Latest News & Updates

March 13, 2024
 / 
Articles
 / 
Mgmt Strategy

Research finds that company security leaders—as a group—do an insufficient job promoting the value of their function. Things have improved in this regard, but the mission is hardly accomplished. Security’s full range of benefits are still largely unrecognized by the businesses that enjoy them. What can the security leaders at organizations do to get security’s true value recognized? This article provides security executives with a game plan for securing a bigger budget, greater influence, and more prominent standing.  

Key Points

  • The discrepancy between the perceived value of security and its real worth should propel security executives to become better communicators of security’s worth.
  • Communication should extend beyond how the function protects assets and relate the ways in which security crucially supports business activities.
  • A four-step plan can help organizational security leaders: (1) from a comprehensive list of potential benefits, identify the ones that security meaningfully provides to your organization; (2) highlight the value internal security provides to external partners/customers; (3) develop a communication plan; (4) investigate additional value streams.

Security executives have a habit of keeping their heads down and—without much fanfare—getting the job done. While it’s a noble trait, it probably hasn’t done the industry any favors, according to research based on a survey, group discussions, and one-one-one interviews with security and other business professionals (“Beyond the Protection of Assets: The Broader Benefits of Security,” Perpetuity Research & Consultancy International). The study concluded that security’s value is not fully recognized—and that security professionals haven’t done all they can to address that problem.

“One issue that cropped up time and time again, was that even when senior managers were on board, this may not filter down through the organization. As a result, staff may only truly value security when things go wrong and they need help,” according to the research.

“Indeed, the primary conclusion from this study is that security generally has undersold itself.”

The significant discrepancy between the perceived value of security and its real worth should propel security executives to become better communicators of security’s worth. And there is plenty of work to do in this regard, suggests the research. Even the very definition that many people have of security—that of “asset protection”—works against it. This limited view ignores the broader benefits of security and the ways in which it crucially supports business activities.

Security directors have been complicit by failing to sell the true, broader value of security, the report concludes. “The worst part of it is that the security sector has kept many of the benefits it generates a secret and permitted a focus on bad security with all its power to disrupt and undermine good business,” notes the report. “Security staff have not been good at promoting security and the impacts it has; security typically adopts a rather self-defeating stance.”

What needs to change?

Security leaders should not limit their communication to how the function protects assets. Instead, they should relate the ways in which security crucially supports business activities. Don’t let security be merely a backdrop—providing protection and ensuring compliance only to be noticed when things go wrong. Steer the discussion of security toward the benefits that it provides to the business functions that it serves.

It’s not an easy job, as there are significant barriers to change. For example, since security is largely intangible and often difficult to measure in concrete terms, its value can be hard to gauge (much less promoted). And the stakeholders whose perception you need to change are both varied and numerous. Finally, there are also real limits to what security leaders can do, as responsibility for security is diverse, and many of those with security responsibilities are not well placed to extol their virtues.

What does it take? Communication is key. “A key challenge for security is to better communicate the benefits and in doing so, to better ‘sell’ itself,” says the report. “If this is not done, security will continue to be associated with negatives rather than positives.”

Derived from past research and recent interviews with industry leaders, here is a 4-step plan to earn better organizational appreciation of security’s value.

1. Make a list. Security benefits organizations in myriad ways, from preventing financial losses, to protecting reputation, to driving operational efficiencies. Depending on an organization’s business, some security benefits are more critical than others, and to promote security’s value, security directors should make a comprehensive list of benefits to which their security departments can legitimately lay claim. For a comprehensive list from which to compile your list, consult Understanding, Calculating, Communicating and Maximizing the Value of Security.

2. Focus on customers. One of the most critical business benefits to security is that it fosters good customer and client relationships. In business surveys, it is common for company CEOs to agree  that customers and clients are less likely to trust organizations with poor security. What does this mean for security leaders? It indicates that to successfully sell security’s value, security directors should develop a deep understanding of the ways in which their department helps to foster positive relationships with customers and clients, and then make that case to internal business managers and other internal stakeholders.

One frequent link is that “security engenders trust, which is also an enabler for good working practices between colleagues, management, clients, customers, and partners,” notes the study. For example, a company with robust security can allay customer concerns about being able to supply goods and services in an emergency. Understanding the role that internal security plays with respect to external partners, clients and customers is key to highlighting the value of security.

3. Develop a communication plan. The discrepancy between the perceived value of security and its real worth should propel company managers that represent the security function to become better communicators of security’s benefits. There is plenty of work to do in this regard, according to academic research. Communication about security is usually fear-based; that is, what might happen if security fails. The positive aspects of security are less often promoted.

What, then, might an internal communication plan for security’s value entail? Some recommended communication strategies:

  • Aim to be an ambassador for security. When security directors accept this role, security is more likely to be appreciated, the report concludes.
  • Use security metrics when they are appropriate and meaningful. They’re another avenue for communicating the contribution of security.
  • Use a variety of communications tools, e.g., newsletters, security awareness training, and meaningful, helpful engagements with staff during routine activities. Generating a good feeling about security is in part about communication, notes the report.
  • Focus messaging on security ‘integration’—not in a technical sense—but with the goal of making security a part of business operations.
  • Engage staff with simple security messages. The best way to get staff to appreciate security is to “have simple messages that people can understand and follow,” said one retail security manager.
  • Investigate new communication channels. Technology and social media afford security departments the opportunity to engage with the organization and its stakeholders more directly and meaningfully. But as an industry, security has yet to fully exploit it, according to the Perpetuity Research study.

4. Investigate new value streams. Research shows that the existing benefits of a security operation probably aren’t appreciated and need to be better communicated to senior management, middle management, and staff. However, security leaders shouldn’t only aim to communicate existing benefits better; they should also examine how security might drive additional organizational value. Security solutions today are not just tools for incident and loss prevention, they are business tools that help companies make better-informed choices and solve problems. 

Some security executives said it helped them to think of themselves as an entrepreneur/CEO and the security department as their company. Using this mindset can help security executives focus on ways to “grow their business.” The director of global security at an IT consulting firm explained at an international security conference how he used this approach, encouraging his firm’s IT professional services to include advice on the physical security of network systems as part of its consultation services to clients. “Our department raised its hand and said, ‘you need to include physical security in our offerings to customers’. It was a missing piece that offered value to customers,” he explained. His organization took him up on his proposal and included physical security within its IT consulting services portfolio, netting his company more than $100,000 in annual sales revenue. 

Of course, a business can also grow by gaining market share, something security departments should consider whenever management wants a new program that needs an owner. “Our company wanted to offer a shuttle service for employees to the public transportation station, and that is the kind of thing a security department needs reach out and grab hold of,” explained another CSO conference presenter. By expanding its services, a security department (the “company”) becomes more indispensable to the organization and increases opportunity to translate service into value.