Are You Ready to Make Your Business Case?
By the Security Executive Council
Value PropositionWhile a business case justifies a specific security action or change, the underlying value proposition lays out the value that the security function as a whole provides to the organization. As such, it lays the groundwork for any business case.
A Security Leadership Research Institute study found that 57% of responding security leaders considered the business value of security to be the most important concept they needed to communicate to management.
Figure 1 below shows that the three top concerns regarding lagging security programs have to do with executive support. In some cases, security may not be providing executives with the value proposition or the larger business case to justify expenditures or change.
Dan Sauvageau, SEC emeritus faculty and former Senior Vice President of Global Security Operations with Fidelity Investments, recommends presenting the value proposition in a succinct one-page format that can be quickly communicated. A strong value proposition "connects to the business, knows its audience, says what you're trying to protect, says what services you have in place to protect those things, and says what's in it for the organization," Sauvageau says.
He recommends the security leader identify what he calls the crown jewels of the organization – the high-level assets (both physical and conceptual) that must be protected at all costs. Nearly all businesses would begin this list with brand reputation and employee safety, for instance.
Then, he says, identify and communicate the internal and external threats to those assets.
Then list the services you provide that protect against these threats.
All this can be communicated in an intuitive, visual document that can be presented or provided to executives and other leaders in the organization.
Building the Business CaseHaving the value proposition already defined will lighten the load of developing a business case, but there will still be a lot of work to be done.
A strong business case is based on data. Build or maintain partnerships with other functions that enable you to access relevant data they have collected. Be prepared to compile and communicate security data in a meaningful way. Review key performance indicators and other security metrics to see how they support your business case.
Brad Brekke, SEC emeritus faculty and former Vice President of Assets Protection and Corporate Security for Target Corporation, emphasizes that the business case must be built upon a deep understanding of the business and security's role and strategy within it.
"I'd recommend you conduct this exercise: Study your business. Know how it operates, how it makes money, how it's set up, what its strategy is – for instance, is it a growth strategy, an expense-driven strategy, a service-driven strategy. Know the culture and risk tolerance of your organization and know the voice of its customer," says Brekke. Brekke also cautions security leaders not to undervalue the importance of storytelling. Each organization has a language that resonates with management. Consider the language of the brand and the language of the organization's business as you develop the story you will tell and as you make your business case.
You may find it helpful to reframe some security language to better reflect business value. For instance, because one of Target's foundational goals was to focus on the experience of the customer, conversations about shoplifting became conversations about enabling the guest experience.
Next StepsDeveloping strong business cases is not a skill that many security practitioners have. It is not something that is generally taught in educational institutions and there is seldom opportunity for gaining experience out in the field. This is where the Security Executive Council can help. We consist of successful leaders of security programs that can apply our knowledge and experience making effective business cases to top organization executives. Contact us to discuss how the SEC can help you gain acceptance for your program.
For more resources on this topic see Demonstrating Value: Communicating Value
Watch our 3-minute video to learn about how the SEC works with security leaders. Contact us at: contact @secleader.com.
Copyright Security Executive Council. Last Updated: October 1, 2019
You can download a PDF of this page below: