A primary role of security remains as it has for decades - to mitigate risk through proper identification, definition, evaluation and response of real and perceived threats while establishing control measures designed to protect all facets of the organization.
As these threats change, evolve or otherwise gain visibility within an organization, capable people in that organization, or contracted professionals, must assess the totality of the situation and anticipate the likely impacts these threats have on the organization. While there still remains a certain level of latitude in how much risk an organization may tolerate and, in essence, accept as the "cost of doing business," it is important to note that several industries have regulations, statutory codes or established "standards of care" that dictate security measures to be taken to adequately protect its people, product, property and proprietary information.
Yet, at a time when the list of threats identified by businesses continues to expand in virtually every industry sector, many companies appear to be taking a step backwards in how they select and use the uniformed officers assigned to protect their executives, employees, assets and sensitive information.
What Do We Need From Security Personnel?
We live in an era where the security risks experienced by U.S. corporations have expanded to include threats beyond the traditional criminal element. Today's uniformed security officers are placed in situations where they must not only identify suspicious behavior or activities associated with terrorism, workplace violence, fraud or violations of a company's work rules - but they are also asked to control these situations, collect evidence, engage appropriate resources for resolution, document all aspects of this response and, in some cases, conduct a preliminary investigation. As advancements are made in security system technology, these officers are also required to go far beyond standard computer literacy to effectively manipulate complex integrated systems while staffing NASA-like control centers. These are no longer the entry-level positions that they were 10-15 years ago.
As corporations are asked to do more with less, businesses that possess Corporate Security functions are given fewer resources to develop and maintain traditional security programs. They are often asked to provide higher levels of protection to company assets while managing reduced budgets and maintaining tighter scrutiny on operating costs. Businesses without a formal security function often rely on other established functions such as Human Resources, Facilities, Legal or Property Management to "wear the security hat" in addition to their normal duties. In both instances, the responsibility to protect and the duty to respond to a broad range of security and safety situations gets placed on members of the organization that are unlikely to be sufficiently equipped to respond.
What Have We Done To Prepare?
Recent research suggests that safeguarding of the workplace against criminal, terrorist and workplace violence threats remains high on the list of concerns by executives and employees alike. In response to this need, the security industry has taken great strides over the last decade to elevate the expertise and professionalism of personnel operating at all levels of security.
Universities across the country have developed specialized curriculums and offer degrees in the areas of security management and administration. A predominant and highly regarded security trade association, ASIS Intl., continues to develop standards, influence legislation and conduct research around mitigation strategies and their effective deployment. Threats to American businesses continue to evolve in our post-9/11 era and many within security believe that industry professionals are poised and prepared to respond. Regrettably, many of the corporations and businesses requiring this protection have been slow to understand the level of financial investment and operational support necessary to adequately deliver this service.
The more innovative security departments and contracted security providers recognize the need to provide more than gates, guards and guns. They recognize that security personnel, systems and the policies and procedures adopted by an organization must work in harmony to gain efficiencies and complement one another as part of a strategic security program - ideally one that is endorsed and supported by top levels of management. Unfortunately, when faced with creating value beyond the basics, few companies challenge themselves or their suppliers to assess these efficiencies in an integrated approach that represents the total cost of ownership. Uniformed security service providers, technology manufacturers and integrators typically have different agendas and focus on their piece of the puzzle rather than the larger picture being created.
While many companies value the importance of these elements when looking for a security vendor, and even take steps to incorporate these requirements into the selection process, current economic pressures are forcing corporations to reduce costs. This condition has reinforced an old adage: "you get what you pay for."
During a time when the need for highly trained and competent security personnel is at an all-time high, organizations continue to use an RFP/vendor selection process that forces security providers to cut corners, resulting in poor hiring decisions, slipshod practices and a greatly increased liability for the companies they should be protecting. Security vendors interested in bidding these opportunities are often placed in the difficult situation of having to balance sufficient training, competitive wages and benefits against unreasonable pricing parameters, shrinking margins and decreasing profits.
It is very tempting for decision-makers to choose the lowest bid when contracting security services. However, many organizations are learning there is a greater price to pay when taking this approach. Low-bid contracts result in a baseline service that may end up costing more in the long run if incident response is not properly accomplished. I recall a comment made to me by a long-time security professional responsible for directing the global security operations of a notable U.S. food manufacturer:
"I am not paying that security officer at the front gate to check vehicles and IDs, nor am I paying that control center operator to watch surveillance cameras and acknowledge alarm systems all day. I am paying for them to respond appropriately and make solid decisions when the [stuff] hits the fan and my operations and my employees are at risk. If the officers are unable to handle the crises when they arise, I have wasted $5 million of my employer's money."
His point was well-taken. The employment of site security personnel, and the corresponding compensation and training they receive should not be aligned with what they do when all is calm. Rather, the emphasis should be placed on providing competent, properly trained and equipped personnel adequately prepared to handle the more critical scenarios that are likely to occur at that facility. The training, compensation and skill sets of these officers should be focused on meeting these expectations; however, this concept is sometimes lost in the RFP process where perceived value is associated with routine day-to-day duties over that of a well-orchestrated and appropriate incident response.
