Arguably the most common challenge among security leaders is being able to communicate the value that risk management services and programs bring to the organization.
If you are attempting to provide that information, you know what we are talking about. If you are not already providing that information, don't be fooled. You may think management is happy with your performance, but if you are not presenting them information on the value of your risk mitigation programs and services, it is only a matter of time before they ask for it. And chances are, when they do ask, it means they have already made up their mind about the value you are providing the organization.
As competent security practitioners, we would not think of waiting for someone to break into the barn before we locked the front gate. Make sure you are starting to collect the data and build the information you need well before management demands evidence of the value you are providing.
Security's value proposition is driven by a combination of facts—real results—and perception.
Security often must demonstrate a risk avoided or prevented. But there are real deliverables offered across our spectrum of services that can (and should) be assembled to demonstrate where and how we deliver value to the bottom line.
The following are samples of how to define and present the value Security is bringing to the organization.
Security's Balanced Scorecard
The balanced scorecard was originally developed as a business strategic planning and management system. It can be adapted for use by Security. A key element of the balanced scorecard technique is to include both financial and non-financial performance measures. To get started, answer the questions in the chart for Security at your organization.
Internal Customer Value Analysis
This is an analysis of who values your services and why. Why is this important?
- Proactive defense against potential cuts, or allies who take on the budgetary burden for a service they do not want to lose.
- Opportunity to create loyal customers.
- Remind Business Units that Security does not own the risks, the business units do.
Connecting Board-Level Risks to Security Mitigation
Of particular importance when communicating with the C-Suite is relating mitigation to the corresponding board-level risks. This chart shows an example of grouping the security program strategy/mitigation with the business areas that own the security risk and ultimately with the board-level risk category.
Preparedness & Competence = Anticipated Value
This chart helps to relate the elements of preventative/detective and responsive/recovery measures to potentially significant business interruptions or events. The core idea is that expected value derived from Security is the result of the preparedness and risk mitigation competency of the organization.