Security as a Business Center

Oct. 27, 2008

Discussions of security's potential to serve as a business center are often met with skepticism from both the security practitioner and the business itself. We all know security has historically been viewed as an overhead function: a necessary evil, a cost of doing business. Don't get me wrong; for many organizations this works just fine. However, it is not a given situation, nor for that matter is it necessarily a desirable end state.

Organizations generally justify security expenditure by citing risk mitigation and management, loss prevention and loss reduction. This limits the scope of security somewhat. My view is that security is a dynamic and challenging function within the organization that has a direct impact on the bottom line.

In this article we'll explore several models of security's function in the enterprise that contribute to the bottom line in different ways. Are there other models? Of course there are. Will your organization fit neatly into only one of these? Not necessarily. You may have elements of all of these models in your operation. The important thing is to review your own security department and ask yourself, "Is my operation where I want it to be?"

The Commodity Model
The Commodity Model represents the security operation that is seen purely as overhead. In this model the organization spends as little time, effort and money as possible to accomplish the task of security. The organization wants to provide the level of security that is expected within its business sector. To that end, the organization evaluates the security programs of other businesses in its sector to determine best practices, then gives the security practitioner a set of expectations and tasks based on those evaluations. The end result is that they frequently end up cloning someone else's approach.

Although little effort is necessary to design a security program under the Commodity Model (other businesses have already done most of the work), change in this environment is generally very slow. Management reacts to new ideas by asking if other, similar firms are already going that route, and if the answer is no, your new ideas have little chance of survival.

The bottom line in the Commodity Model is cost control. Security services purchased from vendors are treated as commodities, so vendors will engage in bidding wars to offer you the lowest price. I can't tell you how many cold calls I've received from guard services companies that guarantee they can save me 10 percent on the expenses associated with contract guards, without knowing who I contract with at present or what I am paying for that service. It doesn't take a great deal of effort to figure out that the savings these providers offer frequently come at the expense of training, salaries, benefits and equipment quality. Be on the alert for such lapses in this model.

The Business Partner Model
In the Business Partner Model the security role is less standardized. The focus is on the needs of the individual business, not of the business sector in general. The business and the security department work together to define the tasks that security will be asked to address by first discovering the business needs of the company, then assessing the security risks, and finally creating an appropriate program to meet the need.

In this model the security practitioner is a trusted advisor who provides solutions on a variety of issues. This is frequently the case in larger organizations with a broader set of products and services that play in a broader market. Each facility may be unique in some way, which requires a different approach to properly address security. The security staff must be well versed in multiple disciplines and have access to many sources of information in order to design appropriate controls.

The Business Partner Model works well when there needs to be a close working relationship between security and other departments. For example, say the real estate department needs to remotely manage HVAC and power management systems for a field office. Creating a stand-alone system would be cost prohibitive, as would maintaining staff on site.

The security director can assist the real estate manager by tying existing monitoring and surveillance systems together with the building management systems to provide a conduit to the building engineers for remote management. The end result does not increase the security coverage or reduce the security department expenses. However, it does reduce the cost of managing and servicing the building remotely. By helping others win, you win. The bottom line in this model is helping other units in the company meet their needs.

The Quality Model
Many corporations today focus on quality. They enlist the aid of quality-focused consultants and service companies such as ISO and J.D. Power and Associates to help them benchmark their effectiveness and customer satisfaction based on the quality of the products and services they provide. This carries through to the security operation as well. When the focus becomes doing the job right, especially on the first try, the approach taken to provide security needs to reflect quality.

There are several ways in which a security operation can adopt this approach. One of them is to only use products and services that are provided by companies that have achieved a high quality standing. If you purchase high-quality equipment you have an excellent starting point. To keep it high-quality, you must routinely test, adjust and re-certify all your systems.

Compare the nature of a commodity guard service, where cost has been trimmed, to a guard service that specifically markets quality. In the commodity service you would likely see minimum levels of training, often given only upon hiring and indoctrination of the officers. Sometimes this training comprises only six to eight hours of actual coursework.

In the Quality Model, not only are the officers given substantially more training upon hire, they usually will have regular training updates and continuing education that are not only site specific, but also industry specific. The result is a guard service that is much more versatile and competent to deal with a variety of challenges. Of course this also means that the officers will cost more. If quality is what you want, then you need to have the funding to support that quality.

