Throughout my career, I have noticed that security is most often sold using Fear, Uncertainty and Doubt (FUD). However, security is viewed by executives as a sunk cost or an insurance policy based upon the balance of probability that something bad may happen. Threat-risk is difficult to quantify and weigh against business risks, which are measured in 💵. As they say, “If it can’t be measured, it can’t be managed”. There is limited persuasive weight to FUD pitches, in the absence of a clear and present direct threat, or stringent and prescriptive regulations which hold corporate officers or public servants personally liable.
Frame Security as a Business Enabler
Rather, I have found that leading with security as a business enabler resonates more effectively with the C-suite. By this I mean, articulating how security can help:
- increase sales,
- produce valuable business intelligence,
- improve competitiveness,
- derive process efficiencies,
- reduce costs and losses.
If successful, solving for compliance and threats becomes a bonus feature of your solution.
An Example in the Canadian Market
A major Canadian company was subject to substantial capital-at-risk owing to fraud from organized crime, misuse of services by clients, and deliberate cyber attacks by nation states. However, much of this was unseen and off the books. The case for enhanced security was solid but failed to get the attention of the C-suite, who were consumed with more obvious business risks like operating costs, quarterly sales, competitive market pressures and pricing regulation.
I got their attention only after I was able to demonstrate, with security instrumentation and concrete examples, where the company could save over a billion dollars, increase sales with market intelligence and recover a hundred million in fraud. An interesting consideration was that security systems were able to detect misconfiguration, bad process flows, financial mismanagement and business inefficiencies on the way to looking for deliberate threats. They also helped management understand a lot more about the business. Similarly, I used business intelligence systems, network health monitoring, call centres and financial monitoring to assist in security investigations.
So here are some ideas for pitching security as a business enabler aimed at specific Strategic Business Objectives:
Talent Acquisition and Retention
Enhanced security measures enable sound, evidence-based acquisition choices. Active vetting protects the health and safety of your staff while thwarting infiltration. Continuous monitoring provides early warning of incidents, performance issues, accidental and deliberate threat behaviour, intellectual property theft and insider threat detection. Active security controls provide privacy by design and organizational resilience value.
- Pre-hire screening
- Indicators of potential adverse behavioural shifts
- Infiltration indicators
- Resume falsification
- Inappropriate or non-professional on-line behaviour
- Insider Threat detection
- Protection of employee online health, safety, privacy and security by early detection of social media enumeration and pretexting
- Inside sales and communications
Technology Enablement and Process Improvement
Multi-purpose business systems generate economies of scale and allow for cross-domain analysis. Solving the security challenge enables the business. Sensing, fusing and correlating big data across all business intelligence systems provides contextual narratives through visual analytics and an executive dashboard. The result is enhanced situational understanding of the business, real-time evidence-based decision support, and business process flow optimized by examining behavioural norms.
- Integrated business intelligence and security systems
- Real time data collection and analysis of network access and activities
- Early detection of anomalies
- Insider Threat detection
- Executive dashboard
- Big Data with AI/ML
Business Operations Service Delivery
Vulnerability analysis and threat risk assessment establish an asset inventory, make value and impact assessments, determine systemic weaknesses in the business and identify likely exposures from a wide spectrum of threats. A security practice which focuses on risk identification and mitigation will ensure resiliency, continuity and viability of the business by identifying efficacy issues, cost reduction, and cost recovery options.
- Situational Analysis
- Threat and Risk Assessments of internal and external challenges
- Active, ongoing threat mitigation strategies
- Business Continuity planning
- Response and Recovery planning, testing, and execution
- Net Revenue and profitability
Competitive Business Intelligence
Intelligence operations will identify malicious actors, competitors, partners, suppliers and clients as part of a continuously secured ecosystem. Profit centre. Scanning the global market for MARCOM threat intelligence. Supply chain vulnerabilities & Business Intelligence methodologies will deliver unique and valuable insights, not achievable through traditional approaches. Lawful exploitation of data sources and individuals is increasingly a business imperative in a hyper-competitive, globalized environment. Synergies can be achieved by amalgamating business intelligence, security systems and big data.
- Upstream security information
- Early threat detection
- Business situational awareness
- Optimized business opportunities
- Early warning of competitive shifts
- Regulatory and compliance insights
- Global information coverage
- Integrated information stream
- Global Cyber Threat Intelligence
- Cyber Threat Hunt and adversary pursuit
Integrated risk management framework for multi-order and cross-domain risk compliance audit and scorecard.
- Real time risk assessment data generation
- Optimizing risk management and performance indicators
- Cross-domain Accountability measurement
- Automated audit reports
- Converged security and privacy solutions
- Active Cyber Defence and automation
Profitability, partnerships, coopetition, brand protection.
Intelligence-led sales, qualitative business case, targeted messaging and marketing, influencers, power mapping.
Innovation and Trends
Disruptive technology trending, Over-the-horizon risk and opportunity forecasting.
Strategic Planning and innovation, capability development, threat fore-sighting.
Brand Marketing and Communications
Influence activities, counter narrative, data leakage, deception, message hijacking, impersonation, etc.
Measure message resonance and impact, enumerate vulnerable positing, social network and adversaries (identity and narrative). Social engineering protection.
Strategic Business Planning
SWOT matching and converting.
Application of formal risk mitigation process.
Break down stovepipes and silos: confidentiality, integrity and availability; physical, personnel and cyber domains.
Common attributes of confidentiality, integrity and availability. Code of conduct and business ethics.
Network, Supply Chain Management and Critical Dependencies
Interdependency contagion econometrics, geolocation, social semantic and connectivity, contagion of malware, toxic content and toxic assets.
Counter-shaping, Supply Chain security (Availability, resiliency, reliability), Recovery effectiveness, Partner risk assessment, Supply chain efficiencies.