In our webinar we invited representatives of key C-suite stakeholders to discuss how physical security leaders can navigate buy-in for security.
Our panelists gave valuable insights into how and when the C-suite makes decisions, which data to present to make the case for physical security investments, and how to make the best impression with high-level executives who have the ultimate say and buying power.
Here are the top things we learned:
1. Quantify impact and demonstrate that security supports other necessary business functions
Something we're pushing in the security industry is moving security from a cost center to a business driver. Communicating that effectively is one of the most important things in getting executive buy-in. A few ways that I've seen organizations be successful is demonstrating that a robust business impact analysis has been done to quantify the impacts of not appropriately investing in security. Also leveraging the work that's done in security to demonstrate that security can support other business functions throughout the organization. As we saw during Covid, for example, a lot of security data was leveraged for standing up crisis management teams for better business planning and identifying what offices can close and what offices need to stay open.
- Rebecca Sherouse, Director of Account Management and Security Advisory at HiveWatch.
2. Connect security to business continuity and prove ROI through material and safety costs to the company
It's an easy sell if it's being driven by a regulatory requirement, where the law says we have to do this. If we can't or don't do whatever this is, then we're going to get in trouble. That's a pretty obvious and easy sort of thing. Some other drivers in the physical security space are loss, protection, and major cost issues that might come up. If you're seeing significant losses from a money standpoint happening because of a physical security issue, that's something that we definitely would have to mitigate. You can put it in dollar terms.
On top of that there's business continuity issues, if there’s a critical business process that might affect revenue generation. For example, everybody's going to want to keep online and physical data secure. And if somebody breaks into that data center, security will help catch that. Maybe they're not going to be able to steal any data, but they can bring business functions down. That's an issue that makes it a little easier to sell. Also safety, threats and executive protection. If there's something that is going to be bringing actual physical harm to people. Those are the kinds of risks that are easier to visualize and conceptualize for a lot of executive decision-makers.
- Cody Wamsley, Associate General Counsel for Security at Coinbase.
3. Build champions in other departments and do the work to have the right questions answered beforehand
The first question that we ask people internally is: What am I solving for? What risk? What issue, what regulatory requirement? Am I replacing something? Do we already have a solution that's just not working? Is there going to be overlap and spend that we're going to have to eat for a while to bring on a new different solution? What are the benefits of that?
And then we really drive people to make sure that they've done their homework, and we hold people accountable to the results of that. It's really important to make sure that you have what I call a package overall, and also working on getting buy-in from other internal influencers. There's obviously the executive team that holds a lot of power and influence over the organization, and they feedback loop things within the organization. And sometimes those right-hand people are more dialed into conversations or things that have been happening. So it's also about making sure that you've worked to say, “Hey, let's align on this purchase, or let's align on XYZ” and then they'll help you tease out where there might be gaps in your thinking, or how you might be trying to present a particular solution, or saying that this is really important to the organization.
- Tiffany E. Buchanan, SVP, Finance at CrowdStrike
4. Tie security in with revenue generation and consider both the owner and customer’s perspectives
The closer you can tie security to revenue and revenue generation the more successful you're going to be. You really have to understand the business, thinking like an owner, and thinking like a customer. So if I'm thinking like the owner of the business, considering what are the things that are creating profit for me and it. Do I need more customers? Do I need to reduce my costs? What is it that I need? And then how can a security solution fit into that? And then, similarly, thinking like a customer. I can tell you that trust is everything, and nobody's going to want to do business with a financial institution that they can't trust. Security is closely related to revenue generation in the financial services space. By having better security, it's easier to sell to customers, and therefore more customers would be willing to come on and provide revenue for the business. If there's a security solution that can increase efficiencies, we've already talked about reducing overall costs and improving profits. Those kinds of things, that's really the golden ticket to getting a solution implemented.
- Cody Wamsley, Associate General Counsel for Security at Coinbase.
5. Communicate scalability in your proposed solutions and consider reputational risk
Another thing that is successful is talking about scalability, and how important the building blocks and a security function are, and the costs associated with having to rip and replace certain security technology and software. When we build security programs, if we don't get the building blocks right, often it costs the organization a significant amount of money to rip and replace that function, whether it be travel, security, workplace lines, prevention, event security, because security touches every facet of the organization. It spans the globe.
In many cases, it’s important to communicate, “Let's do things right at the onset to save ourselves from a lot of heartache in a couple of years,” as well as in organizations where they're growing. Scalability of solutions is a key thing to communicate. We all know the cost of investing in a cheaper solution. Again, whether it be programmatic or technical, and then realizing down the road that it doesn't have the ability to scale with the business.
The last piece that often gets overlooked is the consideration around reputational risk, but also security reputation in general. When stakeholders use benchmarking as a way to communicate the value of investment, that works really well, and resonates with leaders to say, "Here's what our peers in the industry are doing. And here's where I think we need to be." What is the impact, reputationally, if we don't effectively invest in security? How can we benefit, whether it be employee retention, a vibrant security culture at the organization, if we effectively invest in tools that make doing business easier?
- Rebecca Sherouse, Director of Account Management and Security Advisory at HiveWatch.
If you’d like to learn more about how HiveWatch can help you scale your security systems or leverage data for buy-in, request a demo or read about our operating system for physical security.