Bob Hayes, the former security chief for 3M and Georgia-Pacific who now hangs his hat at this magazine, likes to joke that if you don’t have good numbers to back up your security program, you’d better get a good tailor. He’s got a point. That starch in your crisp white collar can only hold up so much. If you really want to make a good impression, you’ve gotta muscle in with some numbers. We’re talking metrics, baby: proof positive that your security program can do the heavy lifting that’s required.

To help, we’ve compiled some dos and don’ts for using numbers to make a case for security, from finding the right metrics to dressing them up real pretty. Here’s to getting it all into shape.

1| DO Make the most of what you’ve got

Feel like you don’t have much to begin with? Don’t despair. It’s not just what you’ve got, as they say, but how you work it.

Suppose, for instance, that half a million dollars’ worth of products gets stolen on the way to customers each year. In the greater scheme of things, other executives might not care much about $500,000 worth of goods. (They can send the cash our way if they think it’s such small change.) But if you point out that the company has invested hundreds of millions of dollars in its supply chain and that customers aren’t getting their orders on time for security reasons, “that kind of talk will get people very interested and concerned,” says David Saenz, vice president of worldwide security at Levi Strauss & Co.

“Look at where the organization is going, and see how your work contributes to that, and then link your priorities and service to those jobs,” Saenz adds. In other words, good numbers are all about business context.

You might already have more useful numbers than you think. Rate data is one place to start. What did you spend last year per employee on security? Per computer on information security? Per square foot on guards? And what will you spend next year?
It’s all about finding good metrics within your reams of data.

2| DON’T Ignore where you started

Whenever you decide to undertake a significant project, do whatever you can to establish a baseline first. It’s like knowing how much you can bench-press on your first day at the gym.

Here’s the kind of example you probably dream of. A few years back, Saenz’s group decided to act on a businesswide goal of reducing counterfeiting in key markets. The first step was finding out exactly what market share belonged to counterfeit products in China, Italy and the Philippines. The company hired a marketing firm to conduct a survey, and it turned out that 40 percent of the market share was counterfeit Levis, while genuine Levis had only 9 percent of the market share (which still ranked it first among genuine brands). Saenz’s group started filing lawsuits against sellers and working with local officials to seize counterfeit goods; over the course of a few years, he was able to show that the counterfeit market share dropped to 15 percent and Levi’s genuine market share rose to 12 percent.

That’s a surefire way to turn some heads, considering where Saenz started. And look, Ma, no calculus!

3| DO Get creative

We can see you sweating already. Baseline? What baseline? Executives outside of retail, and those who are trying to secure IT assets in particular, complain that if you’re not talking about boxes of widgets, it’s hard to know where to get that baseline. Sometimes there are industry benchmarks that can help. The Building Owners & Managers Association International, for example, tracks how much money companies are spending on security per rentable square foot each year. But other times, you might have to get more creative.

Ken Pfiel, CSO of Capital IQ, a New York-based financial services technology company that was recently acquired by Standard & Poor’s, relies on infosec studies as a starting point.
He says that if you know, say, that a certain virus cost companies $X billion, then you can extrapolate how much money you are saving the company. That’ll get you to a little something called a return on security investment (ROSI). (Hint: Your CFO will like that.)

4| DON’T Get too creative

Be careful about the numbers you begin with, though, or you’ll gain a rep as a FUD-meister. (That’s fear, uncertainty and doubt, for those of you who’ve managed to keep the words out of your vocabulary.) A lot of the vendor-driven research has its own game plan: getting you in the door and your pocketbook open.

“You’re always left to your own interpretation when using numbers that have been put out there,” Pfiel warns. “A lot of [studies publicized by vendors] may be scare tactics and things that are trying to draw a revenue, but there are also some solid facts behind that. I think a good rule of thumb is the old adage: Believe half of what you see and none of what you hear. If you cut those numbers in half, you’ve eliminated your margin of error.”

Maybe you’re being overly conservative using this adage, he says, “but any numbers, as long as you can reference them, are helpful.”

5| DO Get people to look at you

Just because you have some solid numbers to share, however, doesn’t mean they should be the be-all and end-all of your presentation to the board. Far from it. You don’t want to blend into the scenery. “In the background on television, when you see [the screen] behind Peter Jennings or Dan Rather or Tom Brokaw, what does it contain?” asks Jerry Weissman, the corporate presentation consultant who wrote Presenting to Win: The Art of Telling Your Story. “It contains two words or four words, or an image and four words, and then they [the newscasters] tell the story.” They don’t rely on the screen to tell it for them.

Likewise, make sure that PowerPoint slides are backing you up rather than repeating your entire message and then some. And most of all, make sure they’re legible.
Weissman has seen too many presentations where legends are indecipherable or the gridlines are impossible to follow. (Haven’t we all, really? And don’t they always happen right after lunch?) And don’t get Weissman started on people who don’t right-justify columns of numbers, leaving an inebriated-looking column of commas and zeros. “Any one of these violations of the depictions of the numbers is a distraction from the presenter and the presenter’s message,” Weissman says. Keep the slides simple, label charts clearly, and try to get people to look at you, not your numbers.

6| DO Leave something eye-catching behind

A better bet is numbers that people can take away, not ones they’ll squint at while you’re trying to make your case. At jobs in the past, Hayes liked to hand out an annual wallet card that summarized what the security department had accomplished in the previous year, compared with what it had done in the past. (See a mock-up on Page 34.) The trifold card showed, for instance, year-to-year changes in the number of attempted virus attacks and successful virus attacks, and it highlighted the cost per hour of a full-time security employee versus a consultant. (FTEs are a bargain, of course; generally, they earn two digits an hour instead of three. So why not point it out?)

You can either create a wallet card on your own, or, better yet, try to adapt whatever kind of dashboard or scorecard is used in other parts of the business. And whenever possible, Hayes says, focus on output, not input. “I had a senior vice president once say there’s a big difference between activity and results,” Hayes says. “Yeah, you were busy, but is that all you got? Lots of people are busy. What would happen if you didn’t do your job?”

7| DON’T Ignore the alternatives

Decided that your chance of finding a ROSI is about as good as your appearing on the cover of Esquire? The ability to directly tie the work you’re doing to the business goal can be a good substitute for hard-and-fast numbers.
Alan Mayer-Sommer, an associate professor at Georgetown’s McDonough School of Business, even believes that the popular Balanced Scorecard approach can be applied to security in a very effective way.

This business strategy, in a nutshell, ensures that every action you take ties back to stated corporate goals. You can spend lots of money on a consultant who will help you set it up, or take the quick-and-dirty approach of spending 35 bucks on The Balanced Scorecard: Translating Strategy into Action by Robert S. Kaplan and David P. Norton. “If you can show that there are certain objectives within your department that will directly help the organization achieve its broader set of objectives, then you have a basis for making a presentation to top management,” says Mayer-Sommer, who gives a seminar to security pros every year through a joint program with the International Security Management Association.

“The traditional way is you wait for a disaster and say, Here’s what the cost is going to be for a future disaster,” he says. “But then people lose interest after a while. That approach does not provide you with a more steady and reliable way of building relationships and enhancing credibility.”

Good relationships, after all, are what really make you stronger in the long run.