Communicating the value of security to the C-suite is a top priority when it comes to maintaining and increasing security budgets.
Many security professionals have tried to standardize effective methods to persuade senior management and, in some cases, justify the investment in security by providing organization-specific metrics to boards, supplementing data with regional crime rates, and using industry standards and benchmarking research to valuate security costs.
Monthly and quarterly reports continue to add support to security programs until a recession hits or a new chief financial officer (CFO) is hired and requests data and metrics to justify the security department’s budget. It’s a cycle that continues.
Thinking outside of the box and looking for opportunities to take corporate security beyond its traditional borders can help transform security programs from a cost center to cost neutral and beyond — yes, even a profit center. However, for this to occur, the chief security officer (CSO) will need a few items in their toolbox to make the successful move.
Leading with a business mindset
To take security from a cost center to a profit generator, CSOs should invest in expanding the scope of their department. Highly successful security organizations have orchestrated and successfully transitioned security from a cost center to cost neutral and beyond. During the Great Recession of 2008, security leaders realized that loss aversion, loss prevention, mitigated losses and the like were not enough to justify security’s budget, let alone defend any expansions. The security executive must have the talent on their team, vision of a great leader and ability to take strategic risks to make the shift into uncharted territory.
The CSO must first determine how their budget compares to the industry. Use a method that is generally accepted by the industry and that complies with the CFO’s standards. Additionally, use a reputable security survey of companies and industry data to determine how your current budget compares in the same industry. If the security budget percentage is the same as or lower than those of their peer companies, it is likely doing well in terms of value. However, if the budget is higher, look at why and what can be done to determine or explain the impact of the security program. A good CFO will ask for comparisons and ask for explanations about discrepancies. Too often, CSOs will spend more effort and time trying to justify their current budget rather than focusing on increasing security revenue.
So then, what can a CSO do to shift security from a cost center to cost neutral and beyond?
Security executives operating an effective program; following typical risk and security processes and standards; reporting out the typical metrics as mentioned previously; and operating in a company that is satisfied with the security function and its current cost structure can explore the tactics in the below case studies to move their departments from a cost center to profit generator.
Revisit security vendor contracts
Like an investigation, increasing the business value of security starts with a PLAN — Preparing, Learning, Analysis and Notifying. After several months on the job, one CSO at a telecommunications company leveraged the relationships developed to learn which departments had the potential for loss and discover where opportunities for revenue assurance and recovery existed.
The CSO started in his own department. Contract reviews of the integrator, security maintenance and guard vendors were evaluated. Common in all three vendors, the contracts had been renewed multiple times and the relationships existed for 18 years. In the analysis component of the PLAN, it was determined that Requests for Proposals be sent out to 3-5 vendors for each security vendor category, including the existing providers.
After comparing the proposals, the CSO found that in all three categories, the existing security vendors’ proposals averaged 64% higher than the other vendors. The $6,700,000 expenditures required by current vendors annually was $2,284,000 more than the market value for the same services. In this case, the CSO terminated all three current vendors’ contracts and selected the new providers. As part of the analysis, it was discovered that the previous CSO had developed personal relationships with the vendors and allowed the affiliations to cloud his good business judgment in contract renewals.
Investigate loss outside of security
With his own backyard addressed, the CSO started to look at other areas of opportunity. The first stop was the construction department, which investigated damages to its underground fiber lines that occurred regularly due to the high volume of the department’s work.
When a fiber line was cut due to excavation, the construction team conducted the investigations to determine fault. Ninety percent of the time, damage to the fiber lines was either the fault of the underground locating company, which marked the ground with spray paint to indicate where the buried line was, or the excavator, who may not have dug in the correct place or disregarded the paint markings.
Through the learning process, the security team found that the construction team was either not charging for the damages or was settling the cost of damages for pennies on the dollar. The annual damage to fiber and cable lines totaled over $6 million, while the collection rate was only 10% of that at best.
In this case, the CSO conducted a Strength, Weakness, Opportunity and Threat (SWOT) analysis and then lobbied to the CFO to take on this function. The investigation and collection function related to fiber and cable damages was added to the security department’s responsibility.
With strong investigators managing these cases, collections increased to 50% of all damages within six months and to 91% within 18 months. The translation equaled $5,460,000 in recoveries annually.
Detect fraudulent customer claims
Digging deeper, the CSO looked at another opportunity — damages to customers’ homes during technician visits, which led to $1 million in losses for the company each year.
It was discovered that a certain amount of fraud existed in some cases, while others were customer-inflated reports. The field service department was trying to connect with as many customers as possible and did not have the interest to manage or screen customer damage claims.
Having trained investigators who could also communicate effectively with customers, the security department started managing these claims. The security department was able to reduce the claim costs by $490,000 in the first year. The payout for these claims stays near $300,000 per year, saving the company $700,000 annually.
Investigate insurance claims
While visiting and learning the safety and risk insurance process at the company, the CSO was informed that all claims against the telecommunications organization were reported and managed by a third-party insurance company. It was also discovered that 100% of all claims were never investigated.
The security team determined that since worker’s compensation and company auto accidents involved employees, investigating those claims would neither need as much attention nor pay significant dividends. However, claims made against the company for slip and falls, damage to property, and other personal injury claims from outsiders were a better target, as they were more costly and often settled with little investigation by the third-party insurance company. Once again, the CSO conducted a SWOT analysis and then took on this responsibility.
The efforts of investigating these claims resulted in the denial of 30 claims per year, reduced payouts and negotiated settlements on many of the remaining claims, saving the company 70% of all chargeable accidents. In the first year, more than $1 million dollars was retained.
Mitigate the cost of property damage
In the facilities and maintenance arena, the security team learned by job shadowing and reviewing the company’s maintenance and repair expenses. It was discovered that, similar to other departments, the facilities team was not interested in pursuing recovery opportunities from contract maintenance workers who caused damage or stole property from the company. Additionally, accidents or intentional acts of vandalism or theft were never pursued for recovery of damages and were rarely reported.
A simple agreement between the facilities vice president and CSO led to the security team to take on this responsibility. The first year the CSO took on the function, a transformer was damaged by the electrical technician, resulting in a $75,000 loss. In another example, a vehicle drove through a company facility, causing $45,000 in damage. In both cases, all funds were collected via filing claims with the insurance companies of those who caused the damage. From that year forward, over $100,000 was recovered annually by the security team from damages and related incidents previously never pursued.
In all the above cases, the CSO used their business knowledge to leverage talent within their security department. Investigative power can be used to recover millions of dollars otherwise lost throughout an organization. By thinking outside of the box, security executives can transform their teams from yesterday’s cost centers of yesterday to tomorrow’s profit centers.
Editor’s Note: Security magazine will be bringing this important topic to readers in a two-part series. The second part of this series: Leveraging Security as a Business Enabler, will be published online and in our October digital edition.
For more articles on increasing the business value of security, click below: