Creative Ways to Show Security’s Proposition and Profitability:
A Business Case Study
Elliot A. Boxerbaum, CPP, CSC, Founder & CEO Security Risk Management Consultants, Inc.
Bonnie Michelman, CPP, Director of Police, Security, & Outside Services, Massachusetts General Hospital
ASIS International Past President
Security awareness and incidents increasing
Technological demands and changes
Increased responsibilities and span of control
Budget reductions/bankruptcies/mergers/layoffs
Speed and accuracy/technology explosion
Managers are expected to lead, not just manage
Intellectual property challenges
Anxiety about the future and the economy
Substance abuse
Family structure
Less corporate paternalism
An aging population
Deinstitutionalization
Fear of crime and terrorism
Dollars are becoming tighter
Corporations and institutions are reshaping themselves through mergers, acquisitions, and partnerships
The economy is creating significant challenges for security programs
Programs viewed as simply providing protection against potential loss are suffering more than those seen as adding value to business processes
Security efforts in many organizations are more visible
Corporate compliance requirements continue to escalate
Physical and IT security professionals are dealing with the opportunities (and challenges) of technology and process convergence
Many organizations are moving toward unified security programming
“Security Directors” are becoming (sometimes reluctantly) “Security Executives”
Security Executives are gaining more “C” suite access
“C”hief Security Officers (CSO) are expected to focus more on the “C” in their title than the “Security Officer” aspect
As a result . . .
The skill sets of the “C” suite have become essential to the growth – the very survival – of today’s security programs and security executives
Security executives – regardless of their title – are expected to understand essential financial and business concepts and speak the same language as their “C” suite peers
Do you understand the concepts of ...
Net Present Value (NPV)
Internal Rate of Return (IRR)
Return on Investment (ROI)
Total Cost of Ownership (TCO)
Today we are going to discuss the environment and identify strategies you can use to be successful and hopefully thrive in these difficult times
Concepts
Challenges
Case Studies
Opportunities
DON’T allow subgroups to control the group dynamics
Recessionary Impacts
Increase in violent crime, white collar crime, and workplace violence
Litigation/Best Practices
Media Interests
Societal Trends
Sophistication of Crime Types
Risk management
Asset protection
Service orientation
Regulatory pressures
Investigative sophistication
Return on investment/profitability impact
Consumer/customer demands/public relations
Quantification of value
Deterrence and prevention
Hire and Support a Strong Team
Encourage Benchmarking and Use Metrics
Create the Right “Culture”
Gather Intelligence
Zero Ignorance: Understanding Industry/Function Criticality
Identify and Address Liability Issues
Understand/Advocate for the current industry growth and professionalism
Decrease losses
Increase profits
Raise morale
Decrease turnover
Optimize recovery/resumption
Protect executives
Decrease liability
Protect and improve reputation
Self Industry - Activism in passing regulations is increasing
Litigation - Successful actions by plaintiffs against companies for negligent or inadequate security are rising (about 33%/yr)
Insurance - Insurance companies may force substantial management and operational changes on companies with inefficient security programs
Customer/contractual requirements
Legal, regulatory & compliance issues
Reduced loss/faster recovery?
Timely knowledge & action to mitigate risk = prevention?
Hazards proactively identified & mitigated?
Reduced security cost as a % of revenues?
Balance technology, procedures, staff, facilities & information, policies – Holistic Security Program Modeling (HSPM)
Cost effective, quality security designs
Program responsiveness /data
The security function adds value when it provides cost beneficial safeguards that can facilitate business or mission strategies that would otherwise not be prudent or possible
The security function adds value when it seamlessly integrates safeguards into day-to-day mission & operations
THE QUESTION -- “If we did nothing in terms of asset protection, what would the impact be to the enterprise?”
Value and cost are synonymous in the absence of defensible information to the contrary
DELIVERERS OF SECURITY -- Related goods and services must be able to demonstrate the cost/benefit of those goods & services if they are to retain control of their “market share”
We have to be better analysts & marketers of our value-added benefit to the organization
Zero-Based Security Programming
Healthcare campus with aging access control system, high maintenance costs, and failures resulting in documented lost time, end user complaints, and disruption of patient care
Facility identifies costs associated with the existing system over a 12 month period
Historical data including operating costs and numerous other factors is rolled into maintenance/upgrade/replace scenarios
Budgetary estimates are obtained for several remediation strategies
A business case is developed for system replacement
A Business Case Study
Consider least expensive and least disruptive controls: 80/20, 90/50, 95/70, 99/100
Procedures must be integrated with physical systems for synergistic and cost effective results
Security is not a hard science
Security must be organizationally and environmentally specific
Compromise is critical – Consider alternative approaches to achieve acceptable results
Salespeople
Management
Employees
Community
Know management’s level of commitment
Know company’s objectives
Advance selling
Public relations
Allocate 4 operating cost profit center vs. cost center approach
Return on investment studies (maximization of security investment)
Establish norms/show deviation
Empirical data is critical
Benchmarking – learn from the “BEST”
Overreaction
Blame
Change stereotypes
Educate others
Breadth, depth, complexity, and expertise
Don’t ignore increasing stereotypes and hate
Expand efforts, expertise, and energy
Remember… people are now listening and . . . expecting more
Complacency
Difficult to quantify, value in financial terms
How do we measure the number of incidents that decreased or were deterred?
