, part of the pitch might be cost of lost productivity due to absenteeism, fear, distraction, etc. Resiliency usually translates easily to some business language. A Chief HR Officer will be more focused on associate safety, perception and more, and less on bottom lines or other financials. So, the basic premises remain the same – the “language” you use to convey the opportunity and solution is geared toward your specific audience.”

Timothy T. Janes, CPP, CFE

Business Programs for CSOs and Mid-Level Security Managers from ASIS International:

Wharton/ASIS Program for Security Executives

October 31-November 4, 2011 and January 23-27, 2012, Philadelphia, PA

www.asisonline.org

Business Concepts for the Effective Security Manager

ASIS and Northeastern University

March 8-11, 2011; October 18-21, 2011

Boston, MA

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.

ON DEMAND: Apple Mac computer use is growing in the corporate space. Having the solutions and the knowledge base to respond to events that include Mac computers is just as important as their Windows counterparts.