The Business of Security is Business

June 20, 2023
The importance of metrics and benchmarking in corporate security can’t be overlooked

This is a discussion we could not have had in 2009. My journey in the security industry was an interesting one. After an entire career as a Senior Non-Commissioned Officer in the United States Army Engineer Corps, I chose a second career in security as a consultant. I brought a unique set of skills to my security profession, including a strong knowledge of engineering and project management coupled with formal education in business management, including a specialization in Total Quality Management. All of these shaped my thinking upon entering my new industry.

As far back as 2003, with limited technology and whispers of the word convergence, I asked myself why the industry conducts business the way it does. I noted a lot of siloed processes, massive paper-driven reports, and security departments reporting to legal, human resources, operations or facilities management. I knew then, as I know now, that security has a much more significant role to play than just protecting assets.

When I spoke to security department leaders back then and mentioned concepts like quality management or business process, people looked at me as if I were speaking a foreign language. What I realize now is that I was. When conversing with a security manager and mentioning business concepts, I often heard, “What do I need that for? I am security.”

The Tipping Point of Security Concepts

In 2009, the Organizational Resilience Management Standard was published. After certifying as a Lead Auditor for the Standard, I understood that I had found the linkage between the security department and business practice in organizational resilience. The whole point of the ORM Standard was to ensure resilience and the continued operation of the business in the face of extreme adversity. The Standard incorporated security management, risk management, business continuity, emergency management, and crisis management, all under a common umbrella framework. The first step of an ORM program was to conduct an all-hazards risk, threat, and vulnerability assessment.

The same holds today with Enterprise Security Risk Management (ESRM), where the first two steps in the ESRM life cycle are identifying and prioritizing assets and identifying and prioritizing risks.

In both cases, the entire security governance process commences with a quality risk, threat, and vulnerability assessment. Note the use of the word “quality.” The risk assessment must be conducted with rigor, precision, and documentation if it is to identify endemic problems. It cannot be reduced to a checklist. A qualitative and quantitative risk assessment forms the basis for all future decision-making. Quality decisions are made with quality data. In reality, an all-hazards risk, threat, and vulnerability assessment should be a systematic evaluation that is real-time, persistent, and accurate.

With the technologies available today, risk assessments are much easier to accomplish. Through ease of data input and advanced reporting structures, risk-management software can monitor critical and actionable indicators and reduce the probability and severity of incidents through objective data analysis. Data analysis of risk information gives Senior Security Executives the ability to understand gaps and vulnerabilities at each location in an enterprise and to better understand the opportunities that reside in risk.

What’s Next?

Now that we have identified and prioritized assets and risks, we have to demonstrate the impacts and consequences of the loss of the asset to the enterprise. At this point, we should be looking at the strategic risk to the enterprise and asking ourselves how the risks identified in the security department impact or contribute to strategic enterprise risk.

For publicly traded companies based in the United States, one place to start is the annually filed Securities and Exchange Commission (SEC) Form 10-K. The Form 10-K is an annual report that all public companies must file with the Securities and Exchange Commission. It gives investors a detailed picture of a company's financial situation and highlights future risks. In the Form 10-K filing, you will find an entire section on risk factors.

Here are some sample risks from a 10-K:

  • Disruptions to our supply chain.
  • Severe weather or other natural or human-made disasters affecting a large market or several closely located markets may temporarily but significantly affect our retail business in such markets.
  • Labor discord or disruption, geopolitical events, war, terrorism, political instability, acts of public violence, boycotts, increasing anti-American sentiment in certain markets, hostilities, social unrest, and other health pandemics that lead to avoidance of public places or restrictions on public gatherings.

This particular company had numerous risks listed. I selected the risks above because they aligned with the identified risks discovered by the security department. Aligning the risks discovered by the security department with strategic risks helps to demonstrate the importance and value of security’s role in eliminating or minimizing strategic enterprise risks.

When we begin a project with a new company, we are seeking maturity in alignment with strategic risk. With a new client, I start the conversation with three questions.

  • Where does the Security Function reside in your enterprise? Does the security function report to another entity, such as Operations, HR, or Legal, and is it valued with a voice at the corporate table?
  • How is the Security Function perceived in your enterprise? Is the security function perceived as a problem solver to which other divisions bring their problems?
  • How is the security program funded? Are you a line item in a budget, or do you charge back for the services you provide?

I ask these questions to assist in determining the maturity of the security program.

Quality Management Programs and Their Impacts on Corporate Security

During my early studies into quality management programs, I learned that “a quality management program is a set of actions and policies that a company or an organization implements to ensure and improve the quality and effectiveness of its products, services, and operations.” Like any other business function, quality management programs have their place in corporate security.

I have found that the teachings by American Industrialist W. Edwards Deming, who in the 1950s founded the concept of Total Quality Management, still have great value and application today. These continuous improvement processes have been incorporated into the International Standards Organization (ISO) publications.

The International Standard for Quality Management adopts several principles of quality management. Security professionals can use these principles to guide their organization’s processes toward improved performance. These principles have been adapted for application in the security industry.

Customer Focus -- The primary focus of any organization should be to meet and exceed the customers’ expectations and needs. When an organization can understand the customers’ current and future needs and cater to them, customer loyalty increases revenue. The security department can also identify and satisfy new customer opportunities. When business processes are more efficient, quality is higher, and more customers can be satisfied. For security, this translates to what services you provide for your organization, what is the value of these services to the organization, and how you ensure satisfaction with the services you provide. We will discuss metrics and measurements to determine this later.

Leadership -- Good leadership results in an organization’s success. Great leadership establishes unity and purpose among the workforce and stakeholders. Creating a thriving culture provides an internal environment that allows employees to fully realize their potential and get actively involved in achieving the security department’s objectives. Employees in the security department possess great insight regarding what is working and what is not. Senior Security Executives should involve all levels of employees to set clear organizational goals and objectives. This motivates employees, who may significantly improve their productivity and loyalty.

Engagement of People -- Staff involvement is another fundamental principle. Senior security executives and their leadership team should engage staff in creating and delivering value, whether full-time, part-time, outsourced, or in-house. An organization should encourage employees to constantly improve their skills and maintain consistency. The principle also involves empowering employees, involving them in decision-making, and recognizing their achievements. When people are valued, they work to their best potential because it boosts their confidence and motivation. When employees are involved, they feel empowered and accountable for their actions.

Process Approach -- According to the process approach principle, an organization’s performance depends on how well its processes are defined and managed. The principle emphasizes achieving efficiency and effectiveness in organizational processes, with the understanding that good processes result in improved consistency, quicker activities, reduced costs, waste removal, and continuous improvement.

Continuous Improvement -- Every organization should be actively involved in continuous improvement. Security departments that continually improve experience improved organizational flexibility, increased ability to embrace new opportunities, and superior performance when confronted with risk. The security department should be able to create new processes continually and adapt to new market situations.

Evidence-based Decision Making -- Businesses should adopt a factual approach to decision-making. Businesses that make decisions based on verified and analyzed data have an improved understanding of the marketplace. They can perform tasks that produce desired results and justify their past decisions. Factual decision-making is vital to help understand the cause-and-effect relationships between different things and explain possible unintended results and consequences.

Relationship Management -- Relationship management is about creating mutually beneficial relations with other aspects of the organization and suppliers. When an organization manages its relationship with interested parties well, it is more likely to achieve sustained business collaboration and success.

What are the Tough Questions?

As an organization begins the process of implementing a quality management program, security executives and staff must be able to answer several key questions about who your clients are and how security services impact them and the organization. (See Sidebar).

Once these questions have been debated, strategized and worked into a framework, the process of value and quantifiable metrics begins in earnest.

What does it cost? -- Does your organization track and understand the costs of providing your services? Often, we have found that the costs are not tracked, and therefore the services are undervalued by the rest of the organization.

What value do you bring? -- Through the provided services, we assist the enterprise in avoiding risk, including strategic risk. With old-school thinking, our budget would be cut if nothing happened. By embracing quality management principles and measuring what we manage, the security management function can identify the value of risk avoidance. The value of risk avoidance can be exponentially more significant than the money spent on the services provided.

How do we measure? -- I usually begin with comprehensive benchmarking processes. By conducting a 360-degree review, enterprise security can gain insights into multiple dimensions of productivity, including organizational size and structure, pay grades, spans and layers, contracts and technology.

Some recognized governance processes for benchmarking include efficiency, time and motion, and zero-based studies. An efficiency study measures effective operations by comparing service production as measured in energy, time, and money costs. A time and motion study reviews the steps, tools, and effort required to perform tasks. According to McKinsey and Company, “using zero-based principles to assess organizational spending and capabilities combines effectiveness (What do we expect people to accomplish for the organization?) and efficiency (How do we create a lean, agile, and responsive organization?). With this approach, companies can capture significant efficiencies while upgrading capabilities and increasing value across functions. Moreover, these principles can ensure that the highest-value roles within the organization are clearly identified and staffed with the most qualified workers.”

We can apply these studies to the various functions of the security department to identify and resolve inefficiencies. In many of our studies, we have identified inefficiency in several primary areas, including security forces (contracted or proprietary), operations centers, and physical security technology.

Let me provide you with a couple of examples. One of our clients had a $25,000,000-a-year expenditure for contracted guard forces. We employed the principles above and found we could replace 48 lobby guards with a technology-driven and centralized visitor management function. We also found significant savings by consolidating numerous fixed posts into a patrol service model. Upon completion, the company realized immediate savings of $4.5 million. The investment in the technology that enabled the change was recovered in the first quarter of implementation.

In another instance, we studied a client’s global security operations center. We found that the nine-year-old technology stack was creating significant expense in many areas, including system maintenance, patching and updates, and the use of human beings to perform duties that the in-place technology was incapable of doing. For example, one person on each shift was tasked with scouring the internet for any mention of the company. This function consumed 70% of that operator’s shift, leaving them unable to monitor the physical systems, which should have been their primary responsibility. In this case, the cost of 24/7 monitoring by reputable software was less than that of a human at approximately $230,000 a year.

Key Performance Indicators and Metrics

In the words of Peter Drucker, another U.S. industrialist, “You can’t manage what you don’t measure.” A KPI, or key performance indicator, is a quantifiable value used to measure progress against goals.

To be effective, a KPI should also be SMART:

  • Specific: It should be clearly defined and not too broad.
  • Measurable: It should be easily quantifiable.
  • Attainable: It should be realistic to obtain.
  • Realistic: It should be practical and pragmatic.
  • Timely: It should be measured regularly, for example, monthly or quarterly.

There are three principal types of KPIs: process, qualitative, and quantitative. Process KPIs are explicitly used to identify the performance of a process; typical process indicators are KPIs focused on customer support. Qualitative KPIs can measure customer satisfaction with a particular service the security department provides. Quantitative KPIs are measured as a number or percentage. For example, we can measure the performance of a contract guard force by counting how many missed shifts or late arrivals have occurred in a month.

KPIs are an excellent tool for measuring the performance and effectiveness of various operations in enterprise security. KPIs can be worked into contracts and service-level agreements as an effective means to track contractor performance and client satisfaction.
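The guard-force example above, worked through as an added illustration that is not part of the original article: a small scorecard that turns a post-scheduling export into monthly quantitative KPIs (missed shifts, late arrivals, fill rate) and checks each month against contract thresholds. The shift log, its column names, the five-minute grace period, and the SLA thresholds are all constructed assumptions, not figures from the article or from any real contract.

```python
"""Monthly guard-force KPIs and SLA check from a constructed shift log.

Added example, not from the article. Assumes a CSV export from a
post-scheduling system with the (constructed) columns below, and
hypothetical SLA thresholds of the kind written into a guard contract.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one row per scheduled shift. An empty
# actual_start with status "missed" means the post was never filled.
SHIFT_LOG = """\
post,scheduled_start,actual_start,status
Lobby-1,2023-05-01T07:00,2023-05-01T06:55,covered
Lobby-1,2023-05-02T07:00,2023-05-02T07:12,covered
Lobby-2,2023-05-02T07:00,,missed
Patrol-A,2023-05-03T19:00,2023-05-03T19:03,covered
Lobby-1,2023-05-04T07:00,2023-05-04T07:25,covered
Patrol-A,2023-06-01T19:00,2023-06-01T19:00,covered
Lobby-2,2023-06-02T07:00,,missed
Lobby-1,2023-06-03T07:00,2023-06-03T07:04,covered
"""

LATE_GRACE_MINUTES = 5          # hypothetical contract grace period
SLA = {                          # hypothetical contract thresholds
    "fill_rate_min": 0.98,       # at least 98% of scheduled shifts covered
    "late_rate_max": 0.05,       # no more than 5% of shifts late
}


def parse_log(text):
    """Parse the CSV export into records with datetime fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        scheduled = datetime.fromisoformat(row["scheduled_start"])
        actual = (datetime.fromisoformat(row["actual_start"])
                  if row["actual_start"] else None)
        rows.append({"post": row["post"], "scheduled": scheduled,
                     "actual": actual, "status": row["status"]})
    return rows


def monthly_kpis(rows, grace=LATE_GRACE_MINUTES):
    """Aggregate per calendar month: scheduled, missed, late, rates."""
    buckets = defaultdict(lambda: {"scheduled": 0, "covered": 0,
                                   "late": 0, "late_minutes": 0.0})
    for r in rows:
        b = buckets[r["scheduled"].strftime("%Y-%m")]
        b["scheduled"] += 1
        if r["status"] == "covered" and r["actual"] is not None:
            b["covered"] += 1
            delay = (r["actual"] - r["scheduled"]).total_seconds() / 60
            if delay > grace:            # early arrivals are not late
                b["late"] += 1
                b["late_minutes"] += delay
    kpis = {}
    for month, b in buckets.items():
        kpis[month] = {
            "scheduled": b["scheduled"],
            "missed": b["scheduled"] - b["covered"],
            "late": b["late"],
            "fill_rate": b["covered"] / b["scheduled"],
            "late_rate": b["late"] / b["scheduled"],
            "avg_late_minutes": (b["late_minutes"] / b["late"]
                                 if b["late"] else 0.0),
        }
    return kpis


def sla_breaches(kpi, sla=SLA):
    """Return the names of the KPIs that breach the contract thresholds."""
    breaches = []
    if kpi["fill_rate"] < sla["fill_rate_min"]:
        breaches.append("fill_rate")
    if kpi["late_rate"] > sla["late_rate_max"]:
        breaches.append("late_rate")
    return breaches


def scorecard(text=SHIFT_LOG):
    """Monthly KPIs plus the list of SLA breaches for each month."""
    kpis = monthly_kpis(parse_log(text))
    return {m: dict(k, breaches=sla_breaches(k)) for m, k in kpis.items()}


if __name__ == "__main__":
    for month, k in sorted(scorecard().items()):
        print(f"{month}: scheduled={k['scheduled']} missed={k['missed']} "
              f"late={k['late']} fill={k['fill_rate']:.0%} "
              f"breaches={k['breaches'] or 'none'}")
```

The same aggregation can be pointed at a real export by replacing the constructed `SHIFT_LOG` string with the file contents; the thresholds and grace period are the negotiable parts and should mirror whatever the contract actually states.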

Maturity Modeling -- Maturity models are an excellent tool for improving efficiency and performance; they can also identify opportunities for improvement or barriers to progress. We utilize maturity models for assessing GSOCs, Security Manager competency, and levels of compliance with Enterprise Security Risk Management principles. A five-tier scale is commonly used:

  • Ad-Hoc -- there is a strategy in place.
  • Repeatable -- governance for the indicator exists.
  • Defined -- there is an understanding and awareness of the key performance indicators in the security department and with key executives.
  • Managed -- the indicator is managed and measured, and continuous improvement is taking place.
  • Optimized and aligned -- there is an alignment of the security function with other enterprise disciplines.

Visioning -- The last tool we use is called visioning. Nothing is static. Change is constantly occurring. If you remain stagnant over time, your program will become inefficient and costly. Visioning is a great tool to imagine where you want to be, and it provides a roadmap and strategy for getting there. Visioning functions best when we have all the stakeholders at the table for a facilitated session. One of the visioning tools we prefer to use is MindManager.

What Does Data Provide?

Within the security department, many devices produce data. Almost every physical security system produces some data. Additionally, artificial intelligence, robotics, and machine learning are being incorporated into many new technologies. Capturing this information from the “data lake” and placing it into valuable data sets enables new measurement tools and a proactive approach to risk. But this is an extensive conversation for another day.

Finally, the Budget

When I started this article, I intended to provide you with methods, governance, and metrics to show the value the security department brings to the enterprise. With data-driven knowledge and a walk-and-talk approach, security leaders can confidently demonstrate their positive impact on the enterprise by preventing and mitigating strategic risk. The goal is to gain respect and a budget commensurate with your value to the organization. Imagine your budget if you did internal chargebacks for the services you provide! In many cases, the Information Technology and Human Resources departments are already doing it.

About the author: Mr. Jeffrey A. Slotnick, CPP, PSP, is an internationally known Enterprise Security Risk Consultant with over 28 years of experience. Jeff is peer-recognized as a “Thought Leader and Change Agent.” He focuses on all Enterprise Security Risk Management facets, including quality management programs, risk, vulnerability, and threat assessments, Emergency Response Planning, Business Continuity Planning, and Physical Security System Master Planning, Design, and Integration. As a curriculum developer and master trainer, Jeff advocates for quality professional development and training of security and military personnel. He is a member of the North American Board for ASIS International and a Faculty Advisor for the University of Phoenix Bachelor of Science in Cyber Security and Security Management Degree Program.

Chair, Board of Advisors, Robotic Assistance Devices

Community Vice President, ASIS International

Board of Directors, Jewish Federation of Greater Seattle

Founder, Safe Washington

United States Army Engineer Corps, CSM Retired

[email protected]