Question: How can I make a strong case for a security project that is innovative and forward-looking rather than reactive to a specific event?
When my security department led cross-functional teams against the workplace violence risk in the 1980s and 1990s, we were able to demonstrate injury, cash loss and turnover reductions with an estimated 250-percent return on investment at Southland, Jerrico, Hardees and Starbucks. Those results were, in turn, leveraged for improved hiring diligence, fraud detection and network exception reporting. Each demonstrated incremental loss avoidance and return.
Evolving compliance or mitigation requirements are subsidized when we make leadership clients aware of measured investment performance using a relevant cross-functional stakeholder approach. Risk mitigation enables the business plan. Brand reputation benefits from improved safety, loss avoidance and cost improvement. Our relative success begets proactive security re-investment.
It is also true that the general role of any business function or unit is to enable or execute the mission of the business. That gives the security practitioner a secondary purpose, and with today’s networked technologies, there are non-security benefits that security technology can bring to the business.
These are the areas in which a security practitioner has a mandate to be proactive: reducing risks (which includes increasing security effectiveness), reducing costs and adding value to the business. A strong business case for any proposed security initiative will be based on one or more of those, and will educate management if they are not already aware of the needs or benefits involved.
Getting your project cast in the light of how it will enhance the brand, improve the customer or employee experience, or enhance the company’s product offerings will give your business case a positive impact rather than negative one.
Next Month’s Question: From a risk management perspective, how is security in cloud computing different from security in outsourced services?
For more information about the Security Executive Council, please visit www.securityexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the SEC and reprinted with permission. All rights reserved.