Undercover

Security's Value Proposition

If you're going to sell security to your CFO, and others in the organization, you'd better know what matters to them.

By Anonymous

August 01, 2003

CSO — Last week, my company's CFO, Bob Beancounter, popped in to my office and dropped a bombshell. "I need some solid evidence that your security programs are contributing to the organization's productivity, its competitiveness and ultimately its bottom line," he said without a hint of apology.

"Evidence?" I asked him. And then repeated it, as if auditioning for a role in some cheesy made-for-TV drama. "Evidence? Hmm. You've got to help me with this one, Bob," I said slyly. "I mean, how do you calculate the cost of a bad employee?" I reminded him that we had been steered clear of hiring hundreds of people in the past several years as a result of what we had discovered during our background investigations, costing only about $125 each. "Do you think more than a few of those rejects might have cost us some serious money had we hired them?" I asked.

"Well, I...," he stumbled. But I had already started down a path of no return.

"Huh. We can demonstrate how our security measures contribute to shareholder value due to lower losses per dollar of sales versus the competition. And, by the way, we have fewer security personnel per employee than any of our competitors," I added.

"And I recall that we were back in business before our competitors were after 9/11 because we had adequately planned and tested business resumption plans," I cited. "I remember that the CEO made some real hay with that one at the annual meeting."

But I wasn't done. "Because of our preventive and detective tools, we haven't had even one minute of downtime due to the increasingly serious viruses and worms that hit us on a regular basis. Has that helped productivity and the bottom line?" I asked.

Then I wondered aloud if he had checked with risk management lately. "Our insurance premiums have all been reduced since they reviewed our safeguards," I told him. "And remember that company marketing wants to hire to manage phone sales? You should have seen the incredible holes we found in their information protection program. Can you help me figure the cost if they had lost our customers' credit card numbers or other sensitive information as a result?"

Finally, I mentioned how Mrs. Jameson might put a dollar value on the security here: One of our security officers saved her husband's life a few weeks back by using the defib after he had a heart attack. It took the EMTs 30 minutes to get here, but our guys were there in three.