Security’s success is measured by the absence of loss
Three basic approaches:
Historical and external benchmarking
Linkage analysis
Statistical analysis
Direct Costs
Money / product
Records / information
Property
Stock / dividends
Insurance premiums
Manpower expenses
Lost business
Overreaction expenses
Hidden Costs
Operations down
Repair /replacement
Productivity
Insurance
Investigation /prosecution
Market position
Job /sales loss
Indirect Costs
Reputation
Good will
Morale
Negative press
Long-term negative consumer perception
Additional public relations costs/poor image
Higher wages - attract in unsafe environment
Shareholder derivative suits/mismanagement
Substance abuse
Theft
Insurance
Investigative costs
Avoidance of lawsuits
Security surveys / risk assessment
Cybercrime prevention
Calculating the Impact of Prevention Activities
Summary of losses & security investigations
• # of investigations: 63
• Total loss impact: $8,300,000
• Net recoveries: $1,000,000
• Value of future losses prevented: $5,500,000
• Investigation costs: $250,000
• ROI*: 400%
* This percent is calculated by dividing net recoveries by investigative costs
Paper shredder
Limo service
Consulting
Alarm monitoring
Movie on computer security
Video on H/C security
Ameritrust loss prevention service
Community seminars
Workers comp: Maine lifters
Security surveys
Executive protection
Hazardous waste handling
Trivial pursuit
Direct Revenue Producing Ventures
The value of relationships and reputation are immeasurable
Understand your business risks and the impact of incidents
Speak to your audience
Know the numbers and be able to support them
Plan must align with the business
External influences – neighborhood crime rate, desirability of assets
Formal loss history – all documented cases
Informal loss history – interviews, etc.
Employee morale – losses increase as morale deteriorates
Security budgets are typically a feeding frenzy
Approvals are cumbersome
Getting senior management attention is (absent a significant incident) difficult
Incident or regulatory requirement of the day changes the whole climate
Tail frequently wags the “security dog”
Implementation can be disorganized and fragmented
Ability to meet corporate objectives
Ability to meet regulatory requirements
Streamlining
Convenience
Reasonableness
Cost effectiveness
Customer service
Practicality
Promote credibility
Planning tool
Management tool
Rating scale
Team building
Promote discussion, identify critical issues
Long term approvals
› Budgets, programs, strategies
Obtain input from all levels
› Users, management, clients
Strategic in nature
Security infrastructure study
› In-depth review of all:
Related procedures
Communications systems
Security strategies
Security systems
Security hardware
And all complementary components
• Security projects
• Diagrams
• Quarterly budgets
• Project charts
• Security procedures
• Project management
• Projects summary & budget charts
• Executive summary - introduction
Magic of:
› Organization
› Management approvals
› Team building
› Budget approvals
› Program quality
› Planning, direction, measurement
› Protects your goals and strategies
› Negotiation tool
Specific systems & programs:
› Strategies
› Milestones
› Requirements
Implementation strategy
Multi-year plan
Timeliness
Complete budget
Budget forecasts
Justification
Specific requirements
Business case
Technical requirements
Background
Complete evaluation of security infrastructure
Security systems and hardware
Some policies and procedures
Management summary
Implementation timeliness
1. Stack the table
2. Schmoozing
3. The 3rd party
4. Playful presentations
5. Never me vs. you
6. “Did you hear what happened?”
7. No surprises
Stack the Table
Create the best team by identifying stakeholders
Clients, staff, IT, HR, management, users, maintenance, etc.
Participants – all levels
Internal and external project teams
C-suite, HR, IT, Engineering
Vendors, consultants, similar facilities (benchmarking) colleagues, internet, ASIS
Schmoozing
To converse casually, especially in order to gain an advantage or make a social connection
The 3rd Party
People blame “others” especially when they are not there
Do not allow people to speak for others
Invite the third party to speak for themselves
Work the person in advance
Playful Presentations
Conceptual ratings chart
Documents
Target yourself
Homework
Detailed/interactive, offsite, time consideration
Level playing field
Never Me vs. You
Never meet one-on-one with adversaries looking for approvals
Only discuss issues, obtain opinions, show stoppers
What's in it for them?
“Did You Hear What Happened?”
Take advantage of incident, media or events
Good morning, did you…
Elevator, washroom, water cooler
No Surprises!
Discuss major issues in private ahead of time
Ascertain how much damage control will be necessary
Contingency and continuity planning is critical
As many as needed
Draft master plan or project plan
Draft infrastructure
› No budgets, timelines, project management
› Include procedures
› All stakeholders
Things must be clear; may mean different things to different people
If necessary to convince or create one single focused direction, use project team visits
The warm climate technique
Talk strategies NOT technical jargon
Professional graphics
Management style
Company format
Start with summaries, then drill down with detail
Practice presentation
* The critical key is how you get there and what you do along the way
Key questions for functional excellence:
› What is our value proposition?
› What is strategy aligned performance management?
› How do we create alignment with the business strategy?
› What is our ROI?
› What are the drivers for functional excellence?
› How do we measure success?
Brokerage Operations $7,800,000
Energy $2,817,846
Credit Card Sales Authorizations $2,600,000
Telecommunications $2,066,245
Manufacturing $1,610,654
Financial Institutions $1,495,134
Information Technology $1,344,461
Insurance $1,202,444
Retail $1,107,274
Pharmaceuticals $1,082,252
Banking $ 996,802
Food/Beverage Processing $ 804,192
Consumer Products $ 785,719
Chemicals $ 704,101
Transportation $ 668,586
Utilities $643,250
Healthcare $636,030
Metals/Natural Resources $580,588
Professional Services $532,510
Electronics $477,366
Construction and Engineering $389,601
Media $340,432
Hospitality and Travel $330,654
Pay-Per-View TV $150,000
Home Shopping TV $113,000
Catalog Sales $ 90,000
Airlines Reservations $ 90,000
Tele-Ticket Sales $ 69,000
Package Shipping $ 28,000
ATM Fees $ 14,500
People
Technology
Protocols
Training/awareness
Consistency/integrity/transparency