Proven Methods for the Quiet Security Professional To Own Their Narrative

Hear from Ontic Co-Founder, Tom Kopecky, and President of Exlog Global, George Taylor, on how security leaders can articulate the bigger picture to the rest of the business.

Having worked with many men and women in the security profession who have dedicated their entire careers to keeping others safe, a common theme emerges when discussing what drives them – and that is never-ending sacrifice. Whether coming from the military, law enforcement, government, or private security/intelligence services, these professionals often commit themselves to a task or mission without regard for the personal or professional toll it may cost in the long term.

Many endure tumultuous schedules involving frequent travel and minimal time off, sacrificing their well-being and relationships for the job’s demands. Ask most people in our industry what vacation they just returned from, and most of the time, you just hear crickets – it almost never happens. 

Backing this up, a survey by Security Magazine revealed that 90% of security professionals admit that they work on vacation, while 32% claim that they have their lives interrupted by work every single evening. It’s also interesting to look at the statistics and see that almost 20% stated that they dedicate at least one full unpaid workday to their company every single week. Why do they do it? Almost half of those surveyed responded that it was due to loyalty to the company.

Despite recognizing the need for change, breaking this cycle isn’t that simple. While dedication and humility are valued, failing to assertively communicate your and your team’s value to the business will lead you… nowhere. Accomplishing this takes a three-fold approach:

Speak effectively to the ‘business of security’

Track and report on metrics that matter

Flip the dialogue, and start owning the narrative with a level of urgency 

Speaking the ‘Business of Security’

As many have learned the hard way, transitioning into the corporate security environment requires one to start speaking a new language: the “business of security.” This is where your sacrifice and quiet professionalism can derail your best efforts. Surprisingly, your heads-down, hard-working approach has created a harmful byproduct: Many people don’t actually know what you do, and the quality of your work doesn’t always speak for itself. You need to talk about your work in a way that other people can relate to. 

You are often interacting with people who know very little about your department and how it can drive value to other areas of the business. “Knowing how to interpret, contextualize, and communicate the information around us is crucial to keeping others informed of impending risks,” says George Taylor, President of Exlog Global. He adds, “It’s often shared without factoring in who is on the receiving end.”

People occasionally assume that if no threats impact the business, security must be performing well. The reality is that if nothing happens, stakeholders often perceive that security is less relevant to the business, potentially leading to budget cuts. Security often is commingled into non-critical expenses of an organization, and the team’s footprint (i.e., budget) can be reduced.

Unfortunately, security teams usually do a mediocre job when it comes to educating stakeholders on their impact and the value they drive to the business. By neglecting to present metrics and victories to leadership, you could inadvertently ensure that your team is seen as a cost center in a spreadsheet that a disinterested financial analyst is reviewing. Current economic headwinds only exacerbate this problem.

Tracking the Right Metrics

Communicating effectively with stakeholders means tracking the metrics that matter most to the business. This may depend on the company’s vertical, leadership priorities, culture, and other factors. Beyond spotlighting what security is doing behind the scenes, we need to properly communicate how effective that work is: What did it solve for? What did we stop from happening? What risks were detected, disrupted, and mitigated due to our team’s relentless efforts? 

Reporting should encompass both performance AND effectiveness metrics. A crawl, walk, run approach is important because, over time, teams can generate more advanced insights that include the impact of a threat vs. likelihood. Also, tangible, transparent metrics are more likely to be understood and viewed as credible when risk reports are reviewed. Below are examples of how both performance and effectiveness are measured:

Measurement of Performance = The work the team does

  • Volume of threat signals proactively detected by the team as well as those that were passively received
  • Volume of Incidents observed, recorded, and triaged
  • Number of Investigations and/or assessments conducted
  • Number of BOLO Reports generated/shared with other teams

Measurement of Effectiveness = The outcome that can be quantified

  • Number of legitimate threats detected, triaged, and mitigated
  • Number of Persons of Interest (POIs) detected and added to your database
  • Reduction in time to close (investigative efficiencies)
  • Operational business efficiencies (time saved)
  • ROI – can you adequately quantify your mitigation efforts in dollars
  • Insights gained, enterprise-wide – How do your efforts impact other areas of the business?

It’s important to remember that just being busier does not mean that we are more productive or effective. We need to learn this sooner than later so that we can pivot and execute on what matters most. George Taylor of Exlog states, “Establishing a well-understood risk profile is critical. Monitoring risk is what drives action so that all efforts are aligned, measurable, and effective, we can’t simply be busy for the sake of doing something.”

Flipping the Dialogue 

Consider some of the key phrases security professionals use when talking about the need to demonstrate value. We hear things such as ‘Let’s get a seat at the table’ or “We want to be recognized as trusted advisors.’  We know we need to have better operational influence, and at the core, we also know that business units don’t always understand our usefulness. We once relied on our expertise, hard work, and reputation to speak for itself but in our current roles, clear communication is essential.

The cost/benefit of security is one of the most difficult formulas to communicate to an audience. But now more than ever, we must showcase our quiet efforts, our key wins, and better convey how we contribute to the business ecosystem. We need to articulate what life would look like without the right team in place. Most of the time, only a very serious and compelling event will generate buy-in from senior leadership, potentially resulting in headcount or budget approvals. We can’t afford to wait for the next compelling event to win over senior leadership.

Final Thoughts

In the end, it’s not just about sharing data. It’s about articulating the bigger picture and speaking to teams in a way they understand – a common operating language. Whether you’re speaking to legal, finance, or safety departments, tailor your message to resonate with their priorities. We can’t get distracted by small data points that don’t make sense to the recipient. Using this approach, your team gains recognition and validation, and you will help document your impact on the organization.

Now is the time to turn up the volume and recognize the often-unseen sacrifices and successes of security leaders. We can’t assume our work will speak for itself. We must embrace the habit of showcasing our victories – both big and small. There is no other way to ensure that the people around us will know the invaluable role we play in the success of the business. 

Written by: Thomas Kopecky, Co-Founder and Board Member, Ontic and George Taylor, President, Exlog Global

Download Now

How to Prove the Value of Corporate Security

Tom Kopecky