Q&A: How to Build a Better Business Case
Security applications and endpoints generate massive amounts of data, from alarm incidents to network analysis to video analytics and more. The use cases for this data seem endless, but the sheer volume of data isn’t always the best metric. To get support for new programs, security leaders need to do their homework to devise the best possible presentation for executives.
Mohammed Atif Shehzad, managing director, founder, and co-owner of security consulting firm Atriade, spoke with Security Management about how to build better master plans for security projects, how to connect with the C-suite, and how analytics can support a business case.
An excerpt of the conversation, edited for length and clarity, is available below.
What are some of the solutions your end user clients and partners are currently asking for, particularly around analytics and big data?
MS. It varies a little bit from end user to end user. Safety seems to be always top of mind. It’s interesting that while the focus is on security, executives are much more concerned about safety situations. So if a fire or an active shooter or an active threat incident happens, they want to know how many people are affected and where they are. And that’s where technology and data can come in. Can I use RFID tagging? Can I use wireless and Bluetooth tagging, or can I use facial recognition? Or should I just use more conventional methods like anti-passback or mustering outside? So that's one area where big data and data analytics get a lot of traction.
The biggest pain point I see is device management. Especially as the Internet of Things (IoT) changes building management, people are constantly telling us they don’t know the lifecycle of devices, they don’t know the maintenance cycle or when that particular device or piece of software was installed. If I don’t know the age of my cameras and their maintenance history, how do I know when they’re going to fail? And if they fail, then I haven’t created a funding stream, which I now have to talk about with my executive leadership for approval. It’s not proactive.
What sort of elements go into master planning from a security lens? What should a CSO or security end user have prepared to help inform this process?
MS. As much information as they can have on the current state and their needs. We always tell our clients: don’t be shy, don’t worry how bad it is or how good it is. Tell us everything. How do you operate? What are the operational pain points? Then we’re going to talk to not just the CSO, not just a security director or administrator—we want to talk to the guard. We want to talk to a security officer at the reception desk. We may even want to talk to some of your nonsecurity entities. We want to focus on establishing what is your current state of operations, and then evaluate technology and devices. That is really what helps us recommend or put together a master plan.
We have walked into end user environments where they are asking for turnstiles because they’re inundated with people in that area, only to find out that their signage is bad. All they need to do is create a $50 sign. We had one end user with signage that was developed the right way, but it was pointing in the wrong direction. And that caused 50 percent of unauthorized traffic on the campus. They were looking for a security solution, but there was no security technology issue there. We wouldn’t know that if we hadn’t sat down and asked them to explain what exactly they were dealing with and how they were trying to solve it. A current state of operations is very important.
The second most important thing in more complex environments nowadays is the C-suite. How do they communicate with you? How do they communicate about your needs? How do they communicate with you on funding? When we want to go in front of a CFO, president, or CEO and present a security master plan, we spend about two weeks to a month preparing for that person. What is it that they like to hear? What are their concerns? What’s important and relevant to them? What type of business case do they focus on?
You can create the greatest master plan, but if your C-suite is focused on a different priority, it’s not going to succeed.
What are some common approaches to how you present data to the C-suite? How does it vary depending on which executive you’re briefing?
MS. The best way to gauge that is a series of questions and discovery, but also having enough data points.
We also found success if we don’t go straight from the security director all the way to the CFO with a plan. Maybe go one or two steps in between and validate the approach you chose. People who are closer to the executives tend to know more and have a broader understanding of their priorities. In one particular end user’s case, we met with the executive’s assistant and essentially presented to her what we were going to propose. This assistant really knows the executive very well; she’s her right-hand person. So we went to her first and said, “We want to present this to your boss. What are the things that are important to her?”
It’s a series of questions. It’s not just assuming one lens, but looking at different perspectives, listening to different people in management, because then you start to pick up pieces of intelligence—not all executives are going to be really focused on security. This particular executive wants to understand risk, or that particular executive wants to understand costs. And you may not get that understanding from asking just one person. You may have to talk to multiple people to figure out what to emphasize.
What sort of metrics can end users leverage when they are presenting to the C-suite?
MS. Quantify risk instead of being subjective. In one case, when preparing for a presentation on securing a new building, it became clear that this particular executive was interested in two metrics: user experience in the building and what other organizations of similar scale or size were doing.
At that point we developed the presentation to talk about the proposal, but we very heavily focused on the visual data of what the security journey would look like. Once you visualize a security journey of an employee, visitor, or contractor into your space, it makes it so much easier for people to understand.
The second thing that we did was conduct and present a very detailed benchmarking of organizations similar to this end user’s. And it wasn’t all about the number of cameras. We went much more granular than that. Where are they installing cameras? Where are they installing card readers? What type of sensors are they using?
Another end user’s executive did not care about benchmarks. Her focus was risk. How are you going to solve this risk for my organization? Have incidents happened in our offices? How do you know? What was the severity of those incidents? That was the data she was looking for. How is this million-dollar project going to solve any of that?
We went back and looked at all the incident logs for the whole year, identified locations, and created a heat map. We showed her what the current security profile looks like and what value the company is getting out of the current security coverage based on incidents. Then we showed if they do these new measures, coverage of these incidents will increase from X percent to Y percent.
You wouldn’t know to research that if you didn’t have a series of conversations as to what’s important to the audience. What I always recommend to our end users and security directors is have the data and then understand your organization’s culture and what stakeholders find relevant in terms of risk and safety. Then support your case against those priorities.
What sort of actionable analytics have you seen collected in the field that can be useful in supporting that business case?
MS. Collecting alarm data has been useful. Network traffic data is very useful these days for business cases, especially when working with IT. Privacy data is very useful. One of the big concerns that is starting to emerge is whether any type of new technology is going to encroach on the user’s privacy. So collecting what type of data the systems are transmitting is critical.
Now on the other side, new analytical access control tools are coming out, so they detect if I attempt my badge five times on this door or if I am connected with the facial recognition camera and five people are going through the door with me. I think that is going to be useful because then you don’t have to put a guard out there at the door for 30 days to get a picture of behavior. You can collect that data a lot easier and faster. That is going to be very helpful.
Most CSOs seem to want to know that my intellectual property is preserved, my reputational risk is preserved, and that what I’m paying for is going to solve a tangible problem.
That's the key. It’s not about money, it’s about giving them the right business case.