Security Metrics Management: How to Manage the Costs of an Assets Protection Program

SECURITY METRICS MANAGEMENT

How to Measure the Costs and Benefits of Security

Elsevier Science

Excerpt

CHAPTER 1

The Security Profession and Its Role in Supporting Business and Government Agency Assets Protection Needs

This chapter will introduce and discuss the role of security in support of the needs of corporations and government agencies in today's global environment. It is provided to set the stage for a basic foundation for security, and assets protection managed through a security metrics management program.

INTRODUCTION

The world of the security professional has changed, as have so many professions, due to the technological changes and advances that have led to the phenomena of instant and mass global communications. Today's corporations can no longer afford to think locally or even nationally. Now, they must not only think globally but also compete in the global marketplace. Sure, some can survive in their small world of local or nation-based business (within a specific niche)—for now—but even they will be positively and negatively impacted by what is referred to as the "global economy."

Security professionals have been slow to recognize or admit that this change has impacted their profession. One just has to look at the ever-expanding threat agents and their sophisticated techniques for attacking corporate assets to see that the environment in which they work has changed and will continue to change, probably faster than ever before. However, that is only one of the many issues facing the security professional.

The role of security is often viewed in a much-maligned way—even by some security professionals. Employees (and that includes management) often consider security professionals as an extension of law enforcement. They imagine the security staff operating in an enforcement role, watching them and "making" them behave in a certain way—a way not necessarily conducive to good business practices, inconvenient and not in-line with their preferences. After all, today's employees are like most people. They are not receptive to constraints, particularly when they don't understand the reasons for them or the value the constraints bring to the business.

All too often, security professionals believe it is the "job" of employees to understand them and to be automatically supportive of them and security's role to protect business assets. The security specialists may grow impatient when they don't get the support they believe they need, require or deserve. After all, don't corporate employees understand how important the security job is? The answer is, "No, they probably don't and really don't think about it very often, if at all!"

When such an attitude is present, it is up to the security professionals to win over the employees with the help and support of management. This may not be what the security professional wants to do or hear, but in order to be a successful security professional and manage a successful assets protection program for the business, that is what must be done.

Yes, justifying one's job is not as enjoyable as performing it, but one way to look at it is to consider each new supporter as one more victory in the game of gaining assets protection program support. A security metrics management program (SMMP) can help the security professional explain security decisions, policies and practices in a way that employees and management can understand and appreciate—using the business language of costs and benefits instead of security lingo.

On the brighter side, the security profession has come a long way as a profession and is no longer using (in most cases anyway) what was often termed "the guard force mentality." The perception was, and is sometimes still true, that the security staff was made up of retired law enforcement or military personnel looking for a retirement job. Most of these individuals had little concept of the business world and of dealing with executive management whose priority is profits and not "following the rules" or "patriotism" at all costs.

Even today, retired law enforcement, intelligence or security professionals are often given the opportunity to lead security organizations in business over those business security professionals who "grew up" within the business. In many cases, executive management does not understand or appreciate the talents and the job done by the security professionals within their own companies. Furthermore, the security professionals have done a rather poor job of educating corporate management as to what it takes to be a 21st century security professional—and being an ex-spy or investigator is not the same as establishing and managing a corporate assets protection program. Again, using an SMMP can help the security professional, regardless of the prior background of the individual who is responsible for assets protection.

Another problem with some security specialists is that they may even consider that the business assets are "theirs" and they are responsible for their protection, like parents worry about their children. They may fail to realize that it is not their property. It is the property of the owner(s) who have delegated protection of those assets to the corporate management team.

Management and other business employees are slow to realize the change to a more educated, intelligent and technical security profession. However, this change has been gradually taking place over the last several decades. The security profession has become more complex and requires far more skilled security professionals, not only in security-related functions, but also in various other disciplines of the business world.

So, who are these security professionals in the 21st century and what is their role in the world of business? To understand that, let's look at the reasons for the increased need for security professionals in today's business world.

