As CIOs and other IT pros well know, lapses in security pose serious threats to most modern organizations. Companies like Target, Home Depot, the IRS, Anthem, CareFirst—and scores more—have taken huge hits, in terms of reputation, fines and financial losses. Sometimes the CIO is ousted.

But in an era of constrained resources, how can you get your company to focus on doing security right—not just because it's ethically and legally correct, but because it's financially sound?

Resolve security problems to compete better

Despite the catastrophic effects of security problems, very few companies can provide evidence that they have addressed key areas of security risk and compliance. Usually, security is thought of as a giant money pit, and it's easier—until something awful happens, that is—to just hope that your company won't be next.

Even fewer stop to think that simply doing a superior job of addressing security risks can be a competitive advantage for companies that do things right. How can that be? Organizations that reduce security risk are often better run in other ways—because they've evaluated their processes and thought through how to improve them. In this light, security and compliance are key aspects of managing a well-run company.

Can your company profit from compliance?

And usually, there is even a way to profit from compliance.

For example, 8x8, the enterprise cloud communications company where I'm CSO, made a conscious decision several years ago to do the work required to thoroughly address key areas of risk, and brought in reputable third parties to provide validation. By offering third-party-validated, HIPAA-compliant communications services and promoting this as an advantage for our customers, our company has made huge inroads into insurance and healthcare organizations, precisely because for these CIOs, security and HIPAA compliance are the number one priority when buying cloud communications.

Financial companies, too, are now turning their security features and processes into marketable services, such as Discover's "Freeze It" feature, which lets people who have misplaced their cards freeze them against new transactions and later "unfreeze" them if the cards turn up.

That's a feature that requires a lot of behind-the-scenes work to do economically. Discover must be sure that its processes work automatically, seamlessly and, above all, reliably. (Security features you can't rely on, aren't.)

But now that the company has done the work, Discover can offer a feature that cuts its own risk from lost cards that people are reluctant to cancel right away. Plus, it gains marketing advantages over other cards that can't offer that capability.

In my experience working with a wide range of companies, almost every company can find a way to market tighter security and compliance, but each company's potential is usually a little different. Start thinking now about what your company's "security and compliance dividend" could be.

How to get upper management buy-in

Security and compliance directives rarely work unless they come from the top, so you have to get upper management to 1) make a commitment and 2) understand that it will take resources, investment and reinforcement of good behavior—and maybe even exposure of bad practices—to make the commitment "stick."

The key to this is quantifying the negative financial effects of a breach, and the positive effects of being an industry leader in the field, or of providing extra-secure products and services. It is also often helpful to mention that how security is handled is widely seen as a critical indicator of whether an executive is running a well-run company. What executive wants to argue with that?

Where to start

The biggest challenge is often making the pitch. Schedule a meeting with top decision-makers, and be ready to:

Summarize key security risks at your company and talk about the potential for losses from such risks. You need not have actually suffered a loss—you can talk about what might happen. You can do cost estimates of incidents arising from similar risky situations, especially if they happened in your industry.
Discuss the impact, root cause and economic benefit of avoiding incidents.
Present a short, high-level summary of your plan—basically, a prioritized road map—to raise the level of awareness of security, compliance and their value to the company.
Discuss reasonable short-term and long-term goals—both for the overall company and on a department-by-department basis. Department directors are usually more willing to support goals that align with the things they're already being evaluated on.

For instance, an IT goal might be to reduce the number of social engineering attacks, or to reduce the number of unsecured desktops at the company. A customer service department might have goals concerning the detection of social engineering attacks by people impersonating legitimate customers. (Incidentally, a good VoIP phone system or contact center software can help to achieve this goal, since they integrate with CRM systems such as NetSuite and Salesforce and match the incoming phone number, automatically "popping" previous contact information to the phone or screen.)

Talk about quantifiable training objectives. Most security and compliance standards—including Sarbanes-Oxley, HIPAA and FISMA—have explicit training requirements. Present a road map explaining how you propose to get there.
Paint a picture of what success looks like—and how you might leverage a more secure, compliant company as a business improvement. Could you use improved security in ad campaigns? Could you reduce losses and improve the bottom line?
Talk about what IT can do to make the change easier. And be ready to train and mentor others in the company and support them in their efforts to run more secure, compliant operations.

You CAN do this

Sometimes it might seem tough to win the fight for security and compliance. But most people who prepare thoroughly—and can talk details about security and compliance's effect on the bottom line—can get top management's support. Good luck!