Creative Ways to Show Security’s Proposition and Profitability:

A Business Case Study

Elliot A. Boxerbaum, CPP, CSC, Founder & CEO Security Risk Management Consultants, Inc.

Bonnie Michelman, CPP, Director of Police, Security, & Outside Services, Massachusetts General Hospital

ASIS International Past President

Security awareness and incidents increasing Technological demands and changes Increased responsibilities and span of control Budget reductions/bankruptcies/mergers/layoffs Speed and accuracy/technology explosion Managers are expected to lead, not just manage Intellectual property challenges

Anxiety about the future and the economy Substance abuse Family structure Less corporate paternalism An aging population Deinstitutionalization Fear of crime and terrorism

Dollars are becoming tighter Corporations and institutions are reshaping

themselves through mergers, acquisitions, and partnerships

The economy is creating significant challenges for security programs

Programs viewed as simply providing protection against potential loss are suffering more than those seen as adding value to business processes

Security efforts in many organizations are more visible

Corporate compliance requirements continue to escalate

Physical and IT security professionals are dealing with the opportunities (and challenges) of technology and process convergence

Many organizations are moving toward unified security programming

“Security Directors” are becoming (sometimes reluctantly) “Security Executives”

Security Executives are gaining more “C” suite access

“C”hief Security Officers (CSO) are expected to focus more on the “C” in their title than the “Security Officer” aspect

As a result . . . The skill sets of the “C” suite have become

essential to the growth – the very survival – of today’s security programs and security executives

Security executives – regardless of their title – are expected to understand essential financial and business concepts and speak the same language as their “C” suite peers

Do you understand the concepts of ...

Net Present Value (NPV) Internal Rate of Return (IRR) Return on Investment (ROI) Total Cost of Ownership (TCO)

Today we are going to discuss the environment and identify strategies you can use to be successful and hopefully thrive in these difficult times

Concepts

Challenges

Case Studies

Opportunities

allow subgroups to control the group dynamics

DON’T

Recessionary Impacts

Increase in violent crime, white collar crime, and

workplace violence

Litigation/Best Practices

Media Interests

Societal Trends

Sophistication of Crime Types

Risk management

Asset protection

Service orientation

Regulatory pressures

Investigative sophistication

Return on investment/profitability impact

Consumer/customer demands/public relations

Quantification of value

Deterrence and prevention

Hire and Support a Strong Team Encourage Benchmarking and Use Metrics

Create the Right “Culture”

Gather Intelligence

Zero Ignorance: Understanding Industry/Function Criticality

Identify and Address Liability Issues

Understand/Advocate for the current industry growth and professionalism

Decrease losses

Increase profits

Raise morale

Decrease turnover

Optimize recovery/resumption

Protect executives

Decrease liability

Protect and improve reputation

Self Industry - Activism in passing regulations is increasing

Litigation - Successful action as by plaintiffs against companies for negligent or inadequate security are rising (about 33%/yr)

Insurance - Insurance companies may force substantial management and operational changes on companies with inefficient security programs

Customer/contractual requirements

Legal, regulatory & compliance issues

Reduced loss/faster recovery?

Timely knowledge & action to mitigate risk = prevention?

Hazards proactively identified & mitigated?

Reduced security cost as a % of revenues?

Balance technology, procedures, staff, facilities & information, policies – Holistic Security Program Modeling (HSPM)

Cost effective, quality security designs

Program responsiveness /data

The security function adds value when it provides cost beneficial safeguards that can facilitate business or mission strategies that would otherwise not be prudent or possible

The security function adds value when it seamlessly integrates safeguards into day-to-day mission & operations

THE QUESTION -- ”If we did nothing in terms of asset protection, what would the impact be to the enterprise?” Value and cost are synonymous in the absence of defensible information to the contrary

DELIVERERS OF SECURITY -- Related goods and services must be able to demonstrate the cost/benefit of those goods & services if they are to retain control of their “market share”

