Selling the C-Suite on the value of security

Jan. 27, 2014
A look at a variety of strategies security executives can employ to influence senior leaders

We hear it time and time again in the corporate security environment, from the regional to the executive level: "we don’t have the budget for such a program right now;" "this simply isn’t a concern right now;" or, "we can’t execute on this right now, however put something in writing and we’ll circle back to it soon." Corporate security managers (CSMs) have heard every excuse to dodge security concerns, and oftentimes, we may wonder why we we’re even hired in the first place.        

Selling leadership on the safeguards of protecting business assets has proven difficult since the first executive realized what these safeguards will cost. However, selling leadership on what the costs overall will be, monetarily and beyond, after the fact can be much easier if done correctly. Convincing corporate leadership of the imperative nature in protecting business assets today is best executed by showing examples of past failures from companies larger, more successful and/or more dynamic than your own.

Direct, current and potentially fatal errors within a corporation’s security program can be a CSM’s best ammunition when faced with the challenge of moving forward with the executives’ approval. More often than not, the challenge isn’t creating a feasible and effective program as much as it is getting leadership to approve of it. Money or lack of resources is the typical excuse given from leadership when attempting to move forward. Oftentimes, leadership fails to understand that security must operate as a team in unison with the rest of the company, all while still keeping the company’s mission and vision goals at the helm.

It goes beyond just security. Every aspect correlates or is paralleled with the next. In fact, security closely correlates with reputation and brand recognition for any large organization. The global environment also makes it more challenging than ever to protect corporate assets and maintain the integrity of the organization and its reputation or the brand. Security could arguably be just as important in brand recognition and reputation as marketing for the mere fact that consumers are paying closer attention to how a company defends itself. For example, PayPal brags about how it spends millions of dollars on cyber security to protect the infrastructure of its network. This is a marketing or selling point for PayPal which is a company that is asking for millions upon millions of consumers to trust their money to be sent electronically across the globe. A comprehensive security program is a very powerful selling point for a company like this.

Proactive mitigation is also a tough sell for leadership, specifically with regards to protecting corporate assets overseas. For example, if a company’s assets in Mexico have been stolen or damaged, it is important to investigate the matter, as well as take steps to prevent a similar incident from occurring. More often than not, companies will simply write off the loss and carry on. Bad guys are counting on this, especially when some of the lost assets are not valuable enough to warrant continued investigation by a directive of protocol. Things of this nature should be a red flag to the CSM of a potential inside job. This is all the more reason for a company to search internally for malicious intent, however, executives don’t like to hear this. Another defense (or ammunition, as I like to call it) is selling the executives on weighing their options. What would they prefer to hear; CNN reporting that a bank has internal theft issues and is currently investigating the matter, or that the company is in denial and are reportedly ignoring a potential internal threat of theft? Therefore, more emphasis on mitigation and proactive security measures should be placed on corporate assets overseas.

Another source of ammunition with examples to teach executive leadership a lesson is the public embarrassment that a company endures from these problems, and thus loss in shareholders and consumers. For example, many large shipping companies have endured the hardship of stowaways overseas in international waters. Situations such as this are not exactly a loss of tangible corporate assets, however, they are certainly a security concern. There is still the consideration of embarrassment of the company when the media gets ahold of such information and the company suffers reduced brand value and recognition. Another example is Apple and how their manufacturers in China have seen mass suicide rates within factory employee housing. Although the impact of this negative media attention was negligible, it is still a security concern in that the individuals manufacturing Apple products are, in fact, a corporate asset. The break in direct connection with the fact that these workers were subcontractors is irrelevant. When operating at that level, CSMs must refer to the butterfly effect. The dynamics of security concerns affecting the rest of the company on such a large scale are just as immensely fragile as an eco-system. 

The CSM must sell the programs that allow for safeguards, such as conducting risk assessments, developing protocols and procedures, testing and then implementing those programs, further amending them as needed and educating everyone on the importance of use with every procedure and practice is the only way to protect a corporation’s assets in today’s dynamic world. The managerial responsibilities of the CSM with regards to those procedures are cumbersome enough - selling your executive leadership the need for them shouldn’t be.

You may also consider sharing success stories of companies with fewer resources than your’s and how the implementation of their programs are working for them. Emphasize the seriousness that another corporation (perhaps a competitor) takes in their steps for mitigation. Highlight any proactive approach that you are aware of to show your leadership how useful such a program can be or even perhaps you can improve an existing one that is already working, but for less than the cost that another company pays. This could actually act as company-wide ego boost of competitiveness, with everyone knowing how your company’s program is outperforming for less.

Try to work in correlation with other CSMs as an ally, even if that ally is a competing company, the professionalism between the two organizations should allow for the sharing of knowledge that may allow for economic stability between two or more companies. Just because a company is competing against you doesn’t mean you have to contribute to their demise and the contribution of an increased unemployment rate because you refused to warn them of a mutual threat. Sell the safeguards that will ensure the future of the company and job security for all, more specifically your own.

Sometimes executives need a blunt example, which are hard to come by. A blunt example would be explaining that security is equally as important as the foundation of the very building(s) that a corporation is housed in. If the walls or the roof crumbles, the individuals within are harmed, subsequently the company assets are harmed. Security, with respect to the foundation, is no different. Executives must be convinced that the foundation of the company, both literally and figuratively, in addition to security work hand-in-hand and are one and the same.

Even a “Hail Mary” of desperation could be used, however, but always as a last resort. The CSM could plead to leadership saying: “I can’t protect you unless…” Another way to get leadership to take action is by expressing that your hands are tied and that you have no ability to efficiently protect them without the necessary tools to do so can convey a lack of options. This will hopefully convince leadership that they have no choice but to execute with your recommendations for the safety of the company. Express to your leadership the grave danger and likely consequences of their negligence.

Remember, the CSM is an easy fall-guy when things go south. CSMs should exercise everything within their power to move forward with the most cost-effective and feasible means to deter and combat existing threats to any company’s assets both tangible and intangible.

About the Author: Derek Porter, CHS-III, CITRMS, is the owner of security consulting and protective services firm SecurityGrade.com L.L.C. Derek has worked on multiple levels of the industry both in the military, as a former F.A.S.T. (Fleet Anti-terrorism Security Team) Marine, and as a private contractor. Derek has a B.S. in business management and is studying for his M.S. in security management at the University of Denver.