THE NEED FOR SECURITY PROFESSIONALS IN BUSINESS

Is there a need for business security professionals today? The answer may be obvious if you are in the security profession. However, you may be surprised to know that there are many in the corporations of the world that might not agree with you. You may wonder how anyone in a corporate management or leadership position could think that way. Although you may be able to rationalize employees feeling that way, since many of the assets protection requirements can cause them to operate in a way that they do not agree with.

You should remember that most people prefer to operate without, or with minimal, constraints. That includes management. People are basically the same throughout the world, and this is basic human nature. Ask yourself if you like being constrained. The answer is: of course not. A business security professional must keep that in mind. After all, you must try to get people to understand the need for and value of complying with security requirements or "constraints" which are needed to protect business assets. An SMMP helps you make the case for those security requirements. If you can't make the case with or without an SMMP, then perhaps you are the one who is wrong in that situation. That is possible you know, and something you as a security professional should always think about when making assets protection decisions—is it possible that this decision is the wrong one?

However, the security professional should not take attitudes of other employees personally. After all, security specialists not only provide guidance and direction as they establish operating constraints, but security is also an overhead cost. Therefore, as you often will be reminded throughout this book, if not done effectively and efficiently, security can be a "parasite on the profits." Management, as well as the corporate owners, feel the same way about any other function within the business that is a "profit parasite." They want those functions to be as effective and efficient, and the least intrusive as possible on their core business activities.

All that said, then why have corporate security? If it is a publicly held company, a lack of security may at a minimum violate some government laws or regulations. In other words, the responsibilities of executive management include protection of assets and much of this is accomplished under the direction and control of security. Another reason assets protection is needed is the lack of trustworthiness of a small number of employees. Most employees are very conscientious and are honest enough to do the right thing regardless of any security staff or business policies. However, as is often the case, resources are allocated for security to protect the business and the honest employees. The goal is to protect them from the few who, for some reason, have it in their nature to take what does not belong to them or to do harm. Actually, if you are a security professional, you should thank those miscreants from around the world for being dishonest, even for only a moment. Why? Because you owe your job and the growth of the security profession to the miscreants of the world; without them, security professionals would not be needed.

So, yes, security is necessary. Without it, as without a law enforcement presence in societies, there would be uncontrolled losses of business assets and maybe even human lives. With that being said, as the leader of the security department and therefore the one responsible for the protection of corporate assets, you must still justify your decisions that impact productivity and other costs. As you can guess by now, we believe that the SMMP can help justify assets protection decisions.

One thing that is seldom talked about but helps rationalize security personnel and assets protection that is integrated into our daily lives and that is it is often a form of psychological security. (It makes us feel protected, although we may not be protected as well as we think. Some of it may be an illusion.) Think about it. How often do you hear about items getting through the airport checks, the fact that cargo is not checked, and other such security processes, and yet old ladies and children are included in random physical searches at airports and other locations. Let's face it; unless we want to live in a total police state—maybe even then—no one can protect people, information or facilities with 100% certainty that no one can get through the "security net" and steal, damage, or destroy some valuable asset. It is all a matter of deciding on what are acceptable levels of risks based on costs and benefits. As can be seen by the 9/11 attack, some management risk-related decisions can have a terrible impact on corporations and people.

Remember also that security costs money. Protection of people, physical assets and information costs an organization in terms of convenience, productivity and dollars. Executive management and security professionals make risk assessments based upon threats and vulnerabilities every day. If there is no specific threat, fewer resources are allocated for protection, regardless of the vulnerability. If the threat is high and controls in place leave the system vulnerable, then more resources may be allocated for protection.

In the case of airport and airline security controls, since the threat to the system pre-9/11 was presumed to be low, management at that time could get away with few or minimal security controls and less capable, poorly trained security personnel. They could afford to accept the risks associated with minimal security controls. In hindsight, now that the threat is better understood, it was a hard and costly lesson to learn.
(Continues...)

---

Excerpted from SECURITY METRICS MANAGEMENT by Gerald L. Kovacich. Copyright © 2006 by Elsevier Inc.. Excerpted by permission of Elsevier Science.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---