SAGE Conversations: Creating the value stream of security

June 5, 2012
Why value needs to flow through all levels of a business organization when making security investments

I am aware of situations that are occurring right now in security organizations where previous assumptions around how to evaluate, measure and manage their programs as well as external partners are being questioned by their leadership.

Entrenched service and product vendors’ value propositions are being tested and challenged because the root of the value measurement itself is under review. At the end of the day, information flows downstream. And companies must be aware of the consequences of obstructions. The value, velocity and veracity of their programs depend on the clarity, alignment and continuity of their process.

To be blunt: Just like the flow of information, the costs also flow downstream, and the same is true with value. And the last thing security executives need to do is to make non-valued additions to their budget.

So what to do?

Describe your value stream. The Sage Group has interviewed members of the security ecosystem from risk and continuity consultants, technology architects, business process optimization experts and integrators. We have found that there is no clear line of shared communication and management through the physical security value stream. We have attempted to describe it and look forward to the peer review that will surely follow.

But there is one thing from our research which cannot be ignored: If you are a part of this value stream, you are not adequately communicating. You can blame the client, integrator, consultant or market forces, but you are not communicating or operating within a methodology that will create the force multiplier your organizations require now more than ever.

We all need to be part of the change. Networks of vendors and clients must implement change to optimize and receive the full measure of value they are leaving on the table today.

We suggest the following steps:

1. Select partners in each one of the disciplines (we have outlined these disciplines in our white paper)

- Business Continuity (Organizational Risk Management)
- Security Information Technology Architecture
- Information Categorization and Classification (A Baseline for Analytics and Strategic Response)
- Security Process Optimization: the performance baseline of the existing interaction between your people, process and technology
- System and Solution Integration including Concept, Strategic Planning, Project Management, Commissioning and Training
- Operate and Maintain: Including the initiation of metrics against the people, processes and the non-functional requirements of the technology.

2. Organize them into teams

3. Create Key Performance Indicators (KPIs) against your budget and organizational goals

4. Manage your internal and external teams to those measurements

5. Reward the performance leaders

6. Learn from the intelligence they create

7. Make them part of a sustainable CQI (Continuous Quality Improvement) program

Finally, review your partner selection process. As you review this process, remember that your bid process is not collaboration. Your bid process is designed to mitigate risk and cost. But I would wager that it is doing the opposite. It is adding to your cost and adding to your risk if it is not bringing you the correct partner.

It is time to do your homework and create a highly leveraged team that is measured at every step and helps you navigate the changes needed to create a resilient, competitive and adaptable organization.

It is possible to create this team approach. We are seeing security executives taking the risk of trusted relationships, but to do this, they are establishing clearly specified performance expectations and a persistent cost basis. They are demanding collaboration. What they are beginning to experience is that when clear KPIs are established and a fair market value is understood, a long-term relationship creates opportunities for investment between both parties. This ultimately creates what is called an "extended learning organization," and it results in continuous quality improvement. Great leverage with compelling returns: that’s the value stream in security.