Home » Security Leadership » Metrics/Budgets

Security's Value Proposition

If you're going to sell security to your CFO-and others in the organization-you'd better know what matters to them.

With the '90s came the corporation as criminal defendant, Internet connectivity, business conduct issues and the need for secure e-commerce. Then the millennium brought us the reality of terrorism, anthrax, SARS and major concerns for the adequacy of internal controls and ethical standards. In this short period, not only the concept of "corporate security" but the standing, skills and competencies of those who deliver the wide assortment of business protection services have expanded dramatically, culminating in the notion of the chief security officer. We are talking about CSOs these days because the nature of threat, vulnerability and business risk is expanding and the corner office wants a cohesive and comprehensive protection strategy.

Do your own history lesson. Look at the reporting relationship, compensation and senior management awareness of these aspects of operational risk within your company and other organizations with which you are familiar. The business world is far riskier today than 40 years ago, and it isn't likely to get any easier. Full-Service SecuritySowith this evolution in progress and a seemingly acknowledged need for a senior security executive within the management teamwhy do we CSOs continue to find ourselves wringing our hands about the value we bring to the table?

I think we've done a lousy job of selling the evolution and central governance roles of a full-service security program to thought leaders in business. I'd also not hesitate to put audit committeeseven the Big Whatever-Number-It-Is-Now accounting firms and the so-called consultancies that serve mahogany row and the business schoolson the detention list as well. I don't give a hoot who runs the full-service security program just as long as it encompasses all of the pieces and is directed with a recognition of how the individual parts can cost-effectively contribute to enterprise protection.

I know security can be a hard sell, not only because it adds cost but because our "clients" see our programs as adding inconvenience or cumbersome steps in business processes. But we all know the rules have changed in these past several decades, and good old Bobby Beancounter knows that as well. Don't forget that CFOs are risk managers at their core, and they know we live in a much riskier world these days.

Every enterprise is different, and the security story is equally diverse. CSOs have to find the hook that works within their unique corporate culture. This has to be the focus of the products we develop and sell. Big, complex technical environment? Big need for in-depth safeguards and redundancies. Other people's money? Trust and integrity. We all have a story that matches our company's risk profile and culture. What some of us have not done well is package the story for the multiple audiences we have. There are hooks for Bobby Beancounter that will ring his chimes, and there are different ones for the audit committee, the CEO, the CIO and so forth. If you are at the table, you will know what hooks work with each executive and how to package the story.