Every CEO is responsible for ensuring his or her company is profitable, and that means driving revenues and shareholder value from the company's core businesses.
Technologies and regulations do not drive repeatable profits for your company, unless you're a vendor. So how can security cross the chasm from ROSI (return on security investment) to EBTIDA (earnings before taxes, interest, depreciation and amortization)? That is, how can you go beyond cost reduction to active profit generation?
CSOs work to perfect a wide variety of metrics that each security breach helps better quantify. But no matter how accurate current security metrics become, they will never carry as much weight in those board-level corporate strategy sessions as do revenues, bottom-line profits, new market strategies and sales.
Security has to be seen by the CEO as something more than a cost of doing business. Security has to be seen by everyone in the company as an integral part of corporate strategy. CEOs prioritize revenues and profits; EBTIDA wins over ROSI. Therefore, CSOs need to prioritize those security programs that drive EBTIDA.
Here's one example. In the mortgage lending industry, there is a lot of paperwork flying around, usually on the order of 200 pages or more to get a typical loan processed. All of this paper makes up what's called a credit or closed loan file; Social Security numbers, employment history, bank statements, tax returns, loan origination documents, credit histories. These documents contain virtually everything someone would need to steal a person's identity.
Historically, these paper files were handled in a paper-intensive process: passed from the broker or loan officer, to the underwriters, to various other business partners—each adding another piece to the process. This created a scenario that was ripe for a data security breach.
By deploying an intelligent-indexing, imaging and electronic delivery technology, investors and their correspondent lenders can shift from a serial paper workflow to a parallel workflow process, which includes secure delivery of imaged loan files. As a direct result, loans are processed more quickly, and that directly improves profit margins from lower loan origination costs and loan spreads.
Now while we all conceptually understand that process efficiency improves profitability, it's important for a CSO to put proven numbers behind that claim. In the example above, mortgage lenders reported a $100 per loan profit after moving to intelligent electronic delivery technology. At an average 1,000 loans per month, the CSO can now address data-in-transit challenges and claim direct responsibility for adding $1.2 million directly to the company's bottom-line profits.
Look for Process Problems
When I get called into a company whose CEO is looking for ways to improve bottom-line profits, re-capture revenue leakages or improve productivity, I go straight to the CSO and read through his security audit trail first. Why?
Because almost every security breach serves as an “X marks the spot” underneath which is a problem with people and process. Find it, fix it, and I've delivered exactly what the CEO is looking for.
There's much wisdom in the old adage, “If you really want to fix a problem, don't look at where you fell, but go back a few steps to where you first slipped.” When IT executives have made the time to look at how their work can directly impact corporate profits, they've been rewarded with increased engagement in strategic corporate decision-making.
Jeff Johnson, VP of IT applications at Constellation Energy, looked at change control management with an eye on bottom-line profits. He had recorded more than 30,000 auditable events, each one of which cost an average of 15 minutes of effort. After implementing a new change control program, the number of auditable events was reduced by more than 95% to under 500. That's more than $1 million that now goes directly to improving bottom-line profitability.
Mark Rein, IT director at Mercy Hospital and noted author of an upcoming book on securing healthcare facilities, said, “Although HIPPA compliancy is important and certainly gets a lot of executive attention, leading with a focus on compliancy will not get the CSO on the top of the agenda at any board of directors meeting. Healthcare is very much a business that is built on revenues and profits. Healthcare Executives know they need to keep their most profitable business units running 24/7.
“Quite a few hospitals realize the majority of their profits from their radiology, laboratory, and outpatient care departments. A CSO that maps revenues and profitability metrics directly to an increased level of system availability will be able to show the CEO where the money is in security.
“When security can deliver to physicians the level of unfettered access to critical patient information they demand, that healthcare facility will attract more of that physician's business. When an MRI system can be kept running 24/7 and accessible from remote locations, cash flows from those revenues run 24/7 too.”
To Win More Games, Change Your Players
Historically, the CSO has been closely aligned with IT, Legal and Risk Management. If the corporation sees security as a technology and compliance problem, that makes sense. But if security is to be an integral part of corporate strategy, that's not enough.
In order to change security's standing in the company, the CSO needs to rethink security's relationship with other departments.
So who are the executives the CSO should engage with more? The VP of marketing, the VP of sales, the VP of customer service, the VP of operations and human resources. Why? Aren't they often part of the problem—the source of so many security events?
These executives often run the other way when they see the CSO coming. They may spend a great deal of time dissatisfied with the policies the CSO is trying to enforce, rather than embracing them as good for business. That's not a healthy environment for anyone to be in. So turn that around by finding what's in it for them and mapping security to their mission.
For example, what if your VP of marketing wants to analyze customer data to find a new revenue opportunity? There are several technologies out there today that initially are purchased by security to sort through company emails, often in a litigation case, that are then dual-purposed to find and deliver what Marketing is always looking for: real-time customer feedback and information from which they can spot a new business trend and create new products or services that customers are already asking for.
The First Four Steps
Each case in this article represents an opportunity for success that is reproducible in other companies across other verticals. Here are four steps to get you started:
Step One: Think like your CEO. Look for revenues, profits and new business opportunities.
Step Two: Look with renewed vision at those audit and security event reports and trace each breach back to analyze where people or processes played a role.
Step Three: Map revenues and profitability metrics directly to security. Look at business continuity, asset protection and change control.
Step Four: Engage new players by mapping security to their success metrics and use security as a pivot to help them achieve their core mission.
Winning the battle to secure any company requires commitment from the entire corporate team. Those CSOs who have been able to show the CEO where the money is in security have come one step closer to victory.
Jackie Bassett is founder and CEO of BT Industrials Inc. Her expertise is in identifying ways to improve business processes, productivity, profitability and shareholder value using security. She holds an MBA from Babson College and is co-Author of an upcoming book, A Seat at the Table for CEOs and CSOs. As an active member of Business Executives for National Security (BENS), Ms. Bassett works extensively with CSOs and CEOs of Global 500 companies. She can be reached at firstname.lastname@example.org .