Getting Your Security BCase Approved

Two of the more influential moments in my career have been when I was asked to measure the unmeasurable. You know that you are doing interesting work when the Engagement Partner on a project says, “I’m not sure how you’re going to do it, but we (meaning me) need to figure out how to do it because it’s in the contract.”

The “it” in question was a business case to support a strategic roadmap to centralize and standardize IT service desk operations at Halliburton. I wasn’t happy with my situation. It felt impossible.

Best case scenario, we had about half of the financials, operational metrics, workflow, and resource data available. We (I) was flying blind. A number of you reading this blog are in a similar situation, trying to make a business case for security resources (money, people, time, or all three).

  • The impact of security on customers and revenue is often unclear. Most organizations do not include security as a factor in their business strategy and annual budgeting process. The presence of security is assumed. The absence of security is ignored.
  • People will lock the door or tuck their heads into the sand when they hear “security.” Business and technology leaders fear missing their commitments or goals. They believe that security will slow them down.
  • The current state, i.e., your starting point, is uncertain. Without a clear starting point, defining the end state is challenging. Operating in China has been a long-standing priority for a number of companies, despite the shifting landscape and uncertainty. In the case of making security a priority, organizations use uncertainty as a risk for doing nothing.

The culture at Halliburton was not receptive to long narratives, but they valued data-based decisions. They were reasonable people. Reviewing 100 pages in an hour simply defies the laws of physics.

I also learned that the reason my team was on site in the first place was that the first two business case presentations of the same strategy had failed. It was a naked power grab without backing data. The prior attempts were also boring and uninteresting.

Here is the framework and approach that I used to get the business case approved at Halliburton back in 2006. I have repeatedly used this framework to articulate business cases for board level approval. It is clean, easy to understand, and does not require months to create.

Visualizations are Your Friend.

Most business cases are word salad: pages of inscrutable 10-point font. There are other frameworks available, but the Value Levers are a well-received visualization. I first used them to make our case at Halliburton. We had an executive summary presentation, focusing on visuals, supported by detailed data (as much as we could attain) for those that were interested.

Essentially, you are applying known facts and industry trends to your specific business context, e.g., the cost of acquiring a new customer, current sales, and the voice of your customer.

Here are the Value Levers, applied in the context of a jewelry manufacturer and retail supplier.

Business Value.

In the example above, we are making the case for Security as a key part of our strategy. Security is often seen as a cost center, rather than a competitive advantage. Given the number of customers, particularly Fortune 500 customers, that are taking a hard look at supply chain continuity from the perspective of information security, customers will leave untrustworthy or risky businesses if they have alternatives available.

  • In the example above, we are naming well established customers and applying those anecdotes to the larger data set and case for business value. We’re making assumptions grounded in small data sets since we do not have access (and we may never have access) to a complete data set.

Top Line Impact.

Articulate the positive impact that Security improvements and focus will have on capturing new customers and retaining existing customers. Incorporating Security into your marketing messages, sales demonstrations, and customer-facing activities may not directly drive a sale, but using reasonable assumptions, you can shift the view of security away from being a pure cost center.

  • For example, assume that Security as a competitive advantage would make a difference in 10% of our sales or retention efforts. In the example above, Security (and a lack of Security at a competitor) may be the deciding factor for a potential customer like Wal-Mart or an existing customer like Target.

Bottom Line Impact.

Most Security business cases focus on this half of the business equation. Unfortunately, these cases are typically focused on the existential fear of a breach or data loss. Those are valid points, but business executives typically speak in revenues and costs. How will Security help them avoid costs or improve productivity? Understanding their pain points and the pain points of their staff allows you to tap into that narrative.

  • For example, in the case above, the Target findings, frustrations with multiple logins and passwords, and the near miss with the departing salesperson are all likely a part of the office narrative. Those events were probably discussed a number of times over the water cooler or represent a fair volume of the support calls received by IT. Beyond the frustrations that these friction points cause, there is a real financial cost.

No Surprises.

There is an art to running executive meetings. The best advice that I can give on this subject is to avoid surprising your audience. Surprises are only fun on your birthday and only if they involve cake and presents. Individuals taken by surprise that hear a proposal or a request for a decision for the first time in a public setting are highly unlikely to decide in the moment.

Meetings before the meeting

  • Before meeting with a full group or committee, identify your key stakeholders and influencers. At least a week before your presentation or business case is due, set up time to review it with the influencer(s).

Summarize the decision

Do not assume that the full case will be read. If your audience reads the materials, that is a big step toward ensuring that no one is taken by surprise. The executive summary assumes that people will not read the full case. On three slides or less, the request, return on investment, and recommended path forward are clear. Save it as a PDF and send it so that people can easily consume the document on their tablets or smartphones.

  1. What are the problems that we are trying to address and what is the ask?
  2. What is our high level return on investment, e.g., the Value Levers?
  3. What are our assumptions and your recommendation?

48 hours

Share your presentation and business case with the audience at least 48 hours in advance. How many times have you been on your way to a meeting, only to receive the agenda and supporting documentation as you dial into the web conference? I find this immensely irritating and it does not put me into a mood to make a decision. Most executives feel the same way.

Run It.

You can find plenty of articles focused on running a meeting. Here are my suggestions for running a meeting to review the business case for security.

Step through the Summary

Three pages. 10 minutes a page. Leave half of your time for questions and dialogue, particularly if your desired outcome is a decision.

Manage by Exception

Do not read to them. Politely and gently explain in terms that they understand, using the Value Levers to drive your terminology and language.

Understand their Mindset

Security is likely unfamiliar, highly technical, and scary to your audience. They are running from meeting to meeting. They didn’t read because they didn’t have time.

Live to Fight Another Day

If the decision or your desired outcome is tabled, take the win. The practices and habits above, from the Value Levers to the actions before the meeting, are highly unusual. Common sense is not very common, which is why you can differentiate your business case and move to the hard work of implementation.

Guest Author: Matt Leathers, Senior Consultant at Kettle Consulting Group, with over fifteen years of consulting and industry experience, working for some of the leading consulting firms in the world.
