Security has long been regarded as a reluctant necessity, a "grudge purchase" made to guard against worst-case scenarios.. A "grudge purchase" often refers to the cost of doing business and something that does not generate revenue. Security gets this label because the first time a business experiences security is as a condition of insurance; a cost of doing business. Therefore, when security providers introduce new products and services, they face a buyer already disinclined toward them. In addition, buyers are often overly positive and suffer from optimism bias, ‘I don’t need more security, it won’t happen to me’. However, given enough time and exposure, many of the risks security providers highlight will occur and bring with them significant operational disruptions, reputational damage, and financial loss.
In a less certain world with new emerging threats, business resilience, the ability of a business to absorb and recover from shocks, is becoming mission critical. Security must present itself as part of the business resilience mix and become part of businesses’ core strategy.
In this article Andrew Tollinton from Sirv and the team at Toro examine security’s grudge purchase label and ask what could be done to change the buyer’s perception of security.
Why Security is Seen as a “Necessary Evil”
Security is often seen as a forced purchase, as part of an insurance policy, a regulatory requirement or as a safeguard against unlikely scenarios. As a result, the buyer begrudgingly signs-off the expense each year. When the accountant queries security expenditure and asks ‘what’s its return on investment?’, most buyers look quizzical and claim it’s a necessary evil. However, in truth the rationale for buying security follows the scientific world’s ‘precautionary principle’: Buyers adopt precautionary measures when evidence about a hazard is uncertain, and the stakes are high. This approach is crucial to security’s business case: Precautions may be successful but showing buyers their effectiveness is very difficult. It’s not easy to evidence a failed force entry or thwarted hostile reconnaissance.
Security as an Enabler, Not a Disabler
Security is often seen as a brake on expansion and innovation. But, in reality, it's a necessary condition for growth. When approached with business aims in mind and presented correctly, it gives business a competitive advantage, supporting digital transformation, enhancing customer trust, and ensuring uninterrupted operations.
Far from being a necessary evil, security allows organisations to pursue opportunities with confidence. Not only does it protect assets it can provide a competitive advantage. For example, Apple’s approach to data privacy has built trust to the point it’s one reason people choose it over rivals. Changing the narrative around security requires moving away from fear-based messaging to one focused on enablement, showing how security supports the mission of the business and its goals and opportunities.
With security spending projected to increase 15%1 year-on-year, it’s important we position security as an enabler for innovation and business growth.
The Cost of Insufficient Security
Incidents such as, ransomware attacks not only disrupt businesses but erode customer trust, with costs far outweighing the price of prevention. Security as part of a wider risk and resilience programme, therefore, safeguards revenue streams by preventing and mitigating risks that could impact core functions.
Effective security aligns with business growth objectives, enabling safe market expansion and innovation. To reshape perceptions, security professionals should emphasise how measures enable opportunities and support revenue generation, rather than focusing on fear-based scenarios that while true, are often not understood and believed until they happen.
Embedding Security into Business Culture
Resilient organisations have security embedded into their culture, making it a shared responsibility. Effective security is not just about compliance or protecting assets but fostering a collaborative approach where every employee understands its importance.
This requires clear communication, regular training, and integrating security into daily operations. When security professionals are treated as partners in achieving strategic objectives, businesses can align values.
Measuring Value Beyond ROI
To demonstrate security’s value, organisations should look beyond traditional ROI metrics. Metrics such as incident response times and resilience against disruptions can highlight security’s role in supporting business goals.
Change communication: From Insurance to Assurance
Key to successfully reshaping the perception of security is framing it beyond insurance to assurance. Something that proactively prevents risks and ensures smooth operations. In this context, security can better help a business to manage risks.This will help reframe security from a necessary evil to a necessary good and an important business asset.
The Path Forward
In a follow up article we explain how reframing security will take it from a grudge purchase to an enabler for business growth and success. This can be viewed here.