Benefits Beyond Avoiding Cuts
The most common complaint from security leaders approached with this process is the amount of time it takes to pull the information together, do the legwork, and then create a plan. It is true that compiling this data is time consuming and often difficult, however, it is time well spent.
Failing to gain an in-depth understanding of where the money goes has implications that extend well beyond the budget. If your team cannot talk about the services the security function provides in a consistent language, and you do not have documentation to show how many people and how much time are dedicated to each service, then you don’t have a function like all the others in the business. No other business function would put something out into the marketplace and not assess who uses or values that offering. Neglecting this kind of research and development limits Security’s influence with the rest of the business.
The benefits also range beyond simple budget cut avoidance. The Security Executive Council provides templates and frameworks for security leaders to use as they collect information on services and cost, and we have seen CSOs make important strides through this process. Besides avoiding cuts, they have eliminated inefficiencies.
If the process shows that there are 13 business units responsible for disparate aspects of investigations, for example, the security leader can drill down to cut out the redundancies, centralize where necessary, and not only reduce cost but greatly improve the execution of investigations company-wide.
Further, imagine what a clearer and more detailed knowledge of security services, staff, expenditures and value can do for strategy development. Six-month, one-year, even five-year strategies will be much more realistic and informed when they are built on an understanding of the content and value of services offered now. The same is true for business alignment — security can much more easily demonstrate that its offerings line up with the goals and needs of the business if this fundamental work has already been done. The path forward becomes clearer once you know where you stand today.
Commit to documenting your security programs as outlined here, and you will be more likely to be recognized by senior management as a proactive business leader — someone who knows the security function and the business, and someone who is looking beyond security to the good of the organization as a whole.
Marleah Blades is senior editor for the Security Executive Council (SEC), a problem-solving research and services organization focused on helping businesses effectively manage and mitigate risk.
Kathleen Kotwica, PhD, is EVP and Chief Knowledge Strategist for the SEC. Drawing on the collective knowledge of a large community of successful security practitioners, subject matter experts, and strategic alliance partners, the SEC provides strategy, insight and proven practices. Our research, services, and tools work to help security leaders initiate, enhance or innovate security programs; build their leadership skills; and bring quantifiable value to their organizations. To learn more, e-mail email@example.com or visit https://www.securityexecutivecouncil.com/ste. Follow the SEC on Facebook and Twitter.