Can you provide me some keys to demonstrate that the CSO is (needs to be) a business leader?
CSOs need to "run security as a business," just like other functions do. Based on our 10 years of working with practitioners and researching how successful leaders demonstrate that they add value to the organization, and are considered a valuable asset to the business, we offer the following recommendations:
Let's start with budgets. Your budget process should be built on a foundation to enhance efficiency and effectiveness. The first step in managing a budget well is knowing what security services the budget needs to support. This may seem simplistic, but it’s a step many security leaders fail to take. If the security leader can’t point to some kind of documentation that clearly states what the function is specifically offering, none of the rest of the organization will fully appreciate the breadth of services security provides.
Once services are identified and cataloged, there are other questions that must be addressed: “What do these services cost?” How many full-time employees and contract staff are dedicated to each service? Does staff outside of security participate as well and, if so, how many hours do they spend performing security services? What technical or material resources does the service require, what does upkeep and maintenance cost, and what is the price of purchase or planned replacement (both within and outside the department)?
When a finalized list of services and costs has been developed, it’s time to determine the service value. Take the list and establish who are the beneficiaries of each service. Which business units gain opportunities or benefit from risk mitigation as a result of the service, and how? If possible, develop or include metrics that show the benefit in a tangible way.
Knowing your "customer" is another vital component. What business would put something out into the marketplace and not assess who uses or values their offering? There are several ways to become more familiar with your customer’s needs. One is to develop personas, a technique borrowed from marketing. For the security department it can be helpful to identify internal customer “types” (needs, motivations, attitudes, etc.). Use these to prototype reactions to proposed enhancements or new roll-outs, for example. Another way to better understand your customer is to gather stakeholder criticality ratings, in a similar fashion to how the sales department evaluates product lines; for example, meet with every stakeholder and determine the security programs and services they consider critical to their line of business. If you are willing to invest the time, you help create understanding and ownership of risks with your stakeholders. The process helps business units correlate their risks with what matters to them from a security standpoint. By involving them you’re learning what their concerns are and educating them on what you provide at the same time.
Understand your specific organization. Don't attempt to apply a solution without knowing your environment. This includes how your organization views "security," how mature your program is currently, what kind of leader you are and whether this fits the corporate culture and risk appetite of the company. Our research shows an awareness of and strategy for each of these is needed to: advance the success factor of the security function; develop security leadership aptitude; and advance the organizational readiness for security to sites, staff groups and senior leadership.
Keep in mind the CSO is (or should be) a business person who happens to have knowledge and expertise in risk mitigation, not a person with security acumen who happens to be inside a business. And they should possess the same kinds of leadership skills desired in other business unit leaders. Many do, but some are not thinking of themselves as business people. This skill set includes good presentation skills, strong communication proficiency, the ability to build peer influence, manage budgets, and so on. As a business person you should be continually "selling" your offerings and demonstrating (e.g., through key performance indicators*) that what you do is beneficial.
(*See the Knowledge Corner: Measures and Metrics for more on this topic.)
Answer provided by Kathleen Kotwica, PhD, EVP and Chief Knowledge Strategist for the Security Executive Council.
Great article K2! I'd like to offer some additional food for thought that may enhance the CSO's opportunity to be embraced as a business leader when it comes to budgets. Most CSOs can talk about 'their budget' but few CSO budgets include the total security spend across the company. A large portion of security costs are often included in the operations, facilities or field budgets and finance plans, embedded in operations budgets. If a CSO cannot talk about the total security spend across all of his/her company, they can't really talk about the impact security spending is having on the firm's profitability. CEOs are not only interested in the CSO's budget but they are interested in what impact, overall, security costs are having on the profitability of the company. Therefore, if the CSO can talk about the overall security spend for the entire enterprise, they can translate that into a discussion about security costs as a percentage of total revenue. As it relates to functional spending, this is a metric that the CFO and CEO are most interested in. Most importantly they can benchmark this internally against what percentage of spend other functions, i.e., HR, HSE, etc., are relative to total revenue. (It's often possible to benchmark total spend as a percentage of revenue externally with CSO colleagues. Even though we often hesitate to share specific budget numbers, I've always had success talking percentages.) The result is that the CSO will be equipped with sufficient information to analyze (using the ideas in K2's article) where there may be opportunities for reducing security spend across the enterprise, which improves overall profitability of the firm. Alternatively, they may learn that they are woefully underspending relative to their peers and use this information to help justify an increase in security spending. This can be a powerful approach toward building credibility as a business leader.
Remember, it's not just about the security budget; most important to the CFO and CEO is the impact on profitability. After all, isn't profitability the bottom line of what investors are using to judge how effective the CEO is at managing their investments?
Posted by: Russ Cancilla | May 05, 2014 at 10:14 AM