Q. Like many of my peers, I struggle with the issue of how to effectively demonstrate the bottom-line value that security’s efforts bring to the business. Thoughts?
A. I have often heard leaders say “my business leaders just don’t listen to me; they don’t get it.” Getting and keeping the "boss’ ear" is among a security program’s most challenging issues and one that has been around for far too long. Some feel the concept of demonstrating the value of security is problematic because many business leaders do not view security practitioners as business partners. Often what security practitioners suggest seems to get shrugged off. Security is frequently viewed as “stuff that really isn’t helping to achieve our business goals.” When security is viewed purely as an expense it becomes difficult for the business side to view your program as one that delivers results like other functions.
It seems the only time business leaders present information around security is at some hastily called press conference where they are acknowledging there has been an issue, for example, a compromise of their customer data. Why is that? What is missing in the conversation about what should be the real role of security in today’s business environment? If all we hear business leaders talk about is “security failures” -- is there something security professionals are missing in their communication opportunities?
The multi-tasking and time demands faced by business leaders today leave little time for them to absorb, let alone understand, today’s complex security environments. Then add the ever-increasing demands of security compliance and regulations and the Securities and Exchange Commission (SEC) requiring risk information in 10-K forms (at least the latter is waking up some executives to the importance of fully understanding the risk landscape). In one company I am familiar with they had forty-five different federal and state agencies that had some form of security regulatory oversight on their various businesses; the business executives didn’t have a clue. Once they were made aware of this a lot of questions were raised. The questions turned into dialogue and the dialogue – between security and the executives – became the “lever” for security. The result was these business leaders saw how security was making a positive contribution across their operations. Making the business side aware of this was among the first of many positive steps security took to raise the security acumen of folks in operations, HR, finance, labor relations, and many other areas of the business.
Now, there is also a flip side to what was made possible in the above example. It is just as necessary for the security leader and the security team to take the time and make the effort to both learn about the business they are in as well as the culture of the enterprise. All too often those in security are reluctant to learn the business from the ground up. To do that, you have to get out of your comfort zone and find out what line employees do as well as how and where they do it. If you don’t know their working environment you will never understand what they go through or the challenges and possible security issues they confront.
An easy way to start is as simple as accompanying a worker in the field as they do their job or visit a plant during shift change. In some organizations you can even shadow line workers as an apprentice; not to learn their job, but to learn their environment. Also, it’s surprising how much you can learn about the culture of the organization by having lunch with different groups. All it takes is a bit of stepping out of your role and into the role of those you typically work around.
Good security is all about good communications. There are a few things security professionals are really good at and other things we have to learn. Below are a few suggestions that have worked very well for security teams in several Fortune 500 companies:
- Move outside the realm of whatever you do or have done in security (IT, physical, executive protection, etc.) and learn everything you can about business in general
- Continuously learn about the business you are a part of - what makes the business tick? What is unique to a particular company's success?
- For decades there has been little progress in security measures and metrics; although that is changing slowly. You need to use measures like the rest of the business does to demonstrate the bottom-line value of your efforts that have a positive impact across the business. (See Measures and Metrics in Corporate Security by George Campbell.)
Focusing on these areas will enable the security leader and his/her team to achieve an understanding of the opportunities to make the business safer, more secure and more profitable. You will also better understand the company’s business culture, which in turn helps tune your strategy and tactics to what will work for a particular business. Each step of the way you are building trust among your business colleagues. It is also essential to know what to say and who to say it to. Always aim to brief the ultimate decision makers – face to face if possible – and you will almost always be able to arrive at solid solutions.
Closing the communication gap is just one factor in the "value" issue. To be continued…
Answer provided by J. David Quilter, Security Executive Council Emeritus Faculty member.