A data-driven security program helps justify costs to management

Dec 1, 1998 12:00 PM, MICHAEL A. STUGRIN

At the American Society for Industrial Security Conference and Exhibition last September, more than 150 senior security practitioners packed a seminar session at the Dallas Convention Center to listen to a presentation by a specialist in strategic security planning. The topic of the session was "Building a Data-Driven Security Program," and the attendee feedback was uniformly enthusiastic.Clearly, the topic touched a concern that has preoccupied the security profession for years - how can security practitioners justify to executive management a considerable and usually growing annual security budget? A recent Pinkerton survey of Fortune 1000 corporate security directors confirmed that the security program and its managers are becoming more visible within those companies. More than 80 percent of respondents said they have more contact with their CEO than ever before and that they are increasingly expected to demonstrate a convincing return on investment (ROI). More than 60 percent said that quality measurements are gaining priority as well.Two important implications of the survey are:- First, and quite obvious, that using anecdotal evidence to justify spending on uniform security, electronics and other safeguards does not suffice. In any given year, the non-occurrence of major theft or workplace violence does not, of itself, prove that a security program is well-planned, well-managed and paying an acceptable return to the corporation. - Second, the realization that security is more than a must-have expense. The security profession is evolving rapidly as a mainstream, valued business function, which means formidable challenges - and opportunities - for security practitioners. Dennis Dalton, in his new book, The Art of Successful Security Management, writes: "Lacking empirical data or knowledge of security, executives are justified in asking what the cost-benefit ratio is of employing one security plan over another. Security of people and assets, while critically important, needs to be measured in the same way that any other requests for expenditures are measured. And to accomplish that ... it is critical to design an integrated security plan which includes data collection and measurement processes and tools that can track the security program's effectiveness."Such a conscious approach includes four ongoing phases:- Risk assessment: Using well-documented site security surveys and audits to establish a baseline of the threats and risks that a corporation faces. For U.S. sites, Pinkerton pairs a site survey with a CrimeCast report from CAP Index Inc. that assesses the risk of crime at a site based on historical incident data. Software-based survey tools for general facilities and electronic networks can provide baseline consistency in determining risk levels across multiple sites or networks. - Strategic planning and design: Adopting the disciplined planning process used by other corporate business functions requires the security director to think through and articulate, in writing, the threats, risks and potential costs of risks the corporation faces, and then to outline integrated safeguards intended to mitigate those risks. Then comes development of the security organization's annual business plan and budget.- Strategy implementation: Using recognized program-management processes - with firm budgets and timelines for each component - either the security director or, more frequently, an outsourcing partner implements and coordinates the required security services and systems. Quality metrics are agreed to by security management and security service providers and are tracked immediately. During implementation, you will see the emerging paybacks from individual initiatives, such as cost savings derived from rebalancing the mix of electronics and security officer services, performance and cost efficiencies derived from a new networked access system and the risk reduction benefits of workplace violence and crisis contingency plans.- Data collection, tracking and measurement: Key to an ROI-based justification of the security program is reliable and consistent incident collection and tracking. From electronic security guard-tour management systems to incident reporting and tracking systems, there are powerful electronic tools that collect and analyze data relating to the effectiveness of a security program. The incident data, as well as data generated by access control systems, and even, on the human resources side, applicant background screening data, can come together into a rich data repository that can help a company better understand and manage risk.This kind of structured, data-driven security management approach, practiced over time, provides at least two key benefits: First, it is a solid, demonstrably effective security program that protects people and property and reduces risk; second, it gives security directors and executive management a common and productive basis for communication and understanding.

Focusing on integrating security equipment and technology with the human element - private security officers - to maximize security system effectiveness, the column draws on the expertise of members of the National Association of Security Companies (NASCO). The column features different writers addressing aspects of the roles security officers play in today's systems. The author of this month's column, Michael A. Stugrin, CPP, is corporate vice president of strategic planning and marketing for Pinkerton. He has a Ph.D. in English from Pennsylvania State University. His background includes many years in the computer industry.

Want to use this article? Click here for options!
© 2012 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue