Whitepaper

Guide to Proving the ROI of Operational Security

Noggin

Security Management Software

Updated August 1, 2023

Security leaders out of the loop

This is an era of elevated security risk. Catalyzed by the pandemic, the cyber threat, in particular, is at an all-time high. 

Remote workers are using less secure networks. Organizations don’t always have the resources to monitor the activities of employees and contractors who have access to sensitive data. Oftentimes, the family members of employees are even using work devices [i].

Add to the mix: security leaders, tasked with running security operations, are facing unique challenges of their own – challenges that are seriously compromising their ability to function effectively.

What’s going on?

According to survey data from the Ponemon Institute, only seven per cent of security leaders report directly to the CEO [ii]. That’s even with three in five respondents saying that they should report directly to the top to increase awareness of security issues throughout the organization. 

As a result, nearly two in three security leaders cite insufficient budget to invest in the right technologies. More than half of polled security leaders believe they lack executive support.

They are right; security leaders are being kept out of the loop.

CEOs, intentionally or not, don’t see their security deputies as stewards of overarching business goals. They often consider the security program itself as an administrative burden rather than a value-adding function.

What can security leaders do to change the calculus?

Talking ROI to senior management

Security leaders, for their part, will have to step up. 

That will entail developing comprehensive knowledge of the business objectives that are most important to the top brass and the board of directors. Don’t know what those objectives are? Start asking around.

In a publicly traded company, financial statements to federal regulators often yield the important information.

If you already know what the top business objectives are at your organization, you will need to start demonstrating that knowledge to the people that matter.

How to go about it?

You can start by aligning the priorities of the security function with the wider goals of the organization. To do so, marshal the metrics that will help prove the ROI of your security investments through the same lens as larger business goals.

Such metrics can include any of the following:

  • Time savings
  • Cost savings
  • Improved time to detection
  • Improved time to response
  • Improved compliance
  • Reduced security risk
  • Reduced reputational risk

Making the operational security program a value-added investment

Indeed, time and cost savings are likely already on your radar. However, CEOs often need to hear what the time and cost you save can be re-invested in. 

Here, security leaders will need to demonstrate that savings on the organization’s time and resources can be pumped back into value-added tasks. 

What’s more, security leaders will also need to put a price tag on security breaches – whether cyber, physical, or a combination of the two – and be able to tie the cost of such a breach with the security solutions in place (or proposed) to address the threat and reduce future risk. 

Don’t neglect compliance in the process. More and more jurisdictions are covered by data privacy arrangements, with the General Data Protection Regulation (GDPR) and California Consumer Privacy Act being two of the best examples. 

These frameworks put a high price tag on non-compliance. For instance, GDPR infractions can result in fines in the hundreds of thousands, even millions. The relevant infractions don’t just include failure to stop data breaches either but also failure to notify affected parties in a certain time frame.

ROI-focused investments in security management technology

It’s not all doom and gloom for security leaders, though. More than ever, top executives understand the escalating risk of security incidents. And fewer executives are likely to think that security incidents won’t happen at their organization.

Security leaders, however, must still add valuable context to these increasing threat levels. The take-off in remote work, for one, has created serious vulnerabilities, as reported to researchers [iii].

Physical infrastructure is also under threat, with the staggering increase in civil unrest – a 244 per cent increase over the last decade, according to the 2021 Global Peace Index [iv].

The name of the game, though, is getting the right operational security tools to help you achieve your goals. Those tools, including software platforms, need to perform two key functions:

  • Improve the organization’s security profile
  • Enable you to measure and communicate relevant metrics to senior stakeholders

The two functions go hand in hand. You’re liable to get more program funding (to improve security) once you can demonstrate that the investments you have already made are beneficial to the organization and align with larger company goals.

Certain capabilities will allow you to do both. And so, when going on the market, consider the following:

Collects information from across the organisation.

Digital solutions should enable the capturing and documenting of all aspects of a given corporate security incident. There should also be a consolidated, streamlined process in place, whereby those incidents are reported – preferably via mobile-optimised software applications that empower all security personnel to report incidents (including near misses) as often as possible. 

Functionality to look out for includes:

  • Real-time analytics. Pre-configured analytics templates to communicate real time security insights to any stakeholder in the organisation or the ability to build on best-practice templates to create your own.
  • Automated reporting. Automated reports to be sent periodically to chosen stakeholders or best-practice templates built to your own specifications to meet unique requirements.
  • Create and share custom reports. Custom reports easily created, driving better understanding of your operations.

