Cost versus Investment: How Does Management View the Security Function?
The term “Value” is one of those words like “suspicious” or “reasonable”; it means a little something different depending on who you ask to explain it. For security (a very important division for any company but one that typically does not generate revenue for its organization) it is an even more difficult term to define. One of the age old questions for security is how to prove your preventative value as related to criminal activity since the bad actors are not willing to tell us if they decide not to commit a crime because of our presence or the use of our tools (cameras, access controls, etc.). There are a few ways, however, that professional security practitioners can describe our contributions and attach some tangible and intangible ”value” to them, and this starts with a change of culture, such as using the term investment rather than cost when describing security related resources. A new CCTV or access control system should not be presented as a cost of doing business, but an investment towards a safer environment, and similarly many of the services that we provide today can be described better when presenting to company management.
A few basic principles for proving ones value is to define what you do for the organization (duties, operational plans), why you provide them (cost efficiency, safety), how much you do (metrics) and how well you provide them (key performance indicators). For example, often security personnel are assigned non-traditional duties such a minor maintenance functions after hours. If we apply the previous principles to answer why this type duty is important, then one might explain it by defining the duty itself (checking a boiler setting), why security is doing it (to prevent overtime costs of calling a maintenance person back after hours and to provide a safety check on critical equipment), how often you do it (hourly) and well this service is provided (no unexpected downtime or issues related to boiler events for the past 18 months). As you can see, describing almost any duty or responsibility in such terms is not that difficult to do, but it does require practice and discipline in order to appropriately document it routinely and in such a manner that the information can be beneficial when validating resources.
So let’s take this basic premise and use it to translate one of the easiest and most effective ways that a security program can increase its value to the facility and positively affect the overall culture of the organization, that of security related education of employees. First determine what types of security related training would be most beneficial to the staff of your particular organization. While there are many to choose from, a very common and topical issue currently is that of reducing workplace violence. Workplace violence can run a very broad spectrum from simple intimidation and verbal threats all the way to active shooter events, therefore it lends itself as a great topic for the creation of a significant number of separate and equally valuable educational opportunities that security can provide to the organization. You could start with one of the many facets of workplace violence (effective de-escalation and conflict resolution techniques for example) and then after sufficient research begin using the principles that were described earlier.
What will such training consist of?
- Why are you providing this training?
- How much training is needed?
- How valuable will this training be?
The last point is the real test of your ability to translate such a program into both tangible and intangible value as a necessary investment to your management.
Let’s begin with the intangible value, which is usually much more difficult to translate into dollars and cents. Some of the more common intangible and important benefits that an effective workplace violence training program can provide includes the strengthening of a security culture across the organization, a positive impact on staff and client satisfaction (perhaps an increase in positive customer service survey scores) and the meeting and exceeding of any regulatory requirements (the penalty for not doing so ranging from negative branding of the organization to fines). While each of these benefits is very important, they are difficult to assign as far as a clearly defined financial impact. This is where you as the security professional need to do some research.
If you calculated the cost of such a workplace violence prevention program, you may find that such a program could cost hundreds if not thousands of dollars when using a third party to provide such a program (this includes associated costs such as travel, lodging, per diems and any fees of the instructor). Alternately, if you were to invest the time in learning these concepts and becoming an instructor in a similarly themed program, the same financial impact to your organization would drop dramatically. Take this same approach to multiple programs and you can very quickly validate the investment of teaching such classes in-house as well as provide the many intangible benefits mentioned previously.
The same principles of cost avoidance can be applied to many of the physical countermeasures that security often replies upon as force multipliers (since we typically cannot afford to have security personnel in every area 24 / 7). Imagine the expenditure of installing multiple duress alarms in a facility (to include the devices themselves, wire pulls and other labor, the sealing of any penetrations to meet fire codes, etc.) as opposed to researching the implementation of a virtual cloud based application that could not only summon assistance from any enrolled portable device (no equipment purchases or labor costs) but could also be expanded to meet the growing needs of your staff and clients through simple programming updates and provide real time notification to the people that need to know when a adverse event occurs. Such a technology enhancement not only saves tangible dollars, it creates a proactive security culture in which every person is a key stakeholder by empowering them with the ability to share vital information easily and quickly.
Validating appropriate resources for security can be a difficult endeavor, even more so with an increased “more with less” approach for non-revenue generating departments. Since the preventative value of security is difficult to prove, each professional security practitioner must do his or her best to take existing data and translate it into a language that your C-Suite will understand. So is appropriate security an investment or a cost? It depends upon how one approaches the issue, but keep in mind that one cannot purchase insurance coverage after an adverse event has occurred, and it’s too late to add additional security measures after an event has taken place. Better to build a good security reputation than to try and repair one after it has been damaged.
Punch Alert can add value to your organizations security
“Bryan Warren is Director of Corporate Security for Carolinas HealthCare System, based in Charlotte, N.C. He holds a bachelor’s degree in Criminal Justice, an MBA with a focus on legal foundations of healthcare and has over 27 years of healthcare security experience. He is a former President of the IAHSS, a member of ASIS, and participates in a number of professional associations and national taskforces. Bryan has been named as one of the Top 20 Most Influential People in Security by Security Magazine and as one of the Top 30 Voices in Healthcare Security by Forbes”.