Home » Security Leadership » Metrics/Budgets

Security's Value Proposition

If you're going to sell security to your CFO-and others in the organization-you'd better know what matters to them.

Yup, Mr. Beancounter, I think we're doing our part in contributing to the bottom line in this organization. But we also do so much more than that. At the end of the day, I think what we are about is helping the company run its business in a risky world. Maybe it doesn't end up on your balance sheet as a line item, but I'd bet the bottom line that the bottom line would be a lot smaller if we didn't do what we do around here.Eyes Wide OpenNow, I'd love to have a buck for every discussion I've been a part of that wondered how the corporate security team could demonstrate to the bean countersand to mahogany row, for that matterthat it is far more than just another cost center.

All you need to do is look back at the past decade to see that security is a fundamental element of core business processes. Start with the Corporate Sentencing Guidelines or all the high-level resignations due to phony experience credentials. Or consider internationaland now domesticterrorism threats. Or think about intellectual property theft and product diversion. What about the high-level internal misconduct and criminal activity, and the daily reality of cybercrime and business interruption? Look at any one of those areas, and you've got yourself a good case for the bean counters.

Yet I've worked for executives who never saw the real value without my persuasion. They thought that any activity that couldn't demonstrate a direct contribution to the revenue stream and profit margin was an albatross around the neck of the company. They never took the time to understand our mission and its relationship to the protection of the enterprise.

I say this with no apologies: CSOs are enablers. We provide services that allow the enterprise to meet business risk with its eyes wide open. Its value is in managing risk. I mean, if you want to own buildings with big rents for tenant businesses, you'd better have good life-safety systems and procedures. If you want to do e-commerce, you'd better provide a secure means for customers to deal with you. If you handle other people's money, you'd better have in-depth controls around integrity. If you want to build a business in a risky foreign environment, you'd better have security on your agenda.

U.S. business is going through an evolution of sorts when it comes to security and its growing role within business operations. Thirty or 40 years ago, we moved from the basics of general asset protection to more risk-focused content prompted by negligent security litigation, safe and secure issues of employment law, and increasing notice of workplace violence. As the American workplace moved into ever-increasing technological complexity and reliance, the threats became more sophisticated, and remote and business continuity took on new meaning.