Getting Your Security Business Case Approved

Last month, I shared an approach to getting your security business case approved. This month, I will break that approach down into actionable details, expanding on the “Visualizations are your Friend” concept and the value levers that I shared.

Know your audience:

Your security business case requires time, resources, and funding. Even if the plan is only to start every meeting with a five-minute “security moment,” approval and buy-in from leadership will determine success or failure.

What challenges keep your colleagues up at night?

Ideally, these issues and challenges are already clear to you. Frequently, though, security and technology professionals are measuring a completely different problem set from the one their business colleagues care about.

When your colleagues speak a different language, your acronyms and terminology are going to confuse and frustrate them. NIST scores, GDPR requirements, and phishing campaign results are abstract to them. Same-store sales, stock-outs, Monthly Recurring Revenue (MRR), and renewals command attention. Most of your business counterparts focus on three things:

  1. Acquiring customers
  2. Keeping customers
  3. Supporting customers

As a Key Enabling Function, your Security business case needs to articulate how it adds value to, and reduces risk in, customer-focused activity.

  • Are you planning for supply chain uncertainty?
    • Security Focus:
      • Do your supply chain continuity plans include a way to audit and verify second and third tier supplier information security?
  • Is Amazon casting a shadow over your industry, products, or services?
    • Security Focus:
      • As we make investments or acquisitions to drive growth, are we including information security risk as a part of our decision?
  • How do you enter new markets successfully?
    • Security Focus:
      • How do we ensure that new products and the people that we hire to support them are safe, secure, and efficient?

Frame the value of your Security business case in the context of Acquisition, Maintenance, and Support. How will improvements to your Security metrics help the business or organization along each of these three dimensions?

Use the Familiar:

French Bulldogs in a business presentation are memorable. However, they are not appropriate for a presentation to investment bankers or the audit committee. If you know your audience, you will know what is acceptable and what is not. Whatever the audience, use photographs.

Photos:

Photographs create empathy and understanding. They can crystallize a concept or idea. Business leaders are used to seeing data visualized in a “flat” manner.

For example, if I were speaking to business leadership to get support for a plan to include Security in our M&A activity, I would kick off the presentation with a screen grab from the New York Times’ coverage of the Marriott – Starwood breach.

Note: I don’t have rights to the Times’ content. Attribute your sources and creators. https://unsplash.com/ and https://thenounproject.com/ are great sources of free, attributable content.

Flow:

Outline work in the context of the people who do it, when they do it, and the tools they use. Anchor your Security plan in how you will help make that work consistent, efficient, and innovative. Demonstrate how you will remove friction rather than add it.

Below is an example of a Supplier Onboarding process flow from a Delivery and Logistics client:

In order to talk about how we would securely onboard Supplier relationships, we first had to understand how our sales, warehouse, and finance teams actually worked. In a one-hour working session, we identified key personnel, key steps, and key tools.

In the context of the diagram above, we identified unnecessary levels of access and duplicate systems that made work harder, rather than easier. Using this level of detail, along with their Supplier dashboards and customer satisfaction reports, we aligned Security improvements to improving Top Line and Bottom Line business metrics.

Figures:

Charts and diagrams are often visually dull or “flat” data that do not inspire decisions or actions. Be judicious in terms of how you use information and data to support your business case.

Note: Presentation Zen by Garr Reynolds, Catherine Madden’s blog http://catherinemaddenrelay.com/, and Hans Rosling’s TED talk have been helpful to me. https://www.ted.com/talks/hans_rosling_shows_the_best_stats_you_ve_ever_seen?language=en

For example, I gave a talk a few weeks ago on the importance of Key Enabling Functions to businesses and organizations that grow and thrive sustainably. My audience was a mix of technology and business entrepreneurs. The graphic below is the only graph or chart that I used in the 45 minute presentation.

Using the figure above, I talked about the importance of achieving a Level 3 of Resilience in the context of playbooks. Security professionals will notice parallels between this scale and objective measures, e.g., NIST, CIS Controls, etc.

Everyone has a methodology or a playbook. The question was whether long-term success remains viable and sustainable as people, rules, and technology trends change. People intuitively understand the concept, but having a familiar foundation made the difference between constructive and confusing.

Recap:

Most business leaders are well aware of the need for Security. Anchor your case in visualizations that are high impact, familiar, and illuminating.

Guest Author: Matt Leathers, Senior Consultant, at Kettle Consulting Group, with over fifteen years of consulting and industry experience, working for some of the leading consulting firms in the world.
