My point of view

Ensuring you get the security 'buy in'


Getting "buy in" for an idea or cause is a universal concept that sometimes borders on the absurd. Everybody is a salesman on one level or another. When you were a teenager, selling the fact that you were responsible enough to warrant a driver's license was part con job and part demonstrated behavior, and it didn't work unless both parents bought in. Most politicians promise programs they know will never be delivered. But that's okay; they realize you'll never hold them accountable. They just want your immediate "buy in" at the ballot box.

When positioning a program or project with upper management, security professionals are constantly striving for C-suite buy-in. Methods of achieving this and closing the deal with your boss may vary from scare tactics and humiliation to that golden oldie, "security as a necessary evil."

Buy-in arguments that go down this road are usually driven by a manager who thinks that the technology will close the deal. How could the CFO not be impressed by a network camera that sees in the dark, has embedded analytics that can spot grumpy employees as they shuffle through your optical turnstiles, and is also aesthetically sensitive to the boss's wife's lobby color scheme?

Security directors who lead with technology in their relations with business units, and who use fear tactics to try to force compliance, are missing a big opportunity to convince the C-suite of security's importance to what executives actually do care about: managing risks to revenue streams, operations and the brand.

In most cases, your CEO, CFO or COO couldn't care less about which widget does what. As business leaders, they must be convinced of their responsibility for the risk the organization assumes, and of how security relates to their efforts to promote the organization's success. In almost every business, that success is measured by the financial bottom line.

To promote security as a valued business driver and enabler, tested governance structures need to be developed and a consistent information pipeline must be established with business leaders. That information should drive their awareness of security's relevance at a strategic level and help them take action on issues that could put their business at risk.

Perhaps the most astounding fact in this entire "buy-in" process is the frightening number of major organizations that have never been approached with the pitch. It is not unusual to find yourself in the position of having to develop a governance program. It must be sound in principle, process and procedure while using industry standards as a foundation. While you're at it, try expanding into an enterprise risk management (ERM) model that establishes standard risk management functions within your most critical business units. A comprehensive ERM program provides tangible evidence that your company exists to provide value for your stakeholders.

Starting from scratch in an established organization is not easy, but it can be done. While attending a recent consultants' symposium sponsored by UTC Fire & Security in Rochester, N.Y., I met a security director who did just that. Ray Osborne came on board at the University of California-San Diego's Medical Center in 2008 with virtually no security infrastructure in place.

"They didn't know what they didn't know before we met with them. We had to get the C-level buy-in, but I needed to see how committed the administration was before we started," said Osborne, whose security budget went from less than $600,000 his first year to millions by his third year. "Most places look at security as a necessary evil. The feeling here was no different."

Osborne said his first goal was to find out how much risk was too much for his new executive bosses and what their expectations were for an eventual security/risk plan. He shared with them some staggering statistics on the crime then occurring in and around the facility. It was an eye-opener.
