One of the biggest challenges faced by security executives across the board historically has been getting senior management to view the security department as a business enabler rather than a necessary evil. That’s made all the more challenging by the fact that security is still largely perceived within most organizations as a cost center that contributes very little to the overall bottom line.
While the fallacy of that logic is exposed when a CSO is able to point to specific instances in which they’ve been able to protect their organizations against potential losses or litigation through the implementation of risk mitigation strategies and technologies, selling security to the C-suite is still one of the chief responsibilities of security executives today. Learning how to bridge this gap was one of the key themes at Verint’s Engage 19 conference, which brought together security professionals from financial institutions and various other organizations and disciplines last week in Orlando.
“It doesn’t matter how you bundle it, it doesn’t matter how you say, ‘look, I swear we’re saving you money,’ it doesn’t matter how you show them pretty graphs or how you really tie everything together clean, at the end of the day you cost them money,” Rudy Wolter, CTO of Citigroup Security and Investigative Services, told attendees during one of the conference sessions. “Depreciation doesn’t matter. That’s a pipe dream; it’s still about bottom line P&L.”
Regardless of the size of the organization, Wolter says that every security practitioner inevitably faces the same struggle of trying to secure funds from their senior management teams for technology deployments and other initiatives.
“Selling risk is hard,” he adds. “Risk to some people is when the CEO of your corporation shows up at a given building… and your CSO is going, ‘that’s risk, you’ve got to get on top of that now.’ If something happens to your CEO, what’s going to happen to your stock? And who is going to get blamed? The people who cost money.”
While everyone uses video surveillance reactively for post-event investigations, Wolter stressed the need for security practitioners to begin leveraging the technology proactively to help further build the business case for security.
“That’s where we know we can analyze what could be coming and we could figure out how to stop something. If we don’t become proactive and we are reactive, money is out the door,” Wolter says. “You are a cost center, you didn’t stop anything just because we were reactive and we did it after the fact. We jumped on it after it happened.”
Another way security can take a proactive posture, according to Wolter, is by leveraging tools like social media monitoring software which can alert you to events that could potentially impact the business quicker than more traditional mediums. For example, he says they were alerted to the recent vehicle attack in New York City before the police knew about it by using such a platform.
“If you’re not crowd-sourcing, get on board because that is value. That gives you a fighting chance to be proactive and a chance to show straight value so that people believe you are actually looking out for the firm,” he adds.
And rather than trying to get buy-in at the top for a new strategy or solution, Wolter says they start from the bottom up, getting input from frontline employees on what they believe the biggest risks are and how they could be better addressed.
“I want to hear from the grassroots people; tell me what the risk you think is. Don’t make me guess,” he explains. “We do it in all of our buildings – all 13,000 of them – we put it all into a system, track it, and when it is done we get the business that we support in that given building to give us their input as well because they are paying the bill and they’re my customer.”
Driving ROI Home
Aside from becoming more proactive with both technology and processes, Wolter says it is imperative that security executives harp on the return-on-investment that the organization is getting from their security spend with senior leaders.
“If they smell crap, they don’t buy crap. They want answers, they want solutions, and they want safety, security and comfort to put their head on the pillow at night,” he says.
Additionally, Wolter explains that security practitioners need to find a way to quantify the work they do. “You can’t sit in a meeting with a senior executive and say, ‘God, we just had hundreds of cases last year. We worked our butts off,’” he adds. “Where’s my value? Show me value. It is worth doing? You’ve got to protect yourself, but more importantly, you’ve got to protect the organization. You’ve got to spread that knowledge of risk and how to protect on it.”
Of course, even if security managers are successful at validating the ROI they bring to the business, that doesn’t mean that the corporate pocketbook will be freely opened to them to spend on whatever systems they feel they need to adequately address various threats. To accomplish this, Wolter says security needs to engage with business partners across the enterprise to sell risk upstream.
“They are reaching into their pockets to pay for your bills and they’re going to say, ‘why?’ You’ve got to sell it, they’ve got to take it in, and they’ve got to concur and agree and they’ve got to be prepared to say, ‘I’m all in, I agree,’” Wolter says. “Then where does it go? It goes straight up top. At any point in time, we’ve done three things: we’ve let field people – who don’t get a chance to buy-in on a lot of things – the opportunity to buy-in, we’ve given people at the next level the opportunity to work with their peer groups amongst their partners and together we send it upstream to where all of the people sitting in the C-suite all agree. That’s where you get a lot of funding.”
Wolter also recommends that physical security professionals work with their counterparts in IT, who will likely have to sign off on anything that goes on the company network, including cameras, and who can oftentimes pitch in and help pay for it.
Adopting Open Technology
As part of his five-year technology plan at Citigroup, Wolter says one of his goals is to have a fully integrated technology stack. However, the fact that many physical security systems and devices still don’t communicate with each other in a fully interoperable way, he believes, is putting the industry in jeopardy.
“If we don’t take control of this industry… we’re going to get taken over by IT and IT will tell them that you will talk to everything,” Wolter says.
Not only does the proprietary nature of security systems muddy the waters from a user perspective, but Wolter says that, ultimately, it means security as a whole is delivering less value to the organization.
“If the practitioners don’t say, ‘partner, work with us, help us lower the risk,’ we bring no value. We truly are a cost center and we’re just sucking down money,” he says. “Products make the difference. Getting the architecture where it’s not Ph.D. science to run a cable and hook up a camera makes the difference. It lowers the score. That’s what we’re all here for.”
About the Author:
Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist.