The 2009 Security 500: Building Security’s Future
For many CSOs, this has been a very difficult and trying year. Perhaps the greatest indication that the security leader is truly a “C-level” executive is the number fired, dismissed or pushed to early retirement in a “C-like” fashion. As a byproduct, many new security think tanks and consulting practices have emerged. While less terminal, security organizations and leaders that lacked credibility and/or were unable to successfully communicate up/down and across their organizations about their contribution to organizational goals faced death by a thousand budget cuts.
Yet other security leaders had their best year ever, increasing their responsibility, adding innovative programs and being recognized as an even greater value driver across their enterprises. Some security leaders used the economic crisis and the added challenges thrown their way as an opportunity to demonstrate their bottom-line value and executive leadership skills.
While some programs grew and others faltered, the security profession became more professional, more enterprise-centric, more IP driven and more about leadership and strategic business management than tactical security measures. Those that “get it” and demonstrated quantitative and/or qualitative results were heavily rewarded by their organizations.
1. Risk is Up, Budgets Are Down…Now What?
- Greater regulatory compliance programs
- Higher crime rates in a down economy
- Reduced public security support (police/fire budget cutbacks)
- More global expansion to find growth
Enterprise security leaders have used budget reductions to reevaluate national account contracts with installing and service companies. In some instances, contracts were put up for rebid, reducing costs as much as 30 percent. Patience was also very short among CSOs who replaced their status quo security technology procurement to ensure that successful and economically justifiable solutions were implemented.
2. Workplace Murders, Suicides and Violence are Soaring
Suicides at the workplace soared 28 percent from 196 in 2007 to 251 in 2008. Murders at the workplace have averaged 500 per year since 2003, but are expected to be higher in 2009. Workplace murder is the leading killer of working females (35 percent of their fatal work injuries) and the second leading killer of males. And 95 percent of those committing suicide at work are males.
Non-fatal workplace violence continues to increase. But unlike the old weather adage, “everyone talks about it but no one does anything about it,” workplace violence is the opposite. No one is willing to publicly talk about it, but most organizations are moving quickly and aggressively to do something about it.
It is not safe outside, either. Companies with field employees such as utilities or construction workers are facing greater incidents of theft and/or violence toward their employees (one of the most innovative solutions comes from DTE Energy).
Online training, helpline resources, escort services and security responses to any threat for investigation and mitigation are enabling organizations to reduce events. Greater use of identity management and access control systems, combined with surveillance and educating employees on where and how to get immediate help if they feel threatened or uncomfortable, are being implemented. False alarms are welcome.
3. Nice Plan. Will it Work?
In the age of pandemic threats and realities, planning is just not good enough. Last year, business resilience, disaster recovery and emergency management were restructured into the security department in many organizations. Now that these plans are set and ready to go, the question is: Will the plan work?
For example, planning for hospital patients to be evacuated in a certain way is a key task. But the devil is in the details. How much staff is needed? How much time will it take? And what if the first exit is blocked? Where is the alternative exit?
The leading organizations are not using “please not here” as a strategy and know that “hope” is not a plan. Drills, tests and measurements are being utilized to ensure that everyone knows their role and that emergency plans will be truly effective. Or they will be redrawn. We have seen some good examples, including the Big ShakeOut and The Joint Council’s focus on proving that healthcare evacuation and continuity plans will succeed.
4. Hackers, Terrorists and Spies
It is smart to be paranoid. In recent months hackers attacked two credit card processing companies, including Heartland Payment Systems and RBS WorldPay. Overall, thieves escaped with unencrypted data for more than 250,000 business locations and more than 1,500,000 customers. Heartland has stated that they do not know how long hackers were stealing data or how much data was stolen.
Intellectual property theft also takes place in the form of fraud and counterfeiting.
Nothing is more vital for an organization than protecting its brand and reputation. And it is a life and death matter. Fake Viagra (which topped 5 million pills per year before Pfizer employed RFID tags to verify its product) is now being outmarketed by fake Tamiflu as a result of the H1N1 virus.
This is a business, not a security problem, by any measure. Data breaches are now everyone’s problem. And security leaders are working at the board level to address this business-critical risk.
5. 1-2-3 Converge!
Leading organizations are marketing security’s existence in numerous ways. Using the news media to show how energy theft is dangerous and that energy thieves are caught and prosecuted has been an innovative and effective program for DTE Energy. Working with marketing communications, security is creating security awareness so technology and resources are proactively utilized. Universities are incorporating security presentations into orientation programs with a “please touch” theme.
The goal is to change behavior among individuals so they think and stay aware of their circumstances by actively participating in the security process. Convergence is about getting the right information to the right person to make the right decision that prevents an event from happening or stops an event from becoming a catastrophe. That means converging security strategy, technology, officers/first responders and stakeholders.
6. Regulatory Compliance = Uncompensated Overhead
This began in the chemical and petrochemical sectors in 2007 with CFATS legislation, including fines of $25,000 for violating security regulations. The legislate/inspect/fine approach continues to spread to other sectors. For example, a Missouri poultry processing plant was fined $450,000 for hiring 137 illegal alien workers. At issue is the value of this approach versus being on the same team to identify and mitigate those risks most likely to threaten national security – especially at a time when the DHS Director, in a recent New York Times interview, says she doesn’t understand the threat level system.
On the positive side, the development of rules and regulations provides a base to work from and allows supply chains to remain fluid. Among the greatest benefits cited during the development of DHS regulations is the interaction among players within each sector to network and “know whom they will be working with before a crisis happens.”
Compliance places a heavy burden on security programs to prove bottom-line value, too. It is easy for a CEO or Board to decide to be compliant at the lowest cost possible rather than to be secure. Smart CSOs are aware of and compliant with regulations, but don’t base their economic value to the organization on regulatory compliance.
7. Enterprise Value Wins; Security Solutions… Not as Much
Yet, these were discovered after the security project was completed. With tight dollars and increased budget scrutiny, winning security proposals identify value beyond the security function. Retail surveillance that gives shoplifters second thoughts is valuable. But that same monitor turned into an advertising vehicle with messaging about specials or an analytics tool identifying a potential buyer unable to find what they want and saving a sale adds immediacy to the solution’s purchase approval.
As a result, enterprise solutions are winning in a tight economy. This is an area where security, IT, facilities and other operational departments can benefit from the ability to share security information with non-security departments such as marketing, or from integrating with HVAC or lighting to drive the business case. Similar to IT strategies 20 years ago, the possibility of a proprietary system leading to a dysfunctional end is real. The ability to work with IT and facilities leaders on a multi-year strategy continues the trend toward enterprise-wide, open IP systems that provide cost-effective or value-creating business applications.
8. What Will They Outsource Next?
Economically, public police authorities cannot afford a “one size fits all” officer corps where highly trained and compensated officers are assigned tasks below their skill level. And the guard service firms, like Allied Barton, have done a good job of helping customers measure the business case that they can fill a need for public police forces by providing appropriately trained and compensated officers for a specific job and pay grade.
The police force gains on both sides. They are not overcompensating a highly trained officer to perform tasks well below their skill set. And they avoid the risk of job dissatisfaction if an officer has expertise and receives less than compelling assignments.
Stratifying the officer corps has been utilized within private security forces for some time through job enhancement and enrichment programs. It is common in healthcare, for example, where nurse’s aides perform tasks not requiring a nursing degree at a lower pay scale. This trend will continue to be tested and should be expected to grow even as the economy recovers.