By Debbie Wang Modified October 18, 2019
This article is the first in a four-part series following up on our sponsored webinar in partnership with ASIS titled “How to Prove the Value of Corporate Security Investments”. Tim McCreight contributed to this article. Read Part 2. Read Part 3. Read Part 4.
When every department is competing for resources from a limited budget, it can be challenging for security managers to prove that they deserve additional investment. This often leaves security managers feeling overlooked and frustrated, which is a very common story in security. Companies frequently and systematically under-invest in risk and security management, and they suffer millions of dollars in unnecessary losses as a result. It is up to the security manager to prove the value of corporate security by showing how the objectives of the corporate security team align with the overall objectives of the business.
In our webinar, “How to Prove the Value of Corporate Security Investments”, we break down how security teams can create a proposal that will help them get the executive buy-in they need for an additional investment in corporate security. Below is a summary of the key takeaways from the webinar.
As a security professional, you have to be able to explain clearly that you are supporting and protecting the assets of a specific business unit or organization. Proof of the value of a security investment needs to be tied to a positive impact on the business’ objectives, which is impossible without a clear understanding of what those objectives are. It’s about understanding how you, as a security professional, can support those objectives through a security program and help reduce the risks affecting that department or organization.
The program or project that is put forward needs to provide a tangible business benefit back to the organization. It’s also important to look at contextual data when putting together a business case for a security investment. That means taking the time to obtain, gather, and review the relevant data points to ensure that the proposal is backed by the right security controls and actually reduces the overall risk to the organization.
Mitigations for risks cannot be put into place until there is a clear understanding of what those risks are and the assets that those risks are tied to. What are the assets that are in place today and what are the assets that the business requires in order to achieve its objectives? Typically, these assets are people, property, and information.
Once the key assets have been identified, it’s time to associate those assets with the appropriate risks. It’s the job of the security professional to take risks that are typically described from a very technical perspective and translate them into business language, so that the business can make a decision based on those risks.
It’s important to note that there is a difference between a risk and a threat. Take a hurricane as an example. The hurricane isn’t the risk; it’s the threat. The risk is the harm to the people affected by the hurricane, the damage to the infrastructure, and the reduced output that can lead to lost revenue. When you identify risks, make sure you can articulate them in business language tied back to a business objective, using the right scenarios and descriptions.
What controls are in place to mitigate the previously identified risks, and how do those controls tie back to the overall strategic plan of the business? Part of the mitigation process is looking at capability gaps within your security team and determining the additional resources you require, whether more team members or new software, that will help your team close those gaps.
A key capability is being able to track events and incidents and then understand the impact of those incidents on the business unit. Once the impact has been measured and the risk of that incident has been mitigated, security teams need to conduct ongoing risk assessments, regularly uncovering new vulnerabilities and identifying new threats. By tracking incidents and near misses, you create opportunities to demonstrate a return on investment for a new security program and to show how the investment ties into increased productivity. The link may not be direct, but the goal is to tie a risk to an asset which, if left unmitigated, will result in a loss of productivity and misalignment with the organization’s strategic goals.
Understanding business context is essential when making the case for a security investment: without first understanding the context of the business, the recommendations that security professionals put forward won’t be treated as a priority by executives. Back up your case with underlying data. Use dollar values where you can, and tie them back to the business’ strategic plan.