Security has traditionally been positioned as the guardian at the gate: vital for protection but standing in the way of business agility and innovation.
Regrettably, most business cases for security reinforce this perception. They are built around risk avoidance – striking a balance between best practice, regulations and risk appetite. Moreover, they’re often developed in a silo, with IT teams working apart from other stakeholders.
Throughout my career, I've also witnessed the chasm this creates between IT teams and other stakeholders, making it hard to connect the value of security to wider business objectives. When this happens, security initiatives receive reluctant nods rather than enthusiastic support, and security teams find themselves working alongside—rather than integrated with—the rest of the business. But it doesn’t have to be this way.
When making the case for investment, I firmly believe security teams must break out of the negative, fear-first mindset that focuses on the consequences and cost of a security breach. Instead, we must reposition security as an enabler of business growth and better outcomes, while simultaneously improving security maturity – ultimately forming a key part of what we at Turnkey call “Digital Enterprise Resilience”.
Building a performance-based security practice
So how does this work in practice? The first step is for security teams to understand what the business is trying to achieve as a whole and how security fits into that bigger picture. This means proactively engaging with key stakeholders to understand goals, challenges, and risk appetite, and thinking about how security and controls can make positive contributions to business performance.
Bridging the gap between security and the wider business creates more persuasive business cases for security and controls investment. Not only that, but the engagement with stakeholders naturally primes key decision-makers to be more receptive to investment proposals, too.
For example, one of our clients recently wanted to consolidate their SAP systems into one interconnected ecosystem. The business goal was to generate operational cost savings by managing and running one system rather than five, and security’s contribution was to ensure the same controls and data segregations were applied to the integrated system. This is exactly the type of business-aligned approach that transforms security from a blocker to an enabler.
The same principle applies to identity solutions, where we streamline processes for organizations so they can connect the right people to the right access much faster.
Another shining example comes as SAP moves its customers toward the Full Use Equivalent (FUE) licensing model. Herein, as security teams reduce excessive and unused access—and improve security in the process—they also achieve significant cost-savings for the business.
Measuring security's contribution to business performance
Reframing security as a performance driver transforms how we demonstrate return on investment and the value that security—and the security function—deliver to an organization.
Typically, these improvements include (and are by no means limited to):
-
Speed of access: Enabling faster access to systems removes a major barrier to daily productivity, so that businesses can get more from their existing talent pool.
-
Streamlined processes: Giving people the right level of access reduces the complexity and friction of business processes.
-
Cost savings: Trimming the fat from license provisioning drives substantial savings in operational costs.
These contributions may not always fit neatly into traditional ROI metrics, but they represent powerful business value that resonates with stakeholders far better than little-understood security jargon. Aligning and relating their efforts to organizational objections means security teams can move away from creating abstract security-specific metrics or quantifying materialized risks that have limited relevance to the wider business.
Evolving security capabilities
Applying this principle to its fullest extent, security teams must evolve from a service provider role into genuine business partners to drive performance—the last of our “three Ps”: Protection, People and Performance.
At Turnkey, we’ve developed a Security Maturity Model that illustrates this evolution and provides a roadmap for security professionals looking to reposition their function within the organization. This model isn't just theoretical—it represents what I've observed repeatedly in our 20+ years of security engagements across industries.
The key difference between each level is how security aligns with business objectives. As teams progress through this model, they shift from imposing security goals on the business to integrating with and enabling broader organizational objectives.
At level one, security teams typically begin their journey as guardians, focused primarily on protection—an essential but limited aspect of their potential partnership with the business.
Then, as security teams shift focus from their own goals and start to consider those of the wider business, they become a trusted service, meaning they’re addressing both protection and people. At this second stage, security teams support the necessary change management associated with security and other stakeholders begin to invite them into business conversations and decision-making, not just those that directly relate to security.
Over time, this evolves into the third stage, covering all three Ps: protection, people and performance. As security teams develop more of an understanding of business processes, they can start linking security and controls into them and become more of a business partner and strategic adviser.
Reaching the third stage doesn’t mean abandoning good security practices for the sake of the business; instead, it means considering security measures in a more balanced, holistic context that aligns with what the wider business is trying to achieve.
Security as a growth catalyst: The Turnkey vision
Security isn’t the first business department to have undergone this type of internal repositioning. Over the past two decades, finance and human resources teams have also moved away from purely functional operations to become business partners. As a result, it’s now commonplace to think of these departments as fundamental contributors to business success, especially when planning and implementing new initiatives.
With an eye toward performance, security professionals can transform the way their work is valued, evolving from perceived blockers into recognized business accelerators, driving growth through strategic security enablement.
At Turnkey Consulting, the elevated role of security is expressed as Digital Enterprise Resilience, where organizations are better placed to grow and withstand disruption thanks to robust, well-aligned security and controls, and positive workforce engagement with them. We’ve already helped countless businesses achieve Digital Enterprise Resilience, turning security from a cost center into a business enabler – and we can do the same for you. Contact our team today to find out more.
