Hewlett-Packard Features Enterprise Resilience
Turning security costs into business advantages
November 30, 2007
Regulation may be the driving force behind much security spending today, but security investments can also contribute to business goals, reputation, stock price and the bottom line.
We’ve all read the horror stories of millions in lost productivity, ruined reputations and other consequences of poor IT security. But, just as photos of diseased lungs don’t deter many smokers, scare talk only goes so far in motivating businesses to spend more than a minimum on security measures.
That’s because companies see security as a burden, one that doesn’t necessarily contribute to the bottom line. “Companies tend to look at the direct benefits,” while overlooking the business benefits of security measures, says Dr. Barchi Gillai, director of research for the Stanford Global Supply Chain Management Forum at Stanford University. Since security’s direct benefits consist largely of preventing negative consequences—fines from regulators, lawsuits from customers and partners, or bottom-line losses due to downtime or supply chain disruption—it can be hard to see how good security can advance business goals.
Studies by industry groups and academics are beginning to suggest, however, that security measures can bring positive benefits to businesses. That’s especially true when security becomes integral to enterprise risk management and resilience, according to Debra van Opstal, senior vice president at the Council on Competitiveness and author of a report on enterprise resilience. “When security is integrated across the business organization, there are direct financial benefits: streamlined processes, elimination of unnecessary redundancy, improved productivity and often lower insurance premiums,” van Opstal says.
For example, Gillai and her Stanford team recently studied a handful of companies innovating in supply chain security and found that nearly all reported their investments had provided tangible business benefits, including
- improved inventory management (14 percent reduction in excess inventory, 12 percent increase in on-time deliveries);
- speed improvements (29 percent reduction in transit times, 28 percent reduction in delivery time windows);
- better supply chain visibility (30 percent increase in timeliness of shipping data); and
- improved product safety (38 percent reduction in theft/loss, 37 percent reduction in tampering), among others.
Some companies even turn their security measures into profit centers, according to the Council on Competitiveness study. For example, following a break-in at a landfill, one North American waste management company invested in high-tech security systems, using smart video monitoring, GPS tracking and alarms. It now sells secured services to small and midsize companies who find it more efficient than setting up their own monitoring centers for “witnessed and certified” product destruction and other safety-sensitive needs. The project’s year-over-year productivity and financial return increased from $490,000 in 2004 to more than $5 million in 2006, according to the report. In addition, a chemical sector company sells its open source software system for integrating safety, health and security information, and some financial services firms actively market security products and processes to peers, the report also notes.
Brand, Reputation and Trustworthiness Impacts
It’s clear that a company’s brand, trustworthiness and reputation can be impacted negatively by a security breach. A 2006 CMO (chief marketing officer) Council study found that nearly half of business executives and more than half of consumers polled said they would consider taking their business elsewhere in such circumstances. In addition, an Emory Marketing Institute report cites two studies that found on average a firm can lose from 0.63 percent to 2.1 percent value in stock price when a security breach is reported. (That’s equivalent to a loss in market capitalization values of $0.86 to $1.65 billion per breach, the studies say.)
Still, publicizing and branding high security efforts remains little exploited, found the CMO Council study. While nearly 60 percent of CMO Council members see good security as a marketable asset, about the same portion say their companies haven’t tapped it.
The companies most aggressively marketing their security measures today are those that have been hardest hit by breaches, according to Greg Thomas, director of research at the Emory Marketing Institute, a collaborative research group at Emory University’s Goizueta Business School and author of a portion of the CMO Council’s brand trust study. “ChoicePoint is a good example of a turnaround,” he says. “They had a breach of their data and now are advocates for security,” hosting a special Web site on privacy and highlighting security in consumer interactions.
Publicizing good security might counteract (or at least soften) the blow of a subsequent security failure, the study suggests. The Emory study found that security is integral to brand trust. And, brand trust “leads to greater customer empathy and, therefore, a willingness to accept a business error, including a security breach,” the CMO Council report summarizes. In fact, 63 percent of participants in the Stanford study reported increased customer satisfaction and half observed higher customer confidence related to security initiatives. In addition, 25 percent saw reduced customer attrition and 13 percent reported an increase in new customers.
How Do They Do It?
There’s no simple recipe for making security investments pay off in business dividends. In fact, experts say that not every security investment can. However, Gillai noted that the organizations she studied shared some characteristics (and programs) that might offer clues to their success:
- Security innovators make significant investments in security (beyond the minimum required by law).
- They are aware of the value (both direct and collateral) that security investments can bring to their organizations.
- Some have special security teams that are in charge of identifying vulnerabilities and determining ways to address them.
- Some have processes to determine the potential business value of security-related (as well as other) initiatives.
The Council on Competitiveness urges companies to integrate security into their business planning, rather than viewing it as a necessary evil “bolted on” after the fact. Twenty years ago, “business leaders thought that quality was a luxury they couldn’t afford until the Japanese demonstrated that building quality into processes and production, rather than inspecting out the rejects, was a better formula for success,” a Council study remarks. Likewise, in a world of increasing global interdependence and risk, companies must also learn to build in security from the bottom up.
Contact:
Lisa Hanna
T 202 383 9507
F 202 682 5150
lhanna@compete.org

