Security Is Not The Point

November 11, 2006

Articulating the Value of Security…

It’s an uphill battle to convince the decision-makers in any business that
they need to invest in security. Why? Because deep down, all
professional businesspeople think security is an annoying layer of cost
and inconvenience.

If you walk in and tell them, “We need more security,” they hear, “We need a more annoying layer of cost and inconvenience.”

Getting the buy-in for security products and services today means
understanding what drives your company’s security purchase
decisions—basically, what is going on in the mind of your bosses. Fear,
uncertainty and doubt are not the cleverest tools to use anymore. The
security industry is undergoing changes as it adjusts to the
convergence of IT with physical security, and businesses are changing,
too. Now businesses want something that sometimes seems like a foreign
concept to the security profession: value. If you don’t adapt and start
answering the questions your business is really interested in, you’ll
never get the green light on new projects and upgrades.

Remember, nobody wants security; they want the benefits of security.
That means that the housewife doesn’t want the finest deadbolt on the
front door because of the excellence of its engineering or its impact
resistance. She wants a comfortable, happy place to raise her family.

Businesses also want something other than security. If a bank
manager has a mandate to reduce expenses related to bank tellers, she
has a couple of options. She could fire all the tellers and lock up all
the bank branches, but then the bank would have no interface with its
customers. Or she could take all the money, put it in piles on the
street corner under a clipboard that says, “Take what you want, but
write it down so we may balance your account.” That wouldn’t work
either, obviously.

The best solution for reducing teller expenses is to take the money,
put it on the street corner locked in a box with a computer attached,
and give customers a plastic card for authentication and auditing.

Security was never the point. The bank had a business objective and
achieved it by using some security. That is how we all should think of
security: as a way of helping our companies achieve the goals or value
they seek.

Business managers, especially executives at the highest levels of an
organization, have a very simple view of security: It is a tool in the
corporate toolbox for enabling business. But they don’t even think of
it as security.

The manager responsible for an online ecommerce business wants a few
things. He wants to know who is using his Web site. He wants to ensure
that each one can do everything on that site they need to do. He has a
lot of people doing a lot of things, so he needs an easy way to manage
it. And at the end of the day or the end of the quarter, he needs a
report that tells him what has happened so he can improve customer
satisfaction, reduce errors and increase profits.

In that example we have all four fundamental categories of
security—authentication, authorization, administration and audit—but
the manager doesn’t think of security once! That’s because security is
not the point.

Focus on Value

I have suggested many times that, whenever possible, security
professionals should purge the word “security” from their vocabulary.
Instead, answer the questions inside your boss’s head, and don’t simply
spout the ways security keeps bad things from happening.

Your upper management thinks in terms of money, not security. What
people will be needed? What headcount can we reduce? How much will it
cost? How much will we save? What new revenue can we earn as a result
of this investment? And they think not in terms of security risks, but
in terms of credit risk, market risks and operational risks. That’s
where you can shine.

One U.S. company spent $35 million on physical security upgrades
after 9-11, and $4 million on IT security upgrades. Last fall they
failed their Sarbanes-Oxley audit because of poor security. How?
Visitors were given a badge for the day, but they could still walk
unescorted past cubicles with unattended computers logged into
financial systems. At that moment the audit no longer had confidence in
the integrity of the numbers. Anyone could have moved a decimal point
or added a zero.

If you know your facilities need more security, tell your managers
how it will help them measure or achieve compliance with regulations like
Sarbanes-Oxley: You audit employee behavior, or lock up financial
systems, or shred financial documents, or do background checks, or
secure backup tapes. For any business problem, you should be prepared
to help your management identify the ways that the authentication,
authorization, administration or audit solutions you’re proposing will
solve their problem, or help customers make the gains they hope for.

Remember, it is not our job to secure the building. Our job is to secure the business.
