Making the Case for Security: Benefits vs. Costs
Serving an enterprise as a Chief Security Officer today demands an executive who is both a business leader and a security practice and technology professional. Creating a world-class security program starts with building a team of experienced people who can adapt to the macro-level demands of the business they work within and still drive the organization’s safety and security mission. CSOs are required to identify how to build security programs that mitigate exposure and vulnerability while continually delivering savings and efficiencies into the corporate enterprise. The ability to deliver an outstanding security program while watching the bottom line is as much art as science for today’s CSO.
As security programs become more comprehensive and technically advanced, so do the expectations of companies that have a top security official in place. CSOs with technical backgrounds must also understand compliance, regulation, security, and risk beyond the data center. CSOs whose primary experience is from a physical security, law enforcement or military background require an understanding of cyber risks and the threats they pose to their organization’s overall assets.
Value of Readiness
Organizations are exposed to a wide range of evolving threats that can create a multitude of security risks. In any competitive industry, disruptions to a company’s services and operations, which can occur due to man-made or natural occurrences, can have catastrophic effects on a brand. So, what’s the worst that can happen if your company has no enterprise security risk management plan? A company without a comprehensive risk management plan, including how to respond to and manage the event, could face serious repercussions ranging from a supply chain breakdown of a product line to reputational damage, revenue loss, loss of market credibility and shareholder devaluation.
Companies need to plan for all conceivable man-made and natural occurrences, ranging from hurricanes to network malware attacks. Calling a contract security company for help in the middle of Hurricane Harvey, for example, will not be fruitful. “We assembled more than 365 security professionals to help with rescue and recovery efforts for clients,” said Randy Dorn, President, Central Region, Allied Universal. “I received many calls from companies that were not clients who were seeking help. Our priority was to help our clients survive and recover from this catastrophic disaster, not take on new clients.”
Return on Investment (ROI) – Costs and Benefits
The two basic standards used in evaluating ROI are costs and benefits. The Internal Rate of Return (IRR) is calculated on a series of cash flows, both outgoing and incoming. Outgoing cash flows are investments made or costs, while incoming cash flows are the benefits derived. However, an analysis of the ROI for security expenditures is far more complex and evolving.
Physical security has evolved from a “cost center” to an “expense saver” due to the benefits associated with evaluating risk scenarios, costs and integrated solutions from a total cost of ownership standpoint. For example, an analytics program can be applied to a retailer’s surveillance video to determine how many customers come in at different times of day, how long they stand in line and what aisles they browse. That information can be used to reduce costs, boost sales, and improve staffing and inventory. A hospital can use surveillance video to monitor patients who are at risk for falls or self-harm. Surveillance video eliminates or reduces the need for patient sitters, who are paid to stay and monitor the patient.
Security Costs: Budgeting Tools
While a cost-benefit analysis is specific to each enterprise, the methodology is the same. The methodology is a risk management model which ensures an understanding of the corporate assets, prioritization of value and current state of vulnerability based on design criteria. The most cost-effective solution to mitigate risk to a given asset varies from corporation to corporation based on the level of risk an organization will accept. Some enterprises are entirely risk-averse while others will accept some level of risk.
Outsourcing support functions not associated with a company’s core business is especially prevalent in the area of personnel-related support functions, which includes security. With more and more companies competing for market share and doing so with enhanced technology, it is imperative to have a workforce that is focused on improving a company’s core business offering.
Security Convergence: Major Component of Overall Program
The convergence of technology with traditional uniformed security and other physical security services is heating up—in a good way. Paired together, multiple solutions can deliver greater security results and maximum budgetary efficiencies.
Uniformed security services are significantly impacted by innovative technologies that deliver greater efficiency and maximum budgetary efficiencies. Therefore, more and more CSOs are becoming dependent upon a comprehensive set of resources, tools and service providers that generate situational awareness and analytics to ensure the integrity of their company’s resilience and risk mitigation in their security functions. Monitoring and response centers have become virtual fusion centers for operations and physical security asset management, coordination and mitigation response. Think of the Internet of Things: the interconnectivity of physical devices, vehicles, buildings, and other items with electronics, software, and sensors to make environments smarter and more effective.