One Step Forward, Two Steps Back?
Most organizations using contracted services are challenged with continually reducing the cost of the contract or service agreement. This includes negotiating with the current supplier, obtaining discounts for term commitments, competitively bidding the contract and aggregating multiple facilities into a corporate agreement for volume discounts. A recent trend to get the absolute best price is the introduction of a reverse auction designed to get two or more finalists to blindly "out-bid" one another by posting lower rates than their competitors in a live auction. In a desperate attempt to gain business within a very competitive market, security vendors find themselves bidding lower than what many would view as reasonable or rational, given the skill-sets and professional qualities required to deliver high-quality service.
The expectations for performance rise while the costs associated with delivering this service are expected to go down - something has to give.
As well-intentioned as many security providers are when they prepare to deliver the services that were sold, over time it can become very challenging to sustain the following service elements:
- Comprehensive Background Checks: Background checks vary significantly in the scope of data that is checked. The cost can range from $20 to more than $120 each, based on how information is obtained and evaluated. For example, a person with a criminal record in Nebraska may relocate to Louisiana without his criminal record appearing in a standard check. A comprehensive check with sufficient identifiers, while costly, is more likely to uncover misrepresented or omitted information from an application. Some service providers reduce the scope of these checks or postpone background checks due to cost and wait to see if an employee will "work out." Other firms forego these vital screenings altogether. As a result, convicted criminals end up guarding critical assets and employees. In fact, a known computer hacker was recently hired as a guard at a Dallas hospital and was later arrested for accessing the institution's computer systems in an attempt to orchestrate a distributed denial-of-service attack.
- Training: Today's security officers often require very specialized training. Administering sophisticated security systems, detecting and deterring criminal activities and appropriately responding to a growing number of emergency scenarios require more than just a "physical presence." Also, those not properly trained in how to handle more tense security situations, such as dealing with a violent ex-employee or member of the public, can expose a company to serious legal liability. Unless mandated by contract, security vendors may be tempted to default to the state-mandated training requirements, which are quite often very limited or, in some cases, non-existent.
- Account Management: As in any profession, a lack of management oversight can result in lapses in staff performance, protocols and established practices, which invite control failures and unwanted exposures. When margins are squeezed and profits reduced to razor-thin levels, it becomes increasingly challenging to keep highly qualified management personnel dedicated and focused on each account. As mentioned earlier in this article, we are operating at a time when this expertise is vital and necessary to sustain a quality security program.
- Pay & Benefits: Like any industry, money and benefits motivate employees. Obviously, under-compensated security personnel are not as dedicated to delivering quality service and are more susceptible to becoming complacent, unreliable, or on occasion, an insider threat themselves.
Case in point - A Security Manager at a distribution site commenced an investigation after learning that $10,000-$15,000 of electronics were missing from their inventory. After spending roughly $2,000 investigating these losses, they discovered that the thief was a security officer in possession of dock keys. A dock worker and accomplice paid the officer $300 to leave the dock door unsecured for 30 minutes over the dinner hour, allowing enough time for the "insiders" to load up a delivery van with the goods while supervision was reduced. The officer made $9.75/hr. The time of year? You got it - early December.
Poor pay and limited benefits also result in higher guard turnover, which means less-experienced personnel are conducting the assigned duties and the service provider is faced with incurring additional costs associated with recruitment, uniforms and repeated training.
The Commoditization Paradox
If you accept the premise that the threat profiles to businesses are becoming more complex and an investment needs to be made into the training, development and retention of security personnel so they may provide a service of protection in a professional and effective manner, then you will most likely also agree that the process by which security vendors are selected has created a paradox in the industry. It is not always feasible to "do more with less."
The process used to select security vendors is attempting to commoditize the industry at a time when additional investment is needed to raise the qualifications and skill sets of the security personnel providing these services. It is also a time when security service providers should be given the opportunity to differentiate themselves by marketing the value-add services and industry expertise that their clients need to solve security concerns and adequately protect their operations.
In a true commodity market, many companies compete on a playing field where no one enjoys a competitive advantage, meaning that each provider has equal access to technology, capital, clients and labor. The process of commoditization is the dilution of a market sector's internal differentiation and competitive nuances in favor of a mass market where price alone determines consumer decisions. The industry's mode of competition thus moves away from innovation of the underlying, commoditized product or service.
This is not healthy for an industry that relies on innovation and continuous evaluation to assess the ever-changing risks that threaten today's businesses, one that also requires ongoing development of techniques and training to sufficiently prepare security officers for their role in protecting these organizations.
Putting security vendors in the position of playing the "how low can you go" game only serves to drag down the industry when the level of expertise, professionalism and quality of service needed by today's businesses is at an all-time high.
Anton Bommersbach is Vice President of Midwest Operations for Andrews International. With a successful 23-year career in corporate security, his background includes extensive knowledge of physical security design and standards, supply chain security controls and crisis management planning. Among his previous positions, Bommersbach was the Global Director of Corporate Security at the Wm. Wrigley Jr. Company, and the Regional Security Manager for 3Com Corporation, managing security operations within North and South America.