Who Really Pays?

Oct. 27, 2008
Dateline: Baltimore Washington Parkway
I'm driving from Washington, DC, to Baltimore to speak at a conference. As usual, I have an all-news station on the radio to not only get the latest local updates, but to monitor the never-ending traffic congestion areas. As I mindlessly crawl along another clogged section of the highway, I turn up the radio to hear a news host interviewing an elected official from a local county school board.

The interviewer asks about the county's plan to manage their recurring budget crunch. The school board member explains there should be no problem this year. The interviewer sounds incredulous and inquires why that would be the case with a projected shortfall in available funds. The school board member explains that the board has drawn up a plan to shift responsibility for certain food programs to a federal bureau, and student transportation costs to a regional governmental transportation agency.

I wonder if I've heard correctly. The school board can handle its budget for the coming year if it can shift some financial burden to other government entities? What an incredible admission! As the traffic report begins, I find myself wondering how much better my wife and I could handle our budget were we able to shift responsibility for some meals and our transportation needs to, say, our neighbors next door. It would certainly be easier to make ends meet, and I suspect they could afford it.

That same mindset appears to be at work on the national stage. Take the hot topic of healthcare costs, for example. It is no secret that American society is aging, and obtaining competent healthcare is very expensive. As a Baby Boomer myself, I am acutely conscious of the challenges my wife and I will face as we grudgingly enter what are euphemistically called the Golden Years. But every party impacted by this issue seems to be trying to solve it simply by shifting the financial burden to someone else.

Industries that years ago promised their workers free or reduced healthcare for life are now struggling under soaring costs as their work force ages and retires. These same industries seem to be contributing in record numbers to politicians who are promoting government-insured healthcare systems. Once enacted, such programs would immediately shift retirees' expectations from industry leaders to the government. So who really pays? Taxpayers.

Some workers and politicians instead advocate shifting healthcare costs onto employers. What these people seem to forget (or choose to ignore) is that companies do not pay taxes, they simply collect them. If laws demand a company pay for healthcare, companies would raise the prices of their goods and services to pay for these new obligations. Who really pays? Consumers.

This is a complex and difficult issue. I am not advocating any particular course of action. However, those who choose to ignore or minimize the economic impacts of their proposals are making grave mistakes and may even be accused of misrepresenting the value of their plans to mislead potential voters.

There is already a vibrant marketplace for people who wish to spread the risk of catastrophic financial loss among a large group of like-minded individuals. It's called insurance. The insurance industry is simply one of shared risk. Each individual pays into a common financial pool, and those who experience a loss are compensated from that pool. The company extracts a certain amount from the pool as operating expenses. Life insurance alone is nearly a trillion-dollar business in the United States at this writing.

From a personal level, most of us are keenly aware of what happens if we become a burden on our insurer. Let's take automobile insurance, for example. If we consistently report minor scrapes on our cars and expect the group to fix them, or we are accident-prone, we are charged accordingly and our rates will rise dramatically. We may have our coverage dropped completely.

When government becomes involved in mandating certain levels of insurance-provided care as in the case of healthcare, insurance companies and healthcare providers necessarily collude to ensure the long-term viability of their respective entities. As a related example, if the government requires automobile insurers to repair every minor ding and chip on everyone's car regardless of their ability to contribute to the insurance pool, we would all be taking our cars to high-priced repair centers for every conceivable blemish. We would not be mindful of the true costs because we will not be forced to be financially responsible for our actions. In such a situation, body repair shops and insurers would seek to extract their true cost of doing business from those most likely to reimburse them adequately, and their assessment for services would be inflated to help cover losses from less responsible drivers.

When it comes time to pay, people naturally want to assign this responsibility to someone else. However, we all pay. Governments do not create wealth. People do.

People create wealth through their ideas, hard work and investments. Companies are fictional economic entities, and as such are just the vehicles through which wealth is created. By assigning them human characteristics such as greed and the ability to pay taxes, we do ourselves a disservice. It is important to ensure we look beyond fanciful Utopianism and the very human desire for someone else to carry our personal financial responsibilities to understand how we all need to manage our health risks.

As security professionals, we need to be mindful of the organizational investments and expenses for which we are responsible. Usually we are not the pointed end of the spear, as we used to call it in the military—the group that is charged with mission accomplishment. Where I work, those are the sales professionals. Security is most often a cost center—a business expense to be managed.

Helping your organizational leadership manage this vital investment is a critical part of your job function. I am not going to advise you to simply shift costs to others as they tried to do with that school system, or to try to ascribe it to the larger corporate entity to endeavor to hide the true costs, as they do with healthcare. I am advocating, however, for a common-sense way to apply your costs to those areas or cost centers most likely to be receiving the benefits.

Assigning costs where your security safeguards are providing the most impact can make a lot of sense. Instead of simply absorbing them into your burgeoning and difficult-to-justify “security budget,” perhaps you should investigate ways of accounting for new and expanding requirements within the purview of operational costs. In other words, if you need to provide a guard force for a new facility, is that a hit to the security budget, or is it best accounted for by ascribing the costs to the facilities team responsible for the new building? Or maybe it is best to plug that increase into the operating expenses for the organization or group that will populate that new space.

As an expert, you will need to help develop a plan to accurately track and manage all security expenses. However, you should be wary about decision makers who try to lump them all into a common security budget. As requirements, and ultimately, expenses grow, it becomes very difficult to always defend a negative. That is, your job becomes purely reactive, because you are always requesting more fiscal resources to prevent bad things from happening.

Look to make your job more proactive when managing costs. You must look for alternatives to target security spending to those cost centers that receive the most benefit from your deployment and management of vital safeguards. Shifting the responsibility for paying is not always a good idea. Straightforward visibility and direct responsibility are always the best way to manage limited corporate finances. Always ask yourself, who really pays? You may be surprised at the answer.

John McCumber is a security and risk professional. He is the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology from Auerbach Publications. Mr. McCumber can be reached at [email protected].