The Business Enabler Model
If your business is attempting to expand by broadening its range of products and services, you may find yourself in the Business Enabler Model. Often new territory comes with additional security challenges and risks. If the organization becomes limited in its ability to explore these new markets due to security concerns, then security has the opportunity to become a strategic enabler of business functions.

I'll use an example of an information security situation to illustrate this point. Your company desires to have a more mobile workforce, particularly in sales and services. Management wants to use remote system access for e-mail and other system services over the Internet to avoid expensive leased lines and private networks. However, many companies have shied away from using the mobile workforce concept because of the serious dangers involved in using the Internet as a means of remote connectivity.

Here is an opportunity for the forward-thinking security staff, working in close cooperation with the IT department, to create a remote access security architecture that provides secure and safe connectivity. Establishing that secure environment takes financial support and project assistance. When security can anticipate the benefits of creating such an architecture and work proactively, the security department clearly becomes a business enabler.

This kind of model requires close working relationships with other departments. It also requires creative thinking and strong communication skills. The security director needs to research solutions from a larger range of sources across multiple industries to design the proper solutions. The bottom line in this model is to help other units explore new avenues for success that they did not even know they had available to them, all of which contributes to the overall success of the company.

The Visionary Model
Now let's break all the rules. In the previous models the work was always done using established and tested methods for providing security. In the Visionary Model we are focusing on creating something unique.

We all face challenges and have to come up with solutions to meet them. Sometimes there is no known way to deal with a problem. This is where the synthesis of new ideas and concepts comes about. Instead of throwing up your hands, you focus on finding a new and creative way to do the job. This kind of security director refuses to accept the answer that it can't be done.

For example, a security director is faced with a merger of companies and is tasked with consolidating security controls and reducing cost. The business suddenly comprises multiple new sites, each of which already has CCTV and alarm systems from different proprietary vendors. Some of these sites have patrolling security officers, some don't. An analysis of the situation indicates that the systems cannot be integrated natively and that a significant increase in staffing will be necessary to meet the corporate standard.

The first option is to rip out the legacy systems and replace them with the corporate standard equipment, hire a bunch of new security officers, and establish command centers for each office. This obviously equates to a lot of cost and upheaval. The security director in this case does not accept the situation and concocts another way to solve the problem.

He finds a new software solution that takes the inputs of multiple systems for CCTV and alarms and integrates them in the background. The solution uses the corporate network backbone to communicate, eliminating the need for additional wiring. The security director works with IT to establish the necessary connectivity over the backbone. By working with the software vendor in a cooperative dialog, he helps to shape the new product to meet requirements for his company. The installed security systems are not directly modified; instead the means of connecting and managing them is modified and centralized to the home office, eliminating the need for local command centers. The CCTV systems are evaluated and modified to enhance their coverage and utility, reducing the need for more security officers. The result is a minimal overall increase in spending, with a substantial increase in security coverage and services. It's a classic example of making security systems work smarter and run more cost-effectively, while still being more secure. The bottom line here is to not take no for an answer; find a way and make it happen to the benefit of the company.

Mix and Match as Needed
No security operation will easily fit within just one of these models. Each of us has a variety of challenges that require us to use several of these models to accomplish the goal. If you reflect on your operation and find that you use one of these models predominantly, ask yourself if you're using the right model.

You may need to use all of them at different times to fit different needs. Don't allow yourself to be trapped within a single approach. There will be times when the commodity approach is simply the best answer because the solution is well defined and does not require anything other than standard treatment. There will be other times when you need to employ groundbreaking methods. The bottom line is to be flexible and aware of the best approach to dealing with each challenge you face.

Make your decisions based upon the situation at hand. Be aware of the business realities of budget and risk for your company. Know the goals and objectives of other departments. Become familiar with the financial state of the company so you know what areas may need your help. Most important, know how your own operation is contributing to or hindering the financial health of the company. By adjusting your approach to fit the needs of the business, you can truly become a business center for the organization.

Eduard Telders is chief security officer for PEMCO Financial Services. His responsibilities include physical security, information security, corporate contingency planning and safety programs. Mr. Telders has been providing security management for information and physical security in the banking, insurance and financial industries since 1981, from Fortune-500 to medium-sized companies. He is active in a number of security trade groups and associations such as ASIS and ISACA and has been a frequent contributor of security articles and speaking engagements for journals, conferences and seminars.