F.U.D is dead

Raghu Raman
8 min read · Oct 9, 2019

Security and Risk functions need to become revenue oriented!

Over the last two decades, Fear, Uncertainty and Doubt (or FUD, as it is referred to in the trade) have been the driving force behind risk and security management projects.

It typically goes like this. A security-related incident, such as a hack, a fraud, a physical breach or a fatal accident, captures the attention of senior management and an ‘assessment’ is sought.

Typically, a specialised team carries out a ‘risk assessment’, painting possible (and often wildly alarming) scenarios and their consequences for the company. Then, using some sort of financial modelling, the assessors try to arrive at a monetary cost for each threat, were it to manifest. The purported intention of the resulting risk assessment report is to aid leaders in strategic risk management. In reality, it becomes a lobbying forum where various groups, both internal and external to the organisation, advocate their own agendas, leveraging the time-tested troika of risk assessment: Fear, Uncertainty and Doubt.

For a long time, security professionals have cited anecdotal evidence and horror stories to advocate investment in risk management technology across the gamut of areas such as cyber security, physical security, technologies like facial recognition, biometrics and CCTV surveillance, and even armed response provided by the state to critical infrastructure and private companies. They do it because it works!

Empirical data on social behaviour shows that any ‘outrage’ or ‘shocking incident’ drives investment in otherwise neglected areas. The hacking of a CEO’s mail, the defacement of a company website, the breach of a secure space or losses due to industrial unrest all amplify the mindshare of security.

There is also an ‘industry mindshare’ or ‘regional mindshare’. For instance, after the Peshawar school attack in Pakistan, there was a spate of advisories and security assessments in schools all over the world, most of which faced no such danger whatsoever. Similarly, the Mumbai attacks of 26/11 spawned an entire hotel and hospitality security industry, which continues to consume resources eleven years on.

Likewise, anti-drone technologies have been catapulted into boardroom meetings after the attacks on Saudi Aramco. Never mind that Saudi Arabia, with one of the largest defence budgets in the world, with essentially one major asset to protect, and with a US alliance that brings the latter’s air defence umbrella, could not protect its crown jewels. That, however, does not stop CEOs from evaluating and in some cases buying technologies with fancy names (with the necessary smattering of ‘shield’, ‘dome’, ‘iron’, ‘airtight’ and so on) that offer no meaningful reduction in risk whatsoever.

FUD clearly works. But only for the security fraternity, and at a high cost to the organisation as a whole. In some cases, FUD may actually be counterproductive for both the organisation and the security fraternity. Here is why.

The strategic objective of any risk management programme should be to provide the desired level of security at the lowest total cost of ownership. If security budgets become a disproportionate slice of operational outlay, or if risk management controls start curbing the agility of the organisation, they defeat the very purpose of risk management. Two simple examples illustrate this.

First, shoplifting (or shrinkage, as it is known in the trade) is an operating reality of the retail industry. Sure, technologies can be implemented to reduce theft, but driving shrinkage to zero is counterproductive, because it severs the ‘touch and feel’ advantage of physical retail outlets over an online experience by preventing interaction between the customer and the product. So, while a reduction in theft is desirable, eliminating it altogether is counterproductive.

Second, advocacy using FUD scenarios has diminishing returns. Management gets FUD fatigue and every new fear is taken a little less seriously. Fear works as a driver when the overall situation is sanguine. But in a VUCA (volatile, uncertain, complex, ambiguous) world, the baseline itself is fraught with uncertainty and volatility. In such an environment, any ask from a cost centre (which is what the risk management and security functions are) is relegated behind demands from the revenue-generating functions. As a doyen of the industry once remarked after witnessing an ethical hacking demonstration by a Red Team: “You have shown me how I am leaking and you suggest measures to stop this diarrhoea, but I am dying of starvation”.

A bit dramatic, but it hits the nail on the head. Strategic leaders are now bombarded with so many overt and subliminal stimuli of fear, uncertainty and doubt that touting fearful possibilities is unlikely to win sustained project sponsorship in the long term. There may be disproportionate mindshare in the aftermath of a security incident or ‘simulated attack’, but it is rarely sustained. Risk and security functions must accept that cost centres will always be second priority in tough times.

And that is why risk and security professionals need to reinvent their mindset and the value chains of their functions, to become revenue oriented instead of cost drainers. I believe the security function is best poised for this paradigm shift right now.

Most organisations don’t realise that it is the security department which has the best understanding of the customer! This seems counterintuitive, but it is true.

Take a five-star hotel or a mall, for example. There may be a general belief that the front desk or guest relations understands customers best, but it is security which has actual footage of a customer’s behaviour through its CCTV cameras. Every other department has secondary information about its customers. Only security observes the primary behaviour of customers. For instance, at the end of a meal, the restaurant staff may obtain feedback from a diner, which is secondary information. But the CCTV footage will show that the diner did not touch a dish, regardless of what rating she may have given in her feedback. Security knows the path of every customer from the time she walks into the premises until she leaves. They know which display attracted her attention, which billboard she spent time watching and which garment she came back to try, twice. The security department is best poised to help design micro customer experiences by intelligently leveraging security technologies.

Every security technology offers opportunities for revenue generation. Here are some examples.

Most organisations are experimenting with facial recognition, especially for physical access to premises. The same technology can be leveraged to dynamically change advertisements or other messaging depending on the gender or age of the person in front of the display. Similarly, mass alert systems can be leveraged to sell idle capacity. A mass alert system is a technology that allows security teams to send targeted messages to individual phones depending on their geo-location. A simple use case will explain this.

Consider the situation on 26/11, when the police needed to tell the guests trapped in the hotels to barricade their doors and remain inside until asked to come out, and also needed to send a mass message to thousands of onlookers to move back from the hotel as the NSG (National Security Guard) began its operations. This could be achieved easily by a mass alert system, which allows different messages to be relayed to different geo-locations by simply drawing a ring on a digital map and typing in the message to be sent to all active phones in that demarcated area.

The same system can be used by a multiplex to sell its idle capacity of empty seats at discounted rates, literally minutes before the movie begins or even after it has started, by sending a mass alert to phones in the immediate vicinity of the theatre.
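The ring-on-a-map routing described above, as an added worked example that is not part of the original article or of any particular mass alert product: each ring is a centre point plus a radius, a phone’s great-circle distance to the centre is computed with the haversine formula, and nested rings are checked innermost first so that a guest inside the hotel receives the ‘barricade’ message rather than the ‘move back’ message meant for the outer cordon. The multiplex case is the same call with a single ring around the theatre. The coordinates, phone identifiers and messages are constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres (spherical model)


@dataclass(frozen=True)
class Ring:
    """A circular geofence drawn on the map: centre in degrees, radius in metres."""
    name: str
    lat: float
    lon: float
    radius_m: float
    message: str


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def route_alerts(phones: dict, rings: list) -> dict:
    """Map each phone id to the name of the smallest ring that contains it.

    Rings are tried from smallest radius to largest, so a phone inside a
    nested inner ring gets the inner (more specific) message. Phones outside
    every ring are left out of the result and receive nothing.
    """
    ordered = sorted(rings, key=lambda r: r.radius_m)
    routed = {}
    for phone_id, (lat, lon) in phones.items():
        for ring in ordered:
            if haversine_m(lat, lon, ring.lat, ring.lon) <= ring.radius_m:
                routed[phone_id] = ring.name
                break
    return routed


# Constructed scenario (assumed values, not real incident data): two rings
# around the same centre, an inner one for people trapped inside the building
# and an outer cordon for onlookers.
CENTRE_LAT, CENTRE_LON = 18.9220, 72.8330
RINGS = [
    Ring("cordon", CENTRE_LAT, CENTRE_LON, 500.0,
         "Move back from the hotel. Clear the area for the security operation."),
    Ring("inside_hotel", CENTRE_LAT, CENTRE_LON, 100.0,
         "Barricade your door and stay inside until told to come out."),
]

# Constructed phone positions: ~56 m north, ~315 m east, ~2.2 km north.
PHONES = {
    "guest_12": (18.9225, 72.8330),
    "onlooker_7": (18.9220, 72.8360),
    "commuter_3": (18.9420, 72.8330),
}


if __name__ == "__main__":
    by_name = {r.name: r for r in RINGS}
    for phone_id, ring_name in route_alerts(PHONES, RINGS).items():
        print(f"{phone_id}: [{ring_name}] {by_name[ring_name].message}")
```

Two things a practitioner would check before relying on this in anger: the spherical haversine distance is accurate to well under a percent at these ranges, which is fine for a ring drawn by hand on a map, and the phone positions the system consumes are exactly the kind of data that identifies who was where, so the location feed and its logs need the same access control as the CCTV archive sitting next to it.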

Similarly, modern CCTV-based video analytics can identify abandoned bags. That very same technology can be leveraged to recognise that a customer is carrying a Bottega or a Michael Kors bag and therefore segment her as a high-net-worth client. Number plate recognition software can be leveraged to identify frequently returning customers, who can then be guided to coveted parking spots to achieve customer delight. I think of the number of occasions on which a guest at a sprawling five-star property starts walking towards the reception with her baggage. What does it take for the security control room, which is watching this customer walk with her luggage, to inform guest relations so that a buggy is immediately despatched to intercept and delight that customer?

These examples only serve to illustrate the power of imaginative thinking to leverage security technologies and turn them into business generators rather than cost consumers. But this requires a mindset change amongst risk and security professionals who have been brought up on a diet of FUD. Security must learn to earn its own keep. This also requires new skills. Very few security professionals ever bother to learn the nuances of the businesses they support. Without deep business understanding, they are unable to develop revenue generating business cases and hence default to the FUD model. And therein lies the existential challenge for the security and risk professionals.

The traditional talent pool of risk and security professionals is drawn from the military, police, other uniformed services, auditors, hackers, security technology vendors and the like. While all of these backgrounds are steeped in domain knowledge, often requiring tough exams to attain and retain their certifications, they have little or no exposure to the business or revenue side of the ecosystem. They haven’t been trained to discern business opportunities or to build persuasive business cases with a tangible return on investment. And that could be the Achilles’ heel of contemporary risk and security professionals.

The Chief Risk / Security Officer’s portfolio will undergo changes like other CXO portfolios did over the last two decades. ‘General Manager IT’ gave way to the Chief Technology Officer, ‘General Manager Accounts’ gave way to the Chief Financial Officer, and ‘General Manager HR’ gave way to the CHRO. The driving force in all these changes was not domain expertise. Instead it was an appreciation of the revenue side of the business, which decoupled these portfolios from their core qualifications. So much so that a company like Infosys shifted its CFO to the CHRO’s portfolio when the latter needed focused attention.

Going forward, the position of Chief Risk or Security Officer will not necessarily be ‘reserved’ for former military or police personnel on account of their subject matter expertise. Instead, this portfolio could well be helmed by business heads with the ability to leverage security technologies and processes to create revenue opportunities. And there is a sound rationale for that, because the true definition of a risk head is one who can truly appreciate the risk of business operations, and therefore has the ability to contribute rather than just expend, and to more than earn their keep in the organisation!

The author is a former soldier, founding CEO of NATGRID, business head and was last President Risk, Security & New Ventures for Reliance Industries. He tweets @captraman and his website is www.captraman.com


Raghu Raman

Distinguished Fellow - ORF @orfonline, Columnist, Author, former CEO NATGRID, Speaker, Ex-soldier & UN Peacekeeper. All views are personal.