We have to be better analysts & marketers of our value-added benefit to the organization

Zero-Based Security Programming

Healthcare campus with aging access control system, high maintenance costs, and failures resulting in documented lost time, end user complaints, and disruption of patient care

Facility identifies costs associated with the existing system over a 12 month period

Historical data including operating costs and numerous other factors is rolled into maintenance/upgrade/replace scenarios

Budgetary estimates are obtained for several remediation strategies

A business case is developed for system replacement

A Business Case Study

A Business Case Study

Consider least expensive and least disruptive controls: 80/20, 90/50, 95/70, 99/100

Procedures must be integrated with physical systems for synergistic and cost effective results

Security is not a hard science

Security must be organizationally and environmentally specific

Compromise is critical – Consider alternative approaches to achieve acceptable results

Salespeople

Management

Employees

Community

Know management’s level of commitment Know company’s objectives Advance selling Public relations Allocate 4 operating cost profit center vs. cost center

approach Return of investment studies - Maximization of security

investment) Establish norms/show deviation Empirical data is critical Benchmarking – learn from the “BEST”

Overreaction Blame Change stereotypes Educate others Breadth, depth, complexity, and expertise Don’t ignore increasing stereotypes and hate Expand efforts, expertise, and energy Remember…. people are now listening and . . .

expecting more Complacency

Difficult to quantify, value in financial terms

How do we measure the number of incidents that decreased or were deterred?

Security’s success is measured by the absence of loss

Three basic approaches:

Historical and external

benchmarking

Linkage analysis

Statistical analysis

Direct Costs Money /product

Records / information

Property

Stock / dividends

Insurance premiums

Manpower expenses

Lost business

Overreaction expenses

Hidden Costs Operations down

Repair /replacement

Productivity

Insurance

Investigation /prosecution

Market position

Job /sales loss

Indirect Costs Reputation

Good will

Morale

Negative press

Long-term negative consumer perception

Additional public relations costs/poor image

Higher wages - attract in unsafe environment

Shareholder derivative suits/mismanagement

Substance abuse

Theft

Insurance

Investigative costs

Avoidance of lawsuits

Security surveys / risk assessment

Cybercrime prevention

Calculating the Impact of Prevention Activities

Summary of losses & security investigations • # of investigations 63 • Total loss impact $8,300,000 • Net recoveries $1,000,000 • Value of future losses prevented $5,500,000 • Investigation costs $250,000 • ROI* 400%

* This percent is calculated by dividing net recoveries by investigative costs

Paper shredder

Limo service

Consulting

Alarm monitoring

Movie on computer security

Video on H/C security

Ameritrust loss prevention service

Community seminars

Workers comp: Maine lifters

Security surveys

Executive protection

Hazardous waste handling

Trivial pursuit

Direct Revenue Producing Ventures

The value of relationships and reputation are immeasurable

Understand your business risks and the impact of incidents

Speak to your audience

Know the numbers and be able to support them

Plan must align with the business

External influences – neighborhood crime rate, desirability of assets

Formal loss history –all documented cases

Informal loss history – interviews, etc.

Employee morale – losses increase as morale deteriorates

Security budgets are typically a feeding frenzy

Approvals are cumbersome

Getting senior management attention is (absent a significant incident) difficult

Incident or regulatory requirement of the day changes the whole climate

Tail frequently wags the “security dog”

Implementation can be disorganized and fragmented

Ability to meet corporate objectives

Ability to meet regulatory requirements

Streamlining

Convenience

Reasonableness

Cost effectiveness

Customer service

Practicality

Promote credibility

Planning tool

Management tool

Rating scale

Team building

Promote discussion, identify critical issues

Long term approvals

› Budgets, programs, strategies

Obtain input from all levels

› Users, management, clients

Strategic in nature

Security infrastructure study

› In-depth review of all:

