What Security's Worth

From the Publisher

By Bob Bragdon, Publisher, CSO

July 01, 2006 — CSO —

There's gold in them there hills

That’s what I am hearing nowadays from CSOs, who for years have struggled to identify the real value that security delivers to their organizations. In many ways it is the same old challenge from CEOs who ask questions like: “We spend millions on security and nothing bad happens. Is that because of the millions spent on security or because nothing bad was going to happen in the first place?”

How can you better exhibit the business value of security to guarantee continued support from senior management?

Many security executives, as they struggled with the compliance issues around such laws as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley, were the first to complain about the waste of money their organizations were forced to spend on compliance measures. But about 14 months ago, I began to observe an interesting development. CSOs were taking note of the additional benefits that were emerging from these compliance exercises. Sure, the controls and accountability requirements resonate with security types. But they were discovering real business value—beyond just keeping their CEOs out of jail.

Example: A simple technology like spam filtering allowed businesses to reduce the amount of time that their employees spent weeding through junk e-mail. If your employees bill by the hour, like lawyers or accountants do, the savings equation is simple: less spam = greater productivity = more billable hours. Bingo! A business benefit.

But you’re going far beyond that today. Think about video surveillance. Tyco has installed video CCTV systems in many retailers that incorporate back-end technology that allows a computer to count the number of people going into or out of a particular retail outlet. Easy to see the value in that, right? But take it to the next step. By correlating traffic volume counts with advertising and promotions, the retailer can see how many more people are coming into their stores when they run an ad and compare that to when there are no ads running. In the past, advertising success would have been measured strictly by sales figures. We ran the ad. Did we sell more garden gnomes?

But sales figures alone don’t tell the whole story. If the Tyco system sees that the ad actually did drive an increase in the number of shoppers, but the point-of-sale systems (cash registers) don’t show an increase in sales, then something else may be going on. Maybe the gnomes are poorly located in the store. Maybe they are too scary looking, or the price is too high. What we’re getting to here is real business intelligence.

The key to selling the value of security in your business is to identify where results deliver business value beyond just delivering on a security need. Spam filtering technology cuts down on wasted time and increases billable hours. Surveillance technology allows retailers more insight into marketing and merchandising performance. Meet with your business units and ask them, “what else could you do with this information that we’re collecting for security operations?” Look at your own organization and I bet you’ll find many examples.

Read more about data protection in CSOonline's Data Protection section.

Other stories by Bob Bragdon, Publisher, CSO

• Print