TAKE A LESSON FROM CISCO

May 1, 2005 12:00 PM, BY MICHAEL FICKES

While a lot of people talk about creating returns on investment or ROI with security technology, it really isn't security technology that produces ROI. It's the business strategy behind the technology.

Every day, executives directing core company businesses roll out business strategies that aim to boost their companies' profits. Sometimes those strategies use technological tools. Sometimes they use other tools. Either way, these executives have sold their programs to management by running numbers that demonstrate how their strategies will, over time, produce ROI. Security directors should do the same.

Ten years ago, Bill Jacobs, senior manager of security, technology and systems for San Jose-based Cisco Systems Inc., developed a security strategy that shadowed his company's business strategy and ended up producing an enormous return on investment.

When Cisco was a kid

In 1996, Jacobs was pondering forecasts that projected enormous growth for the 10-year-old Cisco. Between 1985 and 1996, the company had grown from two employees working in a small San Jose office to 8,259 employees working in multiple offices around the world. Looking forward, Cisco officials believed the company could quadruple in size within 10 years.

With those growth projections in mind, Jacobs decided to build an enterprise security strategy. His goal was a company-wide system that could be managed consistently by a few highly skilled administrators from no more than a handful of locations, no matter how large the company grew.

At the time, enterprise security was a departure from conventional wisdom. In the 1990s, the most common security models placed a security manager in each facility. Larger facilities would get a dedicated manager. At smaller facilities, security managers might have other responsibilities as well. One might double as the safety director. Another might combine security responsibilities with facility management. Still, someone would manage and administer security at each site.

Jacobs saw problems with the conventional model when applied to a company growing as rapidly as Cisco. He worried that numerous site security organizations would be difficult to coordinate consistently from site to site. Individual facilities would deploy unique access control and closed circuit television (CCTV) technology. Managers would outsource monitoring responsibilities to local vendors and bring in local contract security officers to work the lobby and patrol the facility, and security policies and implementations would vary from site to site.

“Without consistency, you do it one way here and another way there, and you can never be sure of quality,” Jacobs says.

Jacobs identified other serious problems. Individual facility security operations would have difficulty taking advantage of Cisco's ability to negotiate volume-purchasing agreements. The overhead costs for equipment, maintenance and upgrades would be higher than they had to be. Likewise, placing administrative security personnel at every facility would produce high labor costs and drain resources from Cisco's core enterprise.

Still, no one had ever built an enterprise-wide physical security system as large as the one Jacobs envisioned.

“So we engineered a solution,” Jacobs says. “Our goal was to monitor and manage cardholder records, access levels, alarms, and response from central locations. We worked closely with manufacturers to accomplish this.”

The strategy paid off. Today, Cisco has around 45,000 employees working at 300 sites around the world. The sites use a total of 6,600 card readers and 2,800 cameras.

“We think we built the first and largest enterprise-based physical security system,” Jacobs says. “I think it is still up there.”

Thanks to Jacobs' strategic focus, just four security operations centers administer and monitor all of Cisco's access control and CCTV systems. Instead of 300 security administrators for each of 300 locations, Jacobs' administrative staff totals three people.

“Because our strategy was right from the beginning, the four of us manage the entire enterprise security solution for Cisco,” he says. “While our system holds down management overhead, it is not about reducing headcounts; it is about not hiring headcounts in the first place. More importantly, it is about providing better services. With one operations center in each of our four major business theaters, we can provide a more consistent approach to policies, procedures, and administrative functionality. That's ROI.”

A strategy that keeps ROI coming

Cisco's enterprise strategy provides other opportunities to generate ROI and improve security quality. For example, Jacobs has tied the company's access control systems into central database servers used by the Human Relations Department. When employees are hired at certain levels in particular theaters, the connection automatically generates access level provisions for each.

“That helps hold down headcounts in database administration,” Jacobs says.

Cisco's enterprise system is not inflexible, either. It allows Jacobs to add capabilities that also add ROI. For example, a significant portion of the company's 6,000 card readers control access to research and development labs that constantly update permissions related to personnel engaged in research projects.

Up until a few years ago, a researcher that needed to alter his or her access permissions e-mailed the lab manager, who e-mailed a security manager at a central station. The security manager would set up the new permissions within 24 hours. It was cumbersome and slow. Jacobs developed a program to improve the service while generating an ROI.

“We built a Web interface into the access control system to enable lab managers to program users on their own,” Jacobs says. “Ultimately, the lab manager owns the space, not security. All we do is administer, monitor and respond. This tool produced a tremendous savings in management time.”

Another example: Jacobs has converted Cisco's analog video systems to send video across IP networks. Now security can call up any of Cisco's 2,600 cameras in any of 300 sites with three mouse clicks. It's easier for security. But it also has produced a return on investment since security can assess and validate alarms before dispatching a patrol service.

Jacobs gets the money to execute new security initiatives because they fit into his overall enterprise strategy and because he includes an ROI number with every proposal.

“When I go to the CFO and ask for money to put in technology, I have to have an ROI answer,” he says. “Generally, our presentation says this technology fits the company's strategy in this way, and it will produce an ROI in 12 to 24 months.”

SHARE YOUR STORY…

This page offers an opportunity for readers to share management lessons they have learned and to provide other helpful information to their peers in the industry. To offer suggestions, or to contribute to this page, contact Larry Anderson at (770) 618-0118 or e-mail landerson@primediabusiness.com

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue