In the third installment of this series, Tim Wenzel, CPP, Co-Founder and President of The Kindness Games, explains how security leaders can move beyond the “cost center” misconception.
Alright! So you’ve found yourself! At least according to my last article:
Now your message is catching on.
Stakeholders are starting to hear you and see the value in these ideas.
Meeting after meeting, momentum builds and now, you get to make your pitch to the decision makers.
As you deliver your closing line, your supporters are all smiles and then the C-something or other asks: “This sounds like a big issue. Why are we just now hearing about it?”
You regale them with the tales of coffee meetings, garnering support among a coalition and finding your message, “which really showcases our maturing department. In security we pride ourselves on being quiet professionals.”
C-something: “I see your point. You’re right, we don’t normally hear from security… but this is a timely issue. How is this impacting our organization? What metrics are you tracking?”
Security Director: “Well, we see this issue affecting this entire industry. All your peers are grappling with this right now. It is quite clear that it will be impacting the company in the future, but as of right now, we haven’t seen any incidents. You can’t really prove a negative.”
C-something: “Right! It’s good that we haven’t been impacted yet. What are the atmospherics which would help us understand when this is becoming a problem for us?”
Security Director: “That can be difficult. We have a world class team working diligently to monitor the threat landscape. We have many deterrents in place as well, so it’s difficult to know if our organization is not being targeted in this way, or if our security apparatus is so effective that they’ve chosen other, softer targets. To be safe, we really need to invest in this new security program to mitigate this risk if a threat actor were to choose us as their next attack.”
C-something: “I’m glad to know we have such an advanced security department! What would it take to get this program up and running?”
Security Director: “There are many ways to accomplish this; we’d have to do some research to understand what would be best for the company. I would say the range is $500k to $2m annually.”
C-something: “That’s a big range. $2 million is quite the budget expansion. Without hard data how could we justify this addition?”
Security Director: “Well, we should have a bigger budget; we’ve had to cut back over the past couple of years and, you know, being a cost center, it’s hard to be identified as a priority by the enterprise.”
C-something: “Let’s think about it! Do that research and send some solid numbers to my EA. Good luck!”
Last year at the Converge conference in Anaheim, I gave a presentation on the Modern Corporate Security Organization.
I identified the following lies we in security believe about ourselves.
What’s more, we’ve convinced our organizations to believe them as well!
Grow up!
It is time to discard and burn every legacy mindset that we’ve brought from government service.
These are all excuses as to why we are “special” and should not be treated like a business unit!
This is exactly why we aren’t treated like business units. This is why we have no budget, are the first to be downsized, and have no career trajectory and no influence…
If you look across the Fortune landscape, the biggest cost centers are legal departments.
They cost far more than you and I and they have far more influence.
Legal can get the reputation of being the “department of no,” but when they say no, the conversation is often over.
We’ve been saying no for years and our organizations just stopped listening to us.
Lawyers are masters of risk management, in the legal sense.
They have trained themselves to follow logical paths to conclusion.
They can see the most probable outcomes at the end of each option and they can tell you how it will unfold with striking accuracy.
Security Director: Don’t promote a good security idea or trending issue just because it is a good practice or trending issue.
Work with your stakeholders and find out exactly how this might impact your organization in varying degrees of severity and identify the parts of the business impacted.
Lawyers tend to be dispassionate.
They talk and act like they don’t care one way or another.
They generally appear to be unfazed by questions, criticism of a strategy or the questioning of the likelihood of an outcome. They don’t take it personally!
Security Director: Don’t fall in love with your ideas or dream programs.
Build a good case for what you need and why. Do the research, price out all the options, and understand how each option will affect your organization and to what degree it will protect it.
Get the case studies and tell the stories of similar companies who have and have not done these things and how it worked out for them. Be fair and equitable in these case studies.
Not everyone who doesn’t do something has a cataclysmic incident. Be dispassionate, provide the facts and learn what the atmospherics are that apply to your organization.
Lawyers tend to know exactly how often a specific legal issue surfaces within their company, whether or not it negatively impacts the organization.
How do they get these metrics?
Security Directors: We have an irrational fear of not being ready to save the day.
The best way to get data is to ask for it. If you see a vulnerability that needs to be addressed, or you think you need a security program but can’t quantify the need, ask the organization.
Provide training to the employees about whatever it is you need to be able to measure.
Teach them what the problem is, how they can recognize its potential or if it’s actually happening within the organization and how to report it.
Use follow up surveys to increase engagement and to tailor your approach.
Why do you think you have to do legal and ethics training so often?
It’s not your job… By training the employee base, people begin to recognize the issues and they can report them, bringing you real data.
You’d be shocked to know how many C-somethings are unable to recognize security issues or incidents because they’ve never been told that it’s a security problem.
This takes us back to question 1: Why are we just now hearing about this?
Finally, now that you have a true business case built, complete with proper stakeholder input and engagement, you banish that vulgar cost center term from your filthy mouth!
Be confident, you’re on your way to becoming a business unit, just like legal…
What other lies has security believed?
What myths must you dispel from your organization?
Find the full A Seat at the Table series here. Keep an eye out for the next installment, coming soon!