Security is a business enabler. Business-savvy security professionals intuitively understand this, but it can be challenging to articulate the security team’s value to the leadership team and other business units. The design and function of a security program will vary greatly based on an organization’s industry. And some business units view the security team as one that restricts proposed activities as ‘too risky’ instead of a team that advises the business on how to mitigate risks for key objectives.
However, there are consistent principles that can be used to create and fund a program – and show that security is a business enabler. Topo.ai strategic advisor Bob Pocica has written a series of articles, “How CSOs can Strategically Keep Security on the Map,” for Security Magazine. It explores how to help an organization understand that security is a business enabler, by thoughtfully designing, measuring and evaluating a security program.
Pocica explains that a CSO needs to conduct due diligence on a company’s operations and profitability, prior risk experience, risk tolerance and existing programs before they initiate new strategies for managing the company’s risk profile. One aspect of that due diligence is understanding profitability:
Understand the Key Drivers of Profitability
The drivers of profitability (and market capitalization) might not be obvious to you, but they are salient to the key business leaders. As a CSO (or ranking security officer), you need to be a business leader who can connect safety and security to the organization’s bottom line.
If you haven’t already, you should conduct a detailed assessment of your organization’s business model, assets and structure – and know how they relate to physical risk mitigation. There are several places you can gather this information. Industry/trade publications can be a fantastic source. If your organization is publicly traded, its 10-K will be instructive – as will the 10-K of any competitors. You can search for them, along with other public filings, using the US SEC EDGAR database.
Your colleagues can also provide invaluable guidance. Make sure to speak with key stakeholders and business leaders at different levels of the organization and look for any available data to inform your analysis.
At a high level, what are the strategic assets that drive revenue or profitability for your organization?
The answer to this question relies on many factors, including the applicable industry, organizational structure, primary product(s) and market(s) and others. You want to address this question with a balanced level of specificity. For example, a manufacturer of consumer electronics relies heavily on its intellectual property (e.g., product design and capabilities), its highly skilled workforce (e.g., to design and test the products), its manufacturing facilities and personnel (e.g., to produce the products), its distribution channels and networks (e.g., so the product can be shipped and retailed) and a variety of other tangible and intangible factors that make it unique among competitors. All these characteristics create different facets of an organization’s risk profile.
Here are some assets to examine as part of your analysis:
- Facilities that store valuable assets, with an emphasis on high-value inventory, data centers, large sums of cash, sensitive/restrictive areas and any other factors that make a given location important or indispensable to the organization
- Production facilities or development offices
- Distribution centers and systems
- Key suppliers
- Retail centers and key customers