What’s the thinking, here?

Capturing and reporting more incidents serves to increase visibility and line of sight for senior leadership – the latter preferably facilitated via seamless notification processes. 

That way, higher-ups will begin to appreciate the ROI of the corporate security operation.

Personnel decisions can then be more easily justified, with clear data that shows where, when, and how incidents are happening and how teams are responding to and investigating those incidents thoroughly – however rare. 

Quantifies the impact of incidents on the organisation

Digitising security incident data is one thing. Leveraging that data once in a digitised format to quantify the impact of incidents, particularly when multiple, related investigations are happening simultaneously, is quite another. 

Why does it matter? As the security threat grows, organisations, particularly those in higher-density facilities, are likely to see a larger number of incidents. Responding to these threats effectively is also likely to involve third parties. 

Further, increased security caseloads mean triaging those that do come in via centralized reporting. That way teams can track and manage action items that emerge from analysis. Chain of custody might also need to be secured to show proper collection and handling. 

This entails effective digital case management. Data users can then more efficiently interact with the wider environment of information, resources, and services to make quicker, data-driven decisions throughout the life cycle of an investigation.

The result: detailed investigations, which better track losses and recoveries as well as provide more information to law enforcement, mitigating the severity of future incidents.

How to get there? Well, for investigative work, access to digital technologies with configurable workflows is key. 

Those workflows automate key facets of unpredictable work to increase visibility into complex operations, improve collaboration, and facilitate better stakeholder engagement. 

Intuitive user interface and experience (UI and UX) also cater to the varying demographics and technology skill levels of investigators and their supervisors. Access to these other digital case management platform capabilities is also important:

  • Business process management via key business workflows, to help automate and optimise business processes, making them easier to track and measure (See more below).
  • Data capture via digitised forms, to eliminate human error associated with manual data entry, while also lowering cost and time outlays. Data that’s input digitally can be extracted within the same flexible system, as well, making it easier to retrieve relevant information. 
  • Information management, to provide real-time situational awareness of an ongoing case, with security controls limiting visibility of sensitive information.
  • Compliance management, to ensure an auditable trail of evidence and communications, in compliance with regulatory requirements. 
  • In-system communication (e.g., chat, e-mail, case notes, etc.), to facilitate collaboration, while the communications themselves remain centralised and accessible.

Focus on digital case management capabilities for security operations 

To get the best ROI, the following operational processes should be supported by digital workflows:

  • Triage of referrals, claim requests, and complaints to prioritize work
  • Automate case creation, review processes, and user notifications following pre-defined workflow rules to reduce unnecessary human intervention
  • Track case lifecycles at any time
  • Create high-quality digital forms
  • Upload and centralize documents from all external and internal sources, regardless of the format
  • Create and record tasks, case notes, meeting notes, conversations, and more
  • Create shareable outputs
  • Get notified when processes are going off track 
  • Dashboards to track team performance analytics, e.g.,
    – Security clearance, e.g., number of cases by vetting officer, number of cases by priority by stage, cases completed by month
    – Security investigations, e.g., number of referrals by month, number of complaints by month, number of open cases by case manager, active investigations by investigator
    – Parties of interest. Number of parties by type, number of related incidents by POI, number of related incidents by organization of interest, number of related incidents by vehicle of interest

Reduces the frequency and severity of incidents by optimising resources

Beyond digital case management for corporate security operations, the best ROI will come from taking root-cause data to highlight areas of improvement and improve emergency response times. The relevant data can also be leveraged to implement proactive measures in alignment with larger organizational objectives.

What would the proposed investment look like? In-system dashboards designed to suit diverse types of law enforcement/investigative work. All system users get easy access to the information most relevant to their responsibilities in a single-source-of-truth platform where they can efficiently complete their tasks. 

For law enforcement investigations, specifically, potential use cases serviced include:

  • Security clearance. Particularly valuable when vetting is subcontracted out, digital case management software provides a centralized location for collected information, which might need to be reviewed for audit purposes. 
  • Security investigations. In addition to law enforcement agencies, customer-facing organizations, like retailers, might need to conduct security investigations, either based on internal referrals or client complaints. 

    Once submitted, those referrals and complaints might go to a triage officer who will determine whether they become official cases to be investigated further. Should they, the officer will need digital tools to send communications, add tasks and documents (including photos, videos, witness statements, etc.), as well as log updates.

