Demonstrating the Value Security Brings to the Organization


For over ten years the Security Executive Council (SEC) has been working with leaders of security programs worldwide. While doing so we have been collecting information about what separates world-class security leaders and programs from others. Our findings show that one of the greatest differentiators is the ability to demonstrate the value security brings to the organization.

Over time we have built up a knowledge base of methods and techniques that contribute to demonstrating value. We recently conducted a survey to get an idea of how widespread the use of some of these indicators was among our community.

From our many years of research we have found that top scorers have…

A security metrics program that measures value.

When first initiating a security metrics program, many rely on showing activity, e.g., how many badges were issued or how many investigations have been completed; or, as a step up, they show how their processes are becoming more efficient. This is a good start, but the metrics that resonate with senior management are those that show a desired impact on business goals. Some examples:

  • Customers captured or retained, award fee contribution or client satisfaction acknowledged as attributable to proactive or reactive security measures.
  • Reductions in employee interaction with time-consuming security measures.
  • Reduction in cost of compliance with security-related regulations or cost to insure.
  • Percent of reduction of security-related incidents attributable to improved security measures.
  • Advertised and demonstrably effective security measures that enable customer satisfaction and are a potential draw for new customers and sales. Being "the secure choice" is a plus to the bottom line.
  • Security department customer satisfaction survey that asks how well respondents understand security’s awareness messaging and how effective the communication medium is.

A framework for scoring risk, mitigation plans and calculating residual risk.

This gives Security a metric that measures the primary reason the organization has a security function in the first place: the reduction of risk.
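The page does not prescribe a scoring formula, so the following is an added illustration (not the Security Executive Council's own framework or code) of what such a framework looks like when written down: each risk gets an inherent score, each mitigation plan states how much it reduces likelihood or impact, and the residual score and the register-wide reduction percentage become the reportable metric. The 1-to-5 likelihood and impact scales, the multiplicative reduction model, the floor of 1 on each scale, and the sample risk register are all assumptions made for the example.

```python
"""Added example of a risk-scoring / residual-risk framework.

Assumptions (not from the source page): likelihood and impact are scored
1..5, inherent risk = likelihood * impact, each mitigation reduces
likelihood and/or impact by a stated fraction, and neither scale can drop
below 1 (a risk never becomes "impossible" or "harmless" on paper).
"""
from dataclasses import dataclass, field


@dataclass
class Mitigation:
    name: str
    likelihood_reduction: float  # fraction 0..1 removed from likelihood
    impact_reduction: float      # fraction 0..1 removed from impact
    status: str                  # "implemented" or "planned"


@dataclass
class Risk:
    name: str
    owner: str                   # the business risk owner, not Security
    likelihood: int              # 1..5
    impact: int                  # 1..5
    mitigations: list = field(default_factory=list)


def validate(risk):
    """Reject out-of-range scores so bad data cannot hide in a report."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.name}: likelihood/impact must be 1..5")
    for m in risk.mitigations:
        if not (0.0 <= m.likelihood_reduction <= 1.0
                and 0.0 <= m.impact_reduction <= 1.0):
            raise ValueError(f"{m.name}: reductions must be within 0..1")
        if m.status not in ("implemented", "planned"):
            raise ValueError(f"{m.name}: unknown status {m.status!r}")


def inherent_score(risk):
    """Risk before any mitigation is credited."""
    return risk.likelihood * risk.impact


def residual_score(risk, include_planned=False):
    """Risk after crediting implemented (and optionally planned) mitigations."""
    validate(risk)
    likelihood = float(risk.likelihood)
    impact = float(risk.impact)
    for m in risk.mitigations:
        if m.status != "implemented" and not include_planned:
            continue  # planned work earns no credit until it is delivered
        likelihood *= 1.0 - m.likelihood_reduction
        impact *= 1.0 - m.impact_reduction
    return round(max(1.0, likelihood) * max(1.0, impact), 2)


def risk_reduction_percent(register, include_planned=False):
    """The value metric: share of inherent risk removed across the register."""
    inherent = sum(inherent_score(r) for r in register)
    residual = sum(residual_score(r, include_planned) for r in register)
    return round(100.0 * (inherent - residual) / inherent, 2)


def report(register):
    """Rows suitable for a Board-level table: one line per risk."""
    return [
        {
            "risk": r.name,
            "owner": r.owner,
            "inherent": inherent_score(r),
            "residual_now": residual_score(r),
            "residual_planned": residual_score(r, include_planned=True),
        }
        for r in register
    ]


# Constructed sample register (values invented for the example).
RISK_A = Risk("Loss of customer data", "CIO", likelihood=4, impact=5, mitigations=[
    Mitigation("Access review programme", 0.5, 0.0, "implemented"),
    Mitigation("Encrypt data at rest", 0.0, 0.4, "planned"),
])
RISK_B = Risk("Facility intrusion", "COO", likelihood=2, impact=3, mitigations=[
    Mitigation("Badge access + guard force", 0.75, 0.0, "implemented"),
])
REGISTER = [RISK_A, RISK_B]

if __name__ == "__main__":
    for row in report(REGISTER):
        print(row)
    print("Risk reduction today:", risk_reduction_percent(REGISTER), "%")
    print("Risk reduction with planned work:",
          risk_reduction_percent(REGISTER, include_planned=True), "%")
```

Reporting the two percentages side by side is what turns the framework into a value story: the first number is what Security has already delivered, the second is what the next budget cycle buys. Keeping the floor at 1 on each scale stops a long list of mitigations from arithmetically "eliminating" a risk, which is the kind of claim a Board will rightly challenge.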

A quantitative grasp of their resources and capacity, and the ability to articulate this to senior management.

Security leaders systematically collect, identify, analyze, and report on security services and measure their business value. This process can include creating a master list of security services by program; FTE commitment by service by internal customer; criticality and/or satisfaction ranking of services by customer; a cost-of-security calculation by service by customer; and results reporting. The SEC calls this process a critical part of "running security as a business."

A "brand" for security, and the ability to tell the brand story to a diverse set of audiences throughout the enterprise.

This is more than the traditional mission, vision and strategy statements. In order to brand Security as a value service, security leaders:

  • Make sure security programs and services are linked to significant corporate risks and the mitigation strategy demonstrates risk reduction value.
  • Show specific examples where and how security programs are aligned with the business.
  • Promote the cross-functional team roles that need to exist for the good of the enterprise.
  • Define a way that risk owners and the mitigation team can work together by identifying roles and ownership.
  • Build management confidence in capabilities and long term plan of the security function.
  • Have a brand value story that defines Security’s philosophy and strategy in a way that builds executive confidence and support.
  • Broadcast a brand value message in as many platforms as possible in the organization.
  • Know that the security leader is not the sole "storyteller"; all of the security team can and should articulate the message.

An alignment between their security services and Board-Level Risks™ and the organization's enterprise-level risk assessment.

Security leaders do this to create awareness of the Board-level risks and of the role and boundaries of all staff groups (including Security) in mitigating risk. Security program services are defined and mapped against the corporation's most significant enterprise risks using the language of the Board (or senior management). This often results in eliminating duplication and confusion of services across staff departments, identifying gaps in risk mitigation, and fostering effective working relationships between staff groups. They also use this alignment during Board-level presentations to show a direct connection between the risks the Board members are concerned about and Security's strategy for reducing those risks – that is, the value of Security.


For More Information on the Topics Discussed Above:

  • Managing Enterprise-Wide Board Risk
  • Case Study: Risk Management and Security Metrics at Boeing
  • The Importance of Security's Brand Image
  • Turning Incident Based Data into Metrics
  • Discovering the Total Cost of Security to the Enterprise
