Discussions of security's potential to serve as a business center are often met with skepticism from both the security practitioner and the business itself. We all know security has historically been viewed as an overhead function: a necessary evil, a cost of doing business. Don't get me wrong; for many organizations this works just fine. However, it is not a given situation, nor for that matter is it necessarily a desirable end state.
Organizations generally justify security expenditure by citing risk mitigation and management, loss prevention and loss reduction. This limits the scope of security somewhat. My view is that security is a dynamic and challenging function within the organization that has a direct impact on the bottom line.
In this article we'll explore several models of security's function in the enterprise that contribute to the bottom line in different ways. Are there other models? Of course there are. Will your organization fit neatly into only one of these? Not necessarily. You may have elements of all of these models in your operation. The important thing is to review your own security department and ask yourself, "Is my operation where I want it to be?"
The Commodity Model
The Commodity Model represents the security operation that is seen purely as overhead. In this model the organization spends as little time, effort and money as possible to accomplish the task of security. The organization wants to provide the level of security that is expected within its business sector. To that end, the organization evaluates the security programs of other businesses in its sector to determine best practices, then gives the security practitioner a set of expectations and tasks based on those evaluations. The end result is that they frequently end up cloning someone else's approach.
Although little effort is necessary to design a security program under the Commodity Model (other businesses have already done most of the work), change in this environment is generally very slow. Management reacts to new ideas by asking if other, similar firms are already going that route, and if the answer is no, your new ideas have little chance of survival.
The bottom line in the Commodity Model is cost control. Security services purchased from vendors are treated as commodities, so vendors will engage in bidding wars to offer you the lowest price. I can't tell you how many cold calls I've received from guard services companies that guarantee they can save me 10 percent on the expenses associated with contract guards, without knowing who I contract with at present or what I am paying for that service. It doesn't take a great deal of effort to figure out that the savings these providers offer frequently come at the expense of training, salaries, benefits and equipment quality. Be on the alert for such lapses in this model.
The Business Partner Model
In the Business Partner Model the security role is less standardized. The focus is on the needs of the individual business, not of the business sector in general. The business and the security department work together to define the tasks that security will be asked to address by first discovering the business needs of the company, then assessing the security risks, and finally creating an appropriate program to meet the need.
In this model the security practitioner is a trusted advisor who provides solutions on a variety of issues. This is frequently the case in larger organizations that have a broader set of products and services and play in a broader market. Each facility may be unique in some way, which requires a different approach to properly address security. The security staff must be well versed in multiple disciplines and have access to many sources of information in order to design appropriate controls.
The Business Partner Model works well when there needs to be a close working relationship between security and other departments. For example, say the real estate department needs to remotely manage HVAC and power management systems for a field office. Creating a stand-alone system would be cost prohibitive, as would maintaining staff on site.