Home » Security Leadership » Metrics/Budgets

Build Business Cases Like Steel Pistons!

December 01, 2004 — CSO — Bob Hayes, the former security chief for 3M and Georgia-Pacific who now hangs his hat at this magazine, likes to joke that if you don't have good numbers to back up your security program, you'd better get a good tailor. He's got a point. That starch in your crisp white collar can only hold up so much. If you really want to make a good impression, you've gotta muscle in with some numbers. We're talking metrics, babyproof positive that your security program can do the heavy lifting that's required.

To help, we've compiled some dos and don'ts for using numbers to make a case for security, from finding the right metrics to dressing them up real pretty. Here's to getting it all into shape.1| DO Make the most of what you've gotFeel like you don't have much to begin with? Don't despair. It's not just what you've got, as they say, but how you work it.

Suppose, for instance, that half a million dollars' worth of products gets stolen on the way to customers each year. In the greater scheme of things, other executives might not care much about $500,000 worth of goods. (They can send the cash our way if they think it's such small change.) But if you point out that the company has invested hundreds of millions of dollars in its supply chain and that customers aren't getting their orders on time for security reasons, "that kind of talk will get people very interested and concerned," says David Saenz, vice president of worldwide security at Levi Strauss & Co.

"Look at where the organization is going, and see how your work contributes to that, and then link your priorities and service to those jobs," Saenz adds. In other words, good numbers are all about business context.

You might already have more useful numbers than you think. Rate data is one place to start. What did you spend last year per employee on security? Per computer on information security? Per square foot on guards? And what will you spend next year? It's all about finding good metrics within your reams of data.2| DON'T Ignore where you startedWhenever you decide to undertake a significant project, do whatever you can to establish a baseline first. It's like knowing how much you can bench-press on your first day at the gym.

Here's the kind of example you probably dream of. A few years back, Saenz's group decided to act on a businesswide goal of reducing counterfeiting in key markets. The first step was finding out exactly what market share belonged to counterfeit products in China, Italy and the Philippines. The company hired a marketing firm to conduct a survey, and it turned out that 40 percent of the market share was counterfeit Levis, while genuine Levis had only 9 percent of the market share (which still ranked it first among genuine brands). Saenz's group started filing lawsuits against sellers and working with local officials to seize counterfeit goods; over the course of a few years, he was able to show that the counterfeit market share dropped to 15 percent and Levi's genuine market share rose to 12 percent.