Every CEO is responsible for ensuring his or her company is profitable, and that means driving revenues and shareholder value from the company's core businesses.
Technologies and regulations do not drive repeatable profits for your company, unless you're a vendor. So how can security cross the chasm from ROSI (return on security investment) to EBITDA (earnings before interest, taxes, depreciation and amortization)? That is, how can you go beyond cost reduction to active profit generation?
CSOs work to perfect a wide variety of metrics that each security breach helps better quantify. But no matter how accurate current security metrics become, they will never carry as much weight in those board-level corporate strategy sessions as do revenues, bottom-line profits, new market strategies and sales.
Security has to be seen by the CEO as something more than a cost of doing business. Security has to be seen by everyone in the company as an integral part of corporate strategy. CEOs prioritize revenues and profits; EBITDA wins over ROSI. Therefore, CSOs need to prioritize those security programs that drive EBITDA.
Here's one example. In the mortgage lending industry, there is a lot of paperwork flying around, usually on the order of 200 pages or more to get a typical loan processed. All of this paper makes up what's called a credit or closed loan file: Social Security numbers, employment history, bank statements, tax returns, loan origination documents, credit histories. These documents contain virtually everything someone would need to steal a person's identity.
Historically, these paper files were handled in a paper-intensive process: passed from the broker or loan officer, to the underwriters, to various other business partners—each adding another piece to the process. This created a scenario that was ripe for a data security breach.
By deploying an intelligent-indexing, imaging and electronic delivery technology, investors and their correspondent lenders can shift from a serial paper workflow to a parallel workflow process, which includes secure delivery of imaged loan files. As a direct result, loans are processed more quickly, and that directly improves profit margins from lower loan origination costs and loan spreads.
Now while we all conceptually understand that process efficiency improves profitability, it's important for a CSO to put proven numbers behind that claim. In the example above, mortgage lenders reported a $100 per loan profit after moving to intelligent electronic delivery technology. At an average 1,000 loans per month, the CSO can now address data-in-transit challenges and claim direct responsibility for adding $1.2 million directly to the company's bottom-line profits.
Look for Process Problems
When I get called into a company whose CEO is looking for ways to improve bottom-line profits, re-capture revenue leakages or improve productivity, I go straight to the CSO and read through his security audit trail first. Why?
Because almost every security breach serves as an “X marks the spot” underneath which is a problem with people and process. Find it, fix it, and I've delivered exactly what the CEO is looking for.
There's much wisdom in the old adage, “If you really want to fix a problem, don't look at where you fell, but go back a few steps to where you first slipped.” When IT executives have made the time to look at how their work can directly impact corporate profits, they've been rewarded with increased engagement in strategic corporate decision-making.
Jeff Johnson, VP of IT applications at Constellation Energy, looked at change control management with an eye on bottom-line profits. He had recorded more than 30,000 auditable events, each one of which cost an average of 15 minutes of effort. After implementing a new change control program, the number of auditable events was reduced by more than 95% to under 500. That's more than $1 million that now goes directly to improving bottom-line profitability.