This article is the third in a four-part series written as a follow-up to our sponsored webinar in partnership with ASIS titled “How to Prove the Value of Corporate Security Investments”. Tim McCreight contributed to this article. Read Part 1. Read Part 2. Read Part 4.
When you first start building out a corporate security program for your organization, the first step you need to take is to understand your organization’s strategic plan. But then how do you take that strategy and use it as part of your security process? In our recent webinar, “How to Prove the Value of Corporate Security Investments”, we emphasize the importance of analyzing relevant data points and quantifying risks, whether negative or positive, in a way that can be tied back to an aspect of the strategic plan.
Matching security objectives to corporate objectives
Sometimes it can be difficult to find a security angle for each of the business’ strategic objectives. At the enterprise level, the security controls you integrate directly affect the level of risk the organization faces, and investing in new technology gives the security department the opportunity to reduce specific risks. The sign of a successful project is when the security department is able to show risk reductions across the business.
If the organization’s strategic objective is to become a market leader by increasing its market share, then the security objectives that your team is responsible for may include ensuring that offices in new foreign locations are safe for new employees. From an IT security perspective, it might mean making sure that there are processes in place for reporting data breaches to the appropriate governing bodies, if relevant.
Remember, objectives must be tied back to a risk or specific data point. What is the potential loss of profit if a data breach occurs? What is the risk to employees if there is a break-in? If you can answer these questions, it will make it easier for leadership to understand the importance of your corporate security program.
The difference between negative and positive risks
It’s normal for risk and security professionals to see risks as inherently negative. Positive risks should not be overlooked, but they are much harder to identify for the business.
Negative risks are ones you want to avoid and mitigate, typically arising from a threat. Positive risks are ones you’d want to accept because they can lead to opportunities for the business. One example, mentioned earlier, is pursuing an expansion into a foreign market, which can result in a potential increase in market share and profit.
Identifying data points and quantifying the risks
When you develop your security framework, you should first do a detailed review of the business’ strategy and look for any statements around the safety or security of its employees, protecting the brand, or expanding the business into new markets. This exercise can give you benchmarks that are important to the organization and help you determine whether there are any gaps in the organization’s controls and risk mitigation strategy.
From this, you can create a number of “what if” scenarios to see what the potential impact to the company is, whether that is profit, brand reputation, or something else. What if the organization fails to implement a control that could help prevent an IT incident? What are the tangible and direct costs to recover from that incident, and is that cost significant enough to warrant implementing those new controls as part of your overall corporate security program? Every incident that occurs should be used to identify control weaknesses. This helps your team paint a picture of your current capabilities and identify additional measures that can be quantified, giving you historical data to benchmark against once new controls are in place. Being able to quantify these risks will help your team develop a security program that aligns with the overall strategic plan.
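The “what if” comparison described above can be carried out with a small calculation: take the direct recovery cost of past incidents as the baseline, estimate how much of that loss a proposed control would avoid, and compare the avoided loss with the control’s own annual cost. The following is an added illustration, not code from the article or the webinar. The incident log, the 60% reduction factor and the control cost are constructed sample values chosen for the example; in practice the reduction factor is the assumption you would have to justify with vendor data, pilot results or industry benchmarks.

```python
"""Expected-loss comparison for a 'what if' control scenario.

Added example, not from the original article. Every figure below is a
constructed sample value, not a benchmark from any real organization.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    year: int
    category: str
    direct_cost: float  # tangible recovery cost actually incurred


# Constructed historical incident log covering three years (sample data).
HISTORY = [
    Incident(2021, "phishing", 40_000.0),
    Incident(2021, "break-in", 15_000.0),
    Incident(2022, "phishing", 50_000.0),
    Incident(2022, "phishing", 30_000.0),
    Incident(2023, "break-in", 21_000.0),
    Incident(2023, "phishing", 60_000.0),
]


def observed_years(history):
    """Number of calendar years covered by the incident log."""
    years = {inc.year for inc in history}
    return max(years) - min(years) + 1


def annual_loss_by_category(history, years):
    """Average annual direct cost per incident category (the baseline)."""
    totals = {}
    for inc in history:
        totals[inc.category] = totals.get(inc.category, 0.0) + inc.direct_cost
    return {cat: total / years for cat, total in totals.items()}


def evaluate_control(baseline_loss, reduction, annual_control_cost):
    """Compare a proposed control against the baseline loss it targets.

    reduction: assumed fraction of the baseline loss the control avoids.
    Returns (avoided_loss, net_benefit, rosi) where rosi is the net benefit
    expressed as a fraction of the control's annual cost.
    """
    if not 0.0 <= reduction <= 1.0:
        raise ValueError("reduction must be a fraction between 0 and 1")
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    avoided = baseline_loss * reduction
    net = avoided - annual_control_cost
    return avoided, net, net / annual_control_cost


def control_is_justified(baseline_loss, reduction, annual_control_cost):
    """True when the avoided loss exceeds what the control costs each year."""
    _, net, _ = evaluate_control(baseline_loss, reduction, annual_control_cost)
    return net > 0


if __name__ == "__main__":
    years = observed_years(HISTORY)
    baseline = annual_loss_by_category(HISTORY, years)
    for category, loss in sorted(baseline.items()):
        print(f"{category:10s} baseline annual loss: {loss:>10,.0f}")

    # Hypothetical scenario: a control that targets phishing losses, with an
    # assumed 60% reduction and an assumed annual cost of 20,000.
    avoided, net, rosi = evaluate_control(baseline["phishing"], 0.60, 20_000.0)
    print(f"avoided loss {avoided:,.0f}, net benefit {net:,.0f}, ROSI {rosi:.0%}")
```

Running the block prints the per-category baseline from the sample log and then the scenario result for the phishing control. The same two functions can be re-run each year against the updated incident log, which gives you the historical benchmark the article refers to: if the observed phishing loss after deployment is not below the baseline by roughly the assumed fraction, the assumption, not the control, is what needs revisiting in the next business case.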
Securing executive buy-in for your new security program
Your leadership team has limited time to sit through an entire presentation on a new security program or a business case presentation. Use your time wisely and focus on the risks from a business perspective, and identify the proper mitigation strategies. Back up your observations and recommendations with facts and data.