5 Essential Metrics and Methods to Prove Your Corporate Security Program’s ROI
Business executives are taking a blade to their budgets to stabilize them in today’s challenging economy.
The technology industry is feeling the brunt of the cost-cutting measures. According to the Wall Street Journal, tech giants like Alphabet, Dell, and Meta are cutting an estimated 28,000 jobs combined. Banking behemoths like Goldman Sachs, McKinsey, and PayPal plan on eliminating more than 7,000 jobs this year.
However, according to (ISC)², an international non-profit association for security leaders, cybersecurity teams are the least likely to be affected by layoffs. Their study revealed that 10% of C-Suite leaders, not including CISOs and CIOs, expect reductions in cybersecurity teams, compared to 20% in other areas.
Additionally, 87% of executives surveyed said that reductions in their security teams would increase risks for the organization. The report also reveals that more than half of respondents will prioritize rehiring cybersecurity workers.
While research points to executives seeing corporate security as a business imperative, showing the ROI of a corporate security team on the business’ bottom line remains necessary.
Security industry benchmarks are hard to find. Each organization measures different things. From budgets and access protocols to executive protection and threat response strategies, designing metrics with a one-size-fits-all approach doesn’t work.
1. Measuring time saved
Organizations are creating their own metrics to measure the impact security teams have on the bottom line, and we discussed this with a panel of security leaders at the 2023 Ontic Summit. For example, Alana Forrest, Director of Global Safety and Security at Intuit, measures her team’s influence in time saved.
She reports on the efficiency her team gains instead of cost-savings because security software can be expensive.
“We were able to show the amazing amount of time my team was saving, specifically in GSOC and our risk analysts,” Forrest said. “We went from anywhere from 40% to 90% reduction in time just by going from all this manual craziness to software platforms that really worked for the team that they understood and that they were able to implement right away. And when I showed those data points to my boss and said, ‘This is what your money is saving you in time effort,’ he was like, ‘Oh, wow.’”
2. Sharing cost savings
Reporting on cost savings is another metric, one that a different corporate security leader uses to prove the ROI of his program.
“So when we put in interactive analytic capabilities and time delay, time lock smart devices in that space, those units that we were able to improve, were $164,000 more profitable than the beta units down the street,” Francis D’Addario, Emeritus Faculty Strategic Influence and Innovation at the Security Executive Council, said.
He went on to say that when his CFO asked him for details about the camera and audio devices on the system, he reminded the CFO that those details are not what’s important.
“I said to him, ‘You made a $15,000 investment, and we proved its ROI in the same month,’” D’Addario said.
3. Storytelling to demonstrate impact
Cost-cutting measures are constant for businesses in a global economy. Even so, corporate security leaders are using an age-old tactic to maintain or increase their budgets – storytelling. And it’s working.
Sharing real examples of how the company’s corporate security team responds to crises brings understanding and relatability. For example, Forrest described how she uses storytelling when talking to board members.
“If there’s an event that’s happening anywhere in the country, and if it’s less than 10 employees that might be affected, our GSOC and our threat analysts call those employees, Slack them, or email them to make sure they’re okay,” Forrest said. “I don’t know how many times that story, whether it was the Texas snowstorm a couple of years ago, any tornado, or any sort of wildfire in California when we tell that story to the C-Suite it’s like, ‘Oh my gosh, I didn’t even know you guys did that.’”
4. Tying metrics to a human story
Coupling the human stories with metrics creates a sense of human connection and personal relatability for board members. For example, Eric Boger, Vice President-Solutions Evangelist at Ontic, explains there is an authentic way to share how investing dollars into corporate security initiatives does more than protect the company. It protects employees and their families.
“When [security teams] are asking for investments in technology or team size, we need to note that the investment isn’t just about getting the latest tech, or making the team more efficient, it’s important to capture the human element,” Boger said. “Explain how it will make the whole enterprise safer, or try tying it back to a real life story of someone who was made safer by the capacity unlocked by these investments.”
Bridging between the businesses’ bottom line and emotional connections illustrates another way to tell the story.
“We put a contribution on the bottom line that was north of 200 million in addition to saving management that agonizing meetup at a funeral or a hospital,” D’Addario said. “If you can see the value of that person in a non-number sort of way, you’re going to find yourself going home every night and knowing that you did everything that you could do and having a compelling business reason to be guiding the conversation.”
5. Partnering to build evangelists
Corporate security is becoming more than one department’s responsibility. Groups across an organization are becoming aware of the constant state of insecurity and uncertainty, also known as permacrisis. And security teams are taking advantage of this opportunity to break down communications silos.
As one security leader explains, building partnerships amplifies the team’s wins to the right people in the right places.
“Partnering with different teams, different functions within a company that’s worked out tremendously,” CJ Parson, Head of Global Security Operations for Peloton, said. “Partnerships are essentially going to be your spokespeople. They’re going to speak up to the C-Suite.”
All in all, no silver bullet explains the ROI of corporate security. Yet, leaders can pull several arrows to prove their teams’ impacts on companies’ business objectives.
Metrics like reduction in time and cost savings remain critical proof points. Plus, telling human success stories behind the protection efforts is becoming a valuable method to help board members understand the team’s impact.
Corporate security chiefs are taking control of the situation, too. With few industry-standard benchmarks, leaders create their own benchmarks that show the impact on the bottom line and their employees’ well-being.