Security GRC: cost center or profit center?

I’ve had a lot of conversations over the course of my career about the value of Security Governance, Risk, & Compliance (GRC) for an organization. GRC generally sits within Security or sometimes Legal, which are both classic cost centers. Some companies do have GRC broken out as its own department, but it’s still under the larger G&A cost center. However, most of what a GRC program actually does is the definition of a profit center.

My perspective here is obviously biased, but the distinction is important because the support and value placed on the GRC function can either unleash the function’s potential to drive revenue growth for the business or box it away to do the minimum possible.

So what’s a cost center vs profit center anyways?

It’s just business jargon for which departments have the potential to bring in new revenue growth versus which departments exist to support the business.

A profit center directly adds or is expected to add to the entire organization's revenue and is responsible for managing both their revenue generation and their costs. The classic examples are Sales and Product.

A cost center incurs expenses or costs and is not directly involved in the generation of revenue. Cost centers are only responsible for managing their costs.

The business is primarily motivated to run cost centers as lean as possible because on paper, they are a drag on profit. This is how companies continuously wind up under-investing in departments like IT, Security, and Legal and find themselves in the middle of a major security breach or lawsuit. When a cost center is adequately funded, the return on investment can be really difficult to measure because the department is actually successful in preventing the negative events that would have otherwise occurred. There is a balance to be had here, but in my opinion, most companies hold themselves back by preventing the cost centers from effectively supporting the business and being a force multiplier for the profit centers.

So why do I think GRC is a profit center?

The primary purpose of most cost centers is to support the business and protect it from negative events and larger costs. For example:

  • Security protects the organization from breaches and the subsequent fines and lawsuits.

  • Legal protects the organization from lawsuits and regulatory fines.

  • IT/Infra protects the company from outages and other business interruptions.

However, GRC functions actually unlock new revenue streams, markets, capital investment, and can be a competitive advantage. For example:

  • Attaining attestations and certifications like SOC2, ISO 27001/2, and FedRAMP unlocks new customers that were previously unattainable.

  • Meeting laws and regulations like UN R155/6 or GDPR unlocks entire new markets that were previously off limits.

  • Complying with CFIUS derisks millions or billions in capital investment for the business.

  • Demonstrating through a Trust Center that the organization has an industry-leading security program provides a distinct competitive advantage between two otherwise similar products.

  • For many companies, PCI is the foundation that enables up to 100% of their revenue generation.

All of these things directly affect new and existing revenue streams for the business, and that revenue would immediately be in jeopardy without an effective GRC program.

That all being said, I'm not naive to the argument that GRC is a cost center. At the end of the day, GRC is a supporting program for the specific products or services of the business. Without those products and services, there is no GRC program (there’s also no company, but I digress).

What’s my point with all this?

The GRC program has outsized influence on the business and the revenue it generates. Companies need to lean into this and use GRC as a force multiplier in the product and company strategy. I’ve seen some early startups do this well and overcome a lot of the barriers their competitors were facing when trying to land larger customers with serious third-party security and privacy requirements.

As GRC professionals, we need to tell this narrative more often and more effectively to influence the perspective of top leadership and ensure GRC initiatives are prioritized as part of the product roadmap. We need to ensure the GRC program is treated like a profit center and gets the visibility it needs to proactively and transparently build trust with customers, regulators, and investors.

View this post and associated discussion on LinkedIn as well.
