by Kai Toker

Boards and Security – The On-Off Relationship and Breaking the Cycle

70000. This is the approximate global total of people laid-off from major tech firms following the world economic crisis. Other firms across the private sector have faced similar challenges and will inherently inflate this total. Professionals of varying disciplines in the corporate security sector have been some of the hardest hit by these events. However, this blog isn't about the unfortunate circumstances these people find themselves in. This significant figure and the event itself represent the surface of a broader hidden threat to the security industry. Unseen, behind this number, is the emerging risk of internal cuts to departmental budgets combined with the loss of talent and expertise.

It is well known in the corporate security world that when times get tough one of the first targets for budget cuts is security. In the short term, this seems a totally rational approach for the simple reason that security is generally a cost to companies, the value of which is very difficult to metricise, quantify and justify. All until the time comes, and it will come, when inevitably:

  • an unidentified threat…
    • becomes an unmitigated risk…
      • that becomes an under-resourced crisis…
        • which has a major impact on the business.


The impact point is when the Board literally feels the absent value of a well embedded security capability and is likely forced to re-evaluate its earlier budgeting decision. And so, the cycle of the on-off relationship continues.

Most corporate security efforts focus on pre-emption, deterrence, and mitigation. So if nothing bad happens, it’s either luck or chances are it’s down to a job well done by the security talent. This simplest of performance indicators is the double-edged sword that leads to company complacency and the perception of the value of security begins to wane. Particularly in hard economic climates.

Breaking the cycle is not easy and there is no silver bullet, but there are ways.

Sell. Sell. Sell. Security professionals tend to steer away from selling, despite this generally being the love language of the Board. However, security professionals need to learn fast. Victimising ourselves as security professionals because we are at the behest of the Board is no use. No longer can security professionals just implement standard security capabilities and processes – they need to innovate. Making yourself sellable, and even indispensable, calls for the necessity to break the cycle by targeting what the Board specifically needs. This requires engagement, education (on both sides), but more importantly a vision that slots in seamlessly to the business strategy that makes security vital to the company’s survival.

Empathy - an underestimated skill in corporate security. What is it that’s within your control to help the relationship with the Board grow? How do you leverage the business intelligence you have acquired to put in place interventions that embed your value? Security needs to court the board by understanding what keeps them awake at night and demonstrating how security can ease those concerns. Normally those concerns come in the form of keeping the business profitable and share prices up, but there are offshoots of this security can grasp. Perhaps they are worried about meeting auditing obligations, stabilising business operations in developing regions, protecting their Intellectual Property, reputational risks, or meeting public sector client standards. These are just a few examples that can potentially hit those profits and share prices which fit comfortably in the security domain. Yet the board may not quite realise how security can play a pivotal role in supporting them. Security needs to embed the realisation that they are not just a cost to the business, but an indispensable revenue enabler (or even the unattainable north star of a revenue generator).

None of this easy and much depends on the type of business being represented, but it is possible. To the untrained board member, security are those stuffy guys that give out access cards and guard the front desk. clearly this is far from the case, and innovation prevails in the sector. Just like all non-security professionals the Board needs showing that Security is so much more. Setting out the risks of not having adequate security is important but identifying security as a business enabler is way more effective method. Security can help manage and mitigate reputational damage. It can protect globally travelling sales teams and to help expand markets. It can do the heavy lift on compliance requirements and meet auditable standards expected by clients and customers. It can protect the company from external nefarious actors and can identify those intent on doing damage from within. The state of a company's security presence is important for optics by showing customers and staff members alike the value placed on protecting them and their information - so much so that you are willing to have a world class service in place to do so. The more you innovate and relate to your Board the more likelihood there is to evolve into an indispensable part of the system. This mitigates the risk and breaks the cycle of the on-off relationship.