    Several concurrent investigations might also spin off from the same case, which digital case management technologies better help clarify. In their absence, relevant documents would instead be scattered across multiple systems (e.g., CCTV footage) rather than collated and available in a centralized location. 

  • Parties of interest. Digital case management technology provides registries of persons, organizations, or even vehicles of interest. Instead of manually capturing and updating information, these platforms capture details, such as gender, ethnicity, eye color, height, hair color, distinguishing features, build, age group, weight, or details, like license plate information, brand, model, photos, as well as information about authorities and affiliates.

    Other law enforcement cases, including offender management, might be approached similarly to POI investigations. An enforcement officer might have a given order, such as extended supervision or continuing detention. 

    Right now, those orders might be managed manually, which means expiration dates won’t be flagged dynamically. A digital case management platform, on the other hand, will make relevant information more accessible for case managers and executives.

Integrates with Work Safety

Corporate security doesn’t exist in a vacuum, either. Even the best-trained and equipped programs are only as good as the teams working around them. 

Security incidents themselves typically cross domains, often falling under the purview of Work Safety and the Emergency Operations Centre (EOC), as well. 

Getting alignment with these teams not only improves early warning detection capabilities but also helps with conducting varied activities in a uniform, consistent manner.

Why isn’t that possible with a siloed approach to corporate security?

Well, that approach typically involves standalone systems. However powerful, these systems are likely to have been implemented at different times, by different teams following different directives. As such, they don’t communicate well with each other – if at all.

A poor investment of company resources, non-interoperable systems are likeliest to exist between safety and security, where disparate safety and security management systems (often locked apart from each other) aren’t set up to share relevant information, despite the demonstrated fact that security threats cascade into safety incidents (and vice versa). 

The result: these technologies don’t provide a cohesive means of viewing all relevant incident information, let alone making sense of it. The organization that made a generous upfront investment in proactive protective security strategies and structures will still run the risk of ROI-depleting duplications and redundancies. 

Those slow down incident response.

What can be done, instead, to improve ROI? 

Here, integrated operational security management platforms cut down on the overhead (cost and personnel-wise) of ensuring that separate point solutions keep communicating with each other. In addition to improving collaboration with Safety to neutralize common threats, these technologies improve access to operational, non-incident data, so often crucial in predicting future security incidents.

Too often, that data, e.g., intelligence on non-obvious threats or other incident causes that are not apparent to human analysts, isn’t in the traditional bailiwick of corporate security.

However, better ROI comes from having the capabilities to synthesize cross-domain data from multiple sources, including from the public. Here, the following tools come in handy:

  • Gather reports from the public. Public forms enable anyone to report incidents, tip-offs, observations, and hazards directly into the system before applying a workflow to automate triage, notifications, investigations, and action close-out reminders.
  • Manage operational activities. Shifts managed using real-time dashboards. Dashboards pull together all incidents, breaches, alarms, observations, dispatches, and patrols into one place, enabling security dispatchers to dynamically manage and log shift occurrences.
  • Centralize information from external data sources. Information is pulled in from external data sources including live weather events and news feeds as well as integrated with CCTV and access control systems to enhance situational awareness for the entire security team, on any device.

Finally, the security threat has never been higher – across multiple vectors. Nevertheless, security leaders haven’t secured the seat at the table that their responsibilities demand.

Doing so won’t be easy. Security officials, for their part, will have to couch investment priorities in the language of larger business objectives. 

The work must be done, though. Investments, including operational security software platforms like Noggin, are invaluable. 

Approached thoughtfully and implemented efficiently, such ROI-enhancing products can help improve your organization’s security profile while enabling the team to measure and communicate relevant metrics to senior stakeholders.

Sources

i. Business Wire: 93% of Security Leaders Do Not Report to the CEO, According to New Research From LogRhythm. Available at https://www.businesswire.com/news/home/20210622005029/en/93-of-Security-Leaders-Do-Not-Report-to-the-CEO-According-to-New-Research-From-LogRhythm.

ii. Ibid. 

iii. Luke Irwin, IT Governance: The cyber security risks of working from home. Available at https://www.itgovernance.co.uk/blog/the-cyber-security-risks-of-working-from-home.

v. Karin Strohecker, Reuters: Analysis: Pandemics & protests: Unrest grips developing countries. Available at https://www.reuters.com/world/pandemics-protests-unrest-grips-developing-countries-2021-07-28/.