This year over $200 billion dollars will be spent by U.S. businesses on physical and logical security products and services.

While the Security 500 is a unique and useful starting point, our goal is to a profession-wide measuring and benchmarking of the value of security operations, and overall within different industries and organizations.

Many organizations do not know what they spend on physical and logical security or what the get for their spending. As the cost of security has increased, boards of directors, CEOs, CFOs and others are asking that question, especially as spending reaches nearly one-quarter of a trillion dollars.

That does not include professional services or overhead, such as executive salaries or privately-hired or contracted security officers. It does not include the $40 billion that the Security 500's number one organization, the U.S.Department of Homeland Security and its top executive, Michael Chertoff, will spend in 2006. It excludes spending for schools, colleges, police and fire departments as well as facilities spending for non-security line items.

THE CHALLENGE OF METRICS

Measuring security spending at both the macro- and micro-economic levels is a challenge. Most organizations have not singled it out as a strategic area within their organizations or identified the cost as significant enough to be measured and managed. That changed after September 11th, 2001 when it became apparent that organizations could not function without security policies and programs in place. All that changed when security became highly visible and drove the cost of security to a new level.

Still, if you can’t measure it, you can’t manage it. The Security 500 measures the biggest and the best security programs in the U.S. and the executives who lead them. To do so, Security Magazine and its research support started with the basics and then added metrics for the purpose of ranking.

There are three ways to spend a security dollar.
  • Buy insurance.
  • Pocket the dollar and pay after an event or incident.
  • Buy security.


Before September 11th, Katrina, Columbine and increased identity theft, insurance and post-event settlements were the preferred risk mitigation strategies for most organizations, with a give-and-take relative to a hard or soft insurance market. Security spending was set at a compliance level. And C-level executives, as we know, define compliance as uncompensated overhead.

The negative outcome of events and incidents, from tragic loss of life to the economic impact, has elevated “buying” security as the most economical and preferred risk mitigation strategy. Next year, certain additional options may disappear when federal terrorism insurance coverage may go away. The effort for planning and preparation has led to significant budget allocations and spending increases.

As Dave Shepherd, former CSO of the Venetian Hotels, says, “The role has changed from managing cost to preserving life.” And for the Las Vegas Venetian that includes 85,000 people a day covering 7.5 million square feet, 24 hours a day, 7 days a week, 365 days a year. No organization of that size can function successfully without a security strategy. And the best security strategies are aligned with organizational goals, are measurable and add economic value.

The Security 500 reports on the organizations that spend the most money on security products and services as well as the organizations that get the most return on their security spending. And as best possible, Security Magazine and its researchers strove to identify the enterprise-level leader for the organization’s security programs and success.

ACCELERATORS OF SECURITY SPENDING

While most security policy and spending is in response to external factors, there are two key factors that impact security spending within an organization:

  • CEO and/or board of director level support
  • Ability to pay
Among the core spending factors is executive buy-in relative to the value security adds to the overall enterprise and the relative importance of the function. Among the first requirements for the Security 500 is whether a top security executive is deliberately in place, is part of the executive team and defined in the organizational structure.

In some industries, executive buy-in is a direct and economic measurement to prevent a work stoppage. The value proposition is based on business continuity and protecting revenue streams vs. risking a shut down. Casinos and exchanges are just two examples.

Not all CEOs and company directors believe security spending above a compliance level is necessary or valuable to the organization. And in some cases, overzealous risk mitigation is perceived as creating a liability.

For example, some retailers identify their security personnel as “asset protection officers” and no more. If you fall down, get beaten up or go into labor then you are on your own. The legal issues around tasks beyond the employee’s formal training are clear. In other cases, some retailers no longer attempt to physically confront and stop shoplifters as the risk outweighs the reward. One Security 500 retailer has been successful waiting for thieves to return their stolen merchandise for cash refunds and apprehending them at that time.

Second is an organization’s ability to pay. The adage, “if you can’t afford the solution, then it is not a solution,” rings true for the security profession. A significant debate and focus of security work is related to “rightsizing” the money invested in security and measuring the return on that spending. But what is the solution when the solution is not affordable? Consider defining executive buy-in as “will to pay” and lack of resources as “able to pay.

EXTERNAL DRIVERS

There are four external drivers for security spending that bring the security spending discussion past “if” to “how much” and in most organzations more than one of these drivers is in play:
  • Asset value
  • Reputation/brand
  • People
  • Regulation/compliance
Assets include both physical and logical assets such as facilities and intellectual property. The greater the assets and the greater the assets' value, the higher the insurance rates and risk mitigation requirements. The exposure of the asset to terror threats or nature contribute to the security strategy and investment for assets.

Protecting an organization’s reputation or brand includes mitigating risk to avoid a negative impact to reputation, preventing or addressing fraud, protecting revenue and retaining customer loyalty. While public perception is that of the $20 fake Rolex, more often, life is put at risk with counterfeit drugs, airplane parts or medical equipment.

People are both the number one asset security protects and the number one threat to security. Most CEOs say that their people are the business and without them, there is no business. At the same time, people are the problem. The security budget related to “people” receives the lion’s share of security dollars. Organizations that deal with the most people (citizens, employees, customers, students, commuters, patients, passengers, fans) spend the most dollars to make people secure and ensure security against those same people.

At a minimum, security spending meets a regulatory, insurance or compliance requirement. These requirements are often tied to a government body or a supply chain relationship (business continuity planning). Spending limited security to meet compliance requirements that may or may not improve security is a focal point of this area.

