All security leaders have, at some point in their careers, had to make the case for a change in security—whether it's a simple shift in staffing or the implementation of an entirely new program.
You may not have thought of it as "presenting a business case," but that's precisely what it was. A business case is a written or verbal outline of the reasoning behind a proposed change, with the goal of gaining decision makers' support.
Other business functions have long recognized that without a compelling business case, there's seldom any point in proposing a change. After all, if you can't justify your proposal to the people who need to fund and support it, why should they say yes?
But the security function hasn't always been held to that standard. It existed inside a different mindset, subject to different executive drivers.
Bob Hayes, managing director of the Security Executive Council, says that those drivers have evolved. "Back in the day it was really 'right of boom': We responded to incidents and created our programs around that. In 2004, when the Securities and Exchange Commission required publicly traded companies to list their most significant risks, we went to a more risk-based alignment. About three years ago we started to see executives coming in after seeing the CISO scrambling to meet new standards, and saying, 'I need to know what requirements corporate security must meet.'
"And now, we have more and more CEOs coming in and saying, 'I get risk, I get compliance – but so what? What is the business case?'"
To answer that question, the security leader must first define security's value proposition. The value proposition is central to the business case.
Value Proposition
While a business case justifies a specific security action or change, the underlying value proposition lays out the value that the security function as a whole provides to the organization. As such, it lays the groundwork for any business case.
A Security Leadership Research Institute study found that 57% of responding security leaders considered the business value of security to be the most important concept they needed to communicate to management.
Figure 1 below shows that the three top concerns regarding lagging security programs have to do with executive support. In some cases, security may not be providing executives with the value proposition or the larger business case to justify expenditures or change.
Dan Sauvageau, SEC emeritus faculty and former Senior Vice President of Global Security Operations with Fidelity Investments, recommends presenting the value proposition in a succinct one-page format that can be quickly communicated. A strong value proposition "connects to the business, knows its audience, says what you're trying to protect, says what services you have in place to protect those things, and says what's in it for the organization," Sauvageau says.
He recommends the security leader identify what he calls the crown jewels of the organization – the high-level assets (both physical and conceptual) that must be protected at all costs. Nearly all businesses would begin this list with brand reputation and employee safety, for instance.
Then, he says, identify and communicate the internal and external threats to those assets.
Then list the services you provide that protect against these threats.
All this can be communicated in an intuitive, visual document that can be presented or provided to executives and other leaders in the organization.
Building the Business Case
Having the value proposition already defined will lighten the load of developing a business case, but there will still be a lot of work to be done.
A strong business case is based on data. Build or maintain partnerships with other functions that enable you to access relevant data they have collected. Be prepared to compile and communicate security data in a meaningful way. Review key performance indicators and other security metrics to see how they support your business case.
Brad Brekke, SEC emeritus faculty and former Vice President of Assets Protection and Corporate Security for Target Corporation, emphasizes that the business case must be built upon a deep understanding of the business and security's role and strategy within it.
"I'd recommend you conduct this exercise: Study your business. Know how it operates, how it makes money, how it's set up, what its strategy is – for instance, is it a growth strategy, an expense-driven strategy, a service-driven strategy. Know the culture and risk tolerance of your organization and know the voice of its customer," says Brekke.
Brekke also cautions security leaders not to undervalue the importance of storytelling. Each organization has a language that resonates with management. Consider the language of the brand and the language of the organization's business as you develop the story you will tell and as you make your business case.
You may find it helpful to reframe some security language to better reflect business value. For instance, because one of Target's foundational goals was to focus on the experience of the customer, conversations about shoplifting became conversations about enabling the guest experience.
Next Steps
Developing strong business cases is not a skill that many security practitioners have. It is not generally taught in educational institutions, and there is seldom an opportunity to gain experience with it in the field. This is where the Security Executive Council can help. The Council consists of successful leaders of security programs who can apply their knowledge and experience in making effective business cases to top organizational executives. Contact us to discuss how the SEC can help you gain acceptance for your program.