Related procedures

Communications systems

Security strategies

Security systems

Security hardware

And all complementary components

• Security projects

• Diagrams

• Quarterly budgets

• Project charts

• Security procedures

• Project management

• Projects summary & budget charts

• Executive summary - introduction

Magic of: › Organization › Management approvals › Team building › Budget approvals › Program quality › Planning, direction,

measurement › Protects your goals and

strategies › Negotiation tool

Specific systems & programs:

› Strategies

› Milestones

› Requirements

Implementations strategy

Multi-year plan

Timeliness

Complete budget

Budget forecasts

Justification

Specific requirements

Business case

Technical requirements

Background

Complete evaluation of security infrastructure

Security systems and hardware

Some policies and procedures

Management summary

Implementation timeliness

1. Stack the table

2. Schmoozing

3. The 3rd party

4. Playful presentations

5. Never me vs. you

6. “Did you hear what happened?”

7. No surprises

Stack the Table

Create the best team by identifying stakeholders

Clients, staff, IT, HR, management, users, maintenance, etc.

Participants – all levels

Internal and external project teams

C-suite, HR, IT, Engineering

Vendors, consultants, similar facilities (benchmarking) colleagues, internet, ASIS

Schmoozing To converse casually, especially in order to gain an

advantage or make a social connection

The 3rd Party People blame “others” especially when they are not

there Do not allow people to speak for others Invite the third party, to speak for themselves Work the person in advance

Playful Presentations Conceptual ratings chart Documents Target yourself Homework Detailed/interactive, offsite, time consideration Level playing field Never Me vs. You Never meet one-on-one with adversaries looking for

approvals Only discuss issues, obtain opinions, show stoppers What's in it for them?

“Did You Hear What Happened?” Take advantage of incident, media or events

Good morning, did you…

Elevator, washroom, water cooler

No Surprises! Discuss major issues in private ahead of time

Ascertain how much damage control will be necessary

Contingency and continuity planning is critical

As many as needed

Draft master plan or project plan

Draft infrastructure

› No budgets, timelines, project management

› Include procedures

› All stakeholders

Things must be clear; may mean different things to different people

If necessary to convince or create one single focused direction, use project team visits

The warm climate technique

Talk strategies NOT technical jargon

Professional graphics

Management style

Company format

Start with summaries, then drill down with detail

Practice presentation

* The critical key is how you get there and what you do along the way

Key questions for functional excellence:

› What is our value proposition? What is strategy aligned performance

management? How do we create alignment with the business

strategy? What is our ROI?

› What are the drivers for functional excellence?

› How do we measure success?

Brokerage Operations $7,800,000

Energy $2,817,846

Credit Card Sales Authorizations $2,600,000

Telecommunications $2,066,245

Manufacturing $1,610,654

Financial Institutions $1,495,134

Information Technology $1,344,461

Insurance $1,202,444

Retail $1,107,274

Pharmaceuticals $1,082,252

Banking $ 996,802

Food/Beverage Processing $ 804,192

Consumer Products $ 785,719

Chemicals $ 704,101

Transportation $ 668,586

Utilities $643,250

Healthcare $636,030

Metals/Natural Resources $580,588

Professional Services $532,510

Electronics $477,366

Construction and Engineering $389,601

Media $340,432

Hospitality and Travel $330,654

Pay-Per-View TV $150,000

Home Shopping TV $113,000

Catalog Sales $ 90,000

Airlines Reservations $ 90,000

Tele-Ticket Sales $ 69,000

Package Shipping $ 28,000

ATM Fees $ 14,500

People

Technology

Protocols

Training/awareness

Consistency/integrity/transparency

Creative Ways to Show Security’s Proposition and Profitability:

A Business Case Study

Elliot A. Boxerbaum, CPP, CSC, Founder & CEO Security Risk Management Consultants, Inc.

ElliotB@srmcinc.com

Bonnie Michelman, CPP, Director of Police, Security, & Outside Services, Massachusetts General Hospital

ASIS International Past President bmichelman@partners.org