HOW THEY MEASURE

Each industry breaks down the four “buckets” (asset value, reputation/brand, people, regulation/compliance) into units within their industry to measure and manage an organization’s performance. For example, within the compliance category, different regulatory bodies impose minimum standards on those organizations within their authority. And security programs within specific industries mirror those rules and requirements.

As an example, government regulation in the energy industry has created a significant environmental health and safety (EH&S) function within energy companies. Typically the senior EH&S executive also has responsibility for security. Beyond the compliance rules, organizations rightfully focus on those measures within their industries.

An interesting example can be found within U.S. port security. Seaports and airports use different measures and employ different security strategies. Houston is the top seaport and measures volume in metric tons for liquid shipments such as oil. Los Angeles is the top seaport measuring volume in 20-foot container lengths. Memphis is the number one airport for metric tons of cargo while Atlanta is the top airport in passenger volume. Each measure identifies what they are securing and creates the need to find the most effective and efficient security program.

The two common denominators in the research are people and amount of revenue. Other measures include:
  • Data sensitivity and location
  • Transaction volume multiplied by value
  • Asset value and sameness (e.g. jewelry)
  • Square footage in real estate
  • Number of facilities managed
  • People volume
  • Value of an asset
  • Assets under management
  • Agricultural land and harvests
Each of the four security “buckets” is impacted or multiplied by a risk factor. Factors include geography, value, nature, target appeal, people, transaction levels and the industry served.

More risk is impied for 2,000 students from one New York City high school than for 2,000 rural high school students from 10 different schools. New York City has a higher risk multiplier than a rural school district with lower density rates. At the same time, New York City public schools have one of the top public school safety, security and intervention programs in the nation.

Energy companies and airports have a higher risk multiplier than public schools, for obvious reasons. Large, public areas such as cities, reservoirs and the top spending organization on this year’s list U.S. Homeland Security have the most risk to mitigate and the largest multipliers.

Natural disasters and terror threats include somewhat unpredictable events beyond the ability to mitigate risk. Hurricanes, tornadoes, fires, attacks, floods or hazardous material accidents to the potential pandemic threats are within this category where significant planning is done, but the likelihood of such an event taking place is unknown and the prospects for a successful execution of that plan are unproven.

At the other end of the risk spectrum is loss prevention. Loss prevention managers know shoplifters and thieves will show up at work tomorrow. And they know the ways to secure their goods and reduce both the risk of loss and respond to events. Yet, shoplifting will not create a systematic business outage and put the entire organization’s existence at risk. Retail loss prevention spending is significant in an effort to protect revenue and brand, but the “risk” to the enterprise is low.

MEASURING SPENDING

An interesting trend in security strategy maturity is the very use of the word: “security.” While some organizations have not put their toe in the security water and named or identified a clear leader, the more mature organizations have named a leader, typically a chief or vice president of security.

A new trend is emerging at the most advanced levels; some organizations have integrated security into their business. For example, security may be a component of the environmental health and safety function at an energy company or part of patient safety in a medical center.

As a result, Security 500 research identified situations where the security dollar is included within broader business initiatives:

  • Investment, including security as an application, but not the only purpose for expense.
  • Safety, including training and protection.
  • Product safety/tampering/quality control.
  • Intellectual property and competitive intelligence security across the organization.
  • Compliance (only focused organizations consider compliance spending as security spending. Industries with significant regulatory demands project high security spending, even when they are spending at a regulatory minimum.)
  • Facilities management, including security as a non-line-item. Fire and safety maintenance spending are commonly allocated this way for calculating tenant rents and fees.


the BIGGEST AND THE BEST

U.S. Department of Homeland Security has 180,000 employees and a $40 billion budget in 2006. Created in 2002 as a response to the September 11th attacks, its original charter focused on preventing terrorism within the U.S. However, the addition of other organizations such as FEMA under DHS and their response during Hurricane Katrina show that its scope and influence have expanded beyond terrorism.

There are many sub-organizations within DHS that will set execution strategies or allocate funds for security programs. But breaking those down departmentally would deflect from the sheer size and impact DHS will have in the way security is planned and implemented. Standards, funding, federal compliance and bureaucracy (petting zoo security aside) will be heavily impacted by this mammoth, centralized organization.

On February 15, 2005, Judge Michael Chertoff was sworn in as the second Secretary of the Department of Homeland Security. Chertoff formerly served as United States Circuit Judge for the Third Circuit Court of Appeals. He is the Security 500’s top security executive with the biggest budget in the United States.

Elsewhere in this special Security 500 reports, we overview leading organizations in vertical markets to provide some qualitative insights on those security executives who are leaders in their industries

SIDEBAR: Security 500 Methodology

Security Magazine and Quandt Analytics used available public and private resources and interviews to identify the most intense industries and organizations facing significant risk and requiring aggressive risk mitigation strategies. The results are based on survey data and research. The Security 500 Research project and report are based on survey data and are not the result of receiving confidential or private information.

The largest organizations within the most intense industries were identified and then based on a calculation including 1) what is being secured and 2) an intensity or risk factor. Assets, people, reputation and regulation are the four core elements being secured at any organization. The risk factor is evaluated on value, environment, compliance/regulatory issues, geographic size, appeal and other intrinsic measures, which elevate risk. Significant effort was made to accurately identify the executive leading security at the enterprise level for each organization.

This is a first ever ranking of top corporate, commercial, institutional and government security operations. Security Magazine regrets any omissions and unintentional errors and the editors encourage input concerning changes to this list as well as suggestions for annual updates. Email Security Magazine Editor Bill Zalud atzaludb@bnpmedia.com.

Links