By way of example, my company was chosen as one of several large contract security companies to bid for a top-ranked research university’s uniformed security program. After a review of the submissions, the Dean of Operations responded that they liked our program but, with University expense constraints, needed a lower-cost but high-value model. We identified technology solutions that enabled us to reduce the officer cost and increase the technology spend, and at an aggregate level, the overall expense associated with the total cost was lower and met the needs of the customer, and thus, we won the bid.
Higher education campuses and hospitals can compare the costs of manned live video monitoring versus the ability to leverage video analytics to repurpose the stationed dispatcher for alternative uses. Increasing coverage and monitoring is much more scalable and cost-effective than simply using manpower alone. Many enterprises are realizing significant cost savings by applying hybrid solutions (security professionals in conjunction with real-time monitoring using analytics) across their diverse range of properties and assets.
Video surveillance solutions that proactively intervene to deliver an unprecedented level of intelligence to mitigate risk at your facility are but one aspect of a monitoring and response center’s capabilities. This virtual hub of threat intelligence, situational awareness and critical event management is quickly becoming the standard in the security sector.
Robotic assistance devices add situational awareness with innovative patrolling, deterrence, forensics and communications. When designing a security program, the addition of a security robot may also reduce the overall program cost associated with security staff and allow capital to be deployed on more strategic initiatives.
Community sourcing, an integration of public and private sector threat awareness and situational intelligence sharing, is a broad term that focuses on the optimal monitoring of and response to the vast amount of threat and intelligence information found across a variety of data streams (which can be human to human, system to human and system to system), and it is continually evolving. The key to successful integration is being able to monitor proactively and preventatively and to respond reactively.
Building the Security Team
When a CSO or other organizational leader makes the decision to begin or enhance a security program, there needs to be careful consideration about what type of team is required. The types of security responsibilities vary from enterprise to enterprise, and the right mix of security skills and abilities is a vital component. Is a military or law enforcement background required? How important are customer service and customer-facing experience? Will the security officers interact with your employees and visitors frequently? Are technology skills critical? Do you require cleared officers? Will posts and patrols be indoors or outdoors? It should be no surprise that a higher level of expertise and background required for the security team translates to higher compensation and expectations.
There are many factors to consider in the development of a security program. By defining security program needs, careful recruiting and screening can occur to align candidates with positions where they will excel. This requires a formal approach that systematically evaluates and aligns candidate expertise and work preferences and then brings the right personnel and positions together.
When implementing a security program with a contract vendor, it is important to consider the following four rules:
1) Set a competitive pay rate. Security contractors need to attract experienced people and provide a pay rate commensurate with their skill set. Security officers need to be paid for the skills and expertise they bring to the job.
2) Don’t let procurement drive the decision by selecting the lowest cost solution. Security contractors need to pay payroll taxes and medical benefits, and can offer vacations and 401K plans. The quest to drive down costs will not lower these payables but only result in a low hourly wage. Procurement needs to understand that skilled personnel are mandatory and that they are not paid for their experience.
3) Check local references and meet the management team from the security vendor. Ensure that service is local and that the contract partner has the experience to deliver optimal personnel.
4) Find out what technology is available to security professionals, such as tools that provide GPS tracking and electronic incident reporting. These tools provide management oversight and tour confirmations, and reduce liabilities by ensuring that historic information is easy to find.
When making the case for security and weighing the benefits versus the costs, it is important to understand that there is no such thing as a cookie-cutter security program. It’s important to identify and partner with a security services provider who shares that philosophy with the resources to provide a tailored security program to meet an organization’s needs. In addition to expertise and a commitment to excellence, formal recruiting, quality assurance processes, local management support, industry-specific training and overall leadership support are necessary for not only getting it done but getting it done the right way.
The protection of the enterprise is vital to the viability and survivability of your company. The key to ensuring risk and resilience preparation is either organizing and centralizing the appropriate tools and products in your organization or building a relationship with a service provider who can deliver the right mix of products and services to ensure your company’s future.