Last week, my company's CFO, Bob Beancounter, popped in to my office and dropped a bombshell. "I need some solid evidence that your security programs are contributing to the organisation's productivity, its competitiveness and ultimately its bottom line," he said without a hint of apology.
"Evidence?" I asked him. And then repeated it, as if auditioning for a role in some cheesy made-for-TV drama. "Evidence? Hmm. You've got to help me with this one, Bob," I said slyly. "I mean, how do you calculate the cost of a bad employee?" I reminded him that we had been steered clear of hiring hundreds of people in the past several years as a result of what we had discovered during our background investigations — costing only about $US125 each. "Do you think more than a few of those rejects might have cost us some serious money had we hired them?" I asked.
"Well, I. . . ," he stumbled. But I had already started down a path of no return.
"Huh. We can demonstrate how our security measures contribute to shareholder value due to lower losses per dollar of sales versus the competition. And, by the way, we have fewer security personnel per employee than any of our competitors," I added.
"And I recall that we were back in business before our competitors were after 9/11 because we had adequately planned and tested business resumption plans," I cited. "I remember that the CEO made some real hay with that one at the annual meeting."
But I wasn't done. "Because of our preventive and detective tools, we haven't had even one minute of downtime due to the increasingly serious viruses and worms that hit us on a regular basis. Has that helped productivity and the bottom line?" I asked.
Then I wondered aloud if he had checked with risk management lately. "Our insurance premiums have all been reduced since they reviewed our safeguards," I told him. "And remember that company marketing wants to hire to manage phone sales? You should have seen the incredible holes we found in their information protection program. Can you help me figure the cost if they had lost our customers' credit card numbers or other sensitive information as a result?"
Finally, I mentioned how Mrs. Jameson might put a dollar value on the security here: One of our security officers saved her husband's life a few weeks back by using the defib after he had a heart attack. It took the EMTs 30 minutes to get here, but our guys were there in three.
Yup, Mr. Beancounter, I think we're doing our part in contributing to the bottom line in this organisation. But we also do so much more than that. At the end of the day, I think what we are about is helping the company run its business in a risky world. Maybe it doesn't end up on your balance sheet as a line item, but I'd bet the bottom line that the bottom line would be a lot smaller if we didn't do what we do around here.
Eyes Wide Open

Now, I'd love to have a buck for every discussion I've been a part of that wondered how the corporate security team could demonstrate to the bean counters — and to mahogany row, for that matter — that it is far more than just another cost centre.
All you need to do is look back at the past decade to see that security is a fundamental element of core business processes. Start with the Corporate Sentencing Guidelines or all the high-level resignations due to phoney experience credentials. Or consider international — and now domestic — terrorism threats. Or think about intellectual property theft and product diversion. What about the high-level internal misconduct and criminal activity, and the daily reality of cybercrime and business interruption? Look at any one of those areas, and you've got yourself a good case for the bean counters.
Yet I've worked for executives who never saw the real value without my persuasion. They thought that any activity that couldn't demonstrate a direct contribution to the revenue stream and profit margin was an albatross around the neck of the company. They never took the time to understand our mission and its relationship to the protection of the enterprise.
I say this with no apologies: CSOs are enablers. We provide services that allow the enterprise to meet business risk with its eyes wide open. Its value is in managing risk. I mean, if you want to own buildings with big rents for tenant businesses, you'd better have good life-safety systems and procedures. If you want to do e-commerce, you'd better provide a secure means for customers to deal with you. If you handle other people's money, you'd better have in-depth controls around integrity. If you want to build a business in a risky foreign environment, you'd better have security on your agenda.
US business is going through an evolution of sorts when it comes to security and its growing role within business operations. Thirty or 40 years ago, we moved from the basics of general asset protection to more risk-focused content prompted by negligent security litigation, safe and secure issues of employment law, and increasing notice of workplace violence. As the American workplace moved into ever-increasing technological complexity and reliance, the threats became more sophisticated, and remote and business continuity took on new meaning.
With the '90s came the corporation as criminal defendant, Internet connectivity, business conduct issues and the need for secure e-commerce. Then the millennium brought us the reality of terrorism, anthrax, SARS and major concerns for the adequacy of internal controls and ethical standards. In this short period, not only the concept of "corporate security" but the standing, skills and competencies of those who deliver the wide assortment of business protection services have expanded dramatically, culminating in the notion of the chief security officer. We are talking about CSOs these days because the nature of threat, vulnerability and business risk is expanding and the corner office wants a cohesive and comprehensive protection strategy.
Do your own history lesson. Look at the reporting relationship, compensation and senior management awareness of these aspects of operational risk within your company and other organisations with which you are familiar. The business world is far riskier today than 40 years ago, and it isn't likely to get any easier.
Full-Service Security

So — with this evolution in progress and a seemingly acknowledged need for a senior security executive within the management team — why do we CSOs continue to find ourselves wringing our hands about the value we bring to the table?
I think we've done a lousy job of selling the evolution and central governance roles of a full-service security program to thought leaders in business. I'd also not hesitate to put audit committees — even the Big Whatever-Number-It-Is-Now accounting firms and the so-called consultancies that serve mahogany row and the business schools — on the detention list as well. I don't give a hoot who runs the full-service security program just as long as it encompasses all of the pieces and is directed with a recognition of how the individual parts can cost-effectively contribute to enterprise protection.
I know security can be a hard sell, not only because it adds cost but because our "clients" see our programs as adding inconvenience or cumbersome steps in business processes. But we all know the rules have changed in these past several decades, and good old Bobby Beancounter knows that as well. Don't forget that CFOs are risk managers at their core, and they know we live in a much riskier world these days.
Every enterprise is different, and the security story is equally diverse. CSOs have to find the hook that works within their unique corporate culture. This has to be the focus of the products we develop and sell. Big, complex technical environment? Big need for in-depth safeguards and redundancies. Other people's money? Trust and integrity. We all have a story that matches our company's risk profile and culture. What some of us have not done well is package the story for the multiple audiences we have. There are hooks for Bobby Beancounter that will ring his chimes, and there are different ones for the audit committee, the CEO, the CIO and so forth. If you are at the table, you will know what hooks work with each executive and how to package the story.
I think the notion of adding value is a many-sided story in itself. As I said in my pitch to our CFO, we can show how our efforts avoid clearly measurable risk. We can demonstrate in any number of ways these days how we contribute to our firm's competitiveness. I obviously had not "sold" Mr. Beancounter prior to his visit. My fault. He's the guy who whispers in the CEO's ear on cost management, after all! If your organisation is doing its job well, you have tons of data, metrics and risk mitigation stories to support your cost and put the value equation in perspective. Advertise successes. Think of signs at construction sites saying "254 days accident free!" What signs might each of your programs have on the wall? At your periodic meetings with senior management, have some bullets on metrics and a story or two keyed to that manager's hot buttons. It works.
Value is in the eye of the beholder. Our products are often hard for the business to understand and see. Know your clientele and open their eyes with the facts.
This column is written anonymously by a real CSO at a major US corporation.