Capital investments in today’s business world influence how successful organizations will be in the future. Funding used during any procurement process must be allocated tactfully and produce some form of return on investment. The capital that organizations invest in security functions is no different. These functions must serve a purpose (reducing risk) and must be justifiable through cost-benefit analysis. With this, the security industry has shifted from a labor-intensive market to a capital-intensive market, meaning that Physical Protection Systems are built and run on funding. You would think that the capital invested in security is managed effectively. After all, isn’t the capital being invested used to protect against loss, prevent shrinkage and prevent pilferage?
Since 9/11 the security industry has witnessed a spike in demand. With this demand has come the requirement for security professionals to effectively manage the capital spent during the system life cycle and during retrofit projects. Through the acquisitions process, organizations request and procure different services that have lasting effects on their security posture. These services consist of guidance on security management practices, technical security evaluations, and guidance on forensic security (expert witness) issues.
Statistical data within the security industry show that its various markets have undergone extreme growth. On the national level, the United States has spent $451 billion (as of August 2014) on national defense and has spent over $767 billion on Homeland Security since 9/11. Consumer reports have also shown that Americans collectively spend $20 billion each year on home security. Technical trends show that organizations spend $46 billion (combined) annually on cyber security. The asset protection market shows that the contract guard force industry has grown substantially, to the tune of $18 billion a year. In an effort to prevent shrinkage, retailers also invest $720.3 million annually in loss prevention methods.
You would also think that, with the amount of capital being spent within the security industry, more industry benchmarks (including lessons learned) would exist to help guide stakeholders toward sound security investments. This is often not the case. Most security project end products are the results of different security management mentalities. These security mentality pitfalls are the result of the: Cookie Cutter Mentality – if a security measure works well somewhere, it will reduce the risk at multiple facilities; Pieced Mentality – as capital becomes available, some risk(s) are mitigated; Maximum Security Mentality – there is never too much security; and the Sheep Herd Mentality – everyone is doing it, so we had better follow suit. Each of these pitfalls has the same effect on the organization’s bottom line. They each potentially divert capital away from addressing true risk(s) and very often require organizations to invest more capital in the security program in an effort to correct newly created security vulnerabilities.
Two main issues contribute to these pitfalls: the stakeholder does not know what security measures are needed and relies on a vendor for guidance; or the potential vendor does not have the stakeholder’s best interest in mind and recommends that the stakeholder implement measures that are out of scope for the client’s needs. Now don’t get this author wrong, there are some vendors in today’s security markets who meet or surpass stakeholder requirements. From a security management standpoint the question has to be asked: “Does the vendor understand the stakeholder’s security needs, and does the vendor really care?”
Stakeholders very often have not identified their specific security requirements (industry or local). Many stakeholders identify different symptoms that they think are root problems within their security posture, never realizing that these symptoms often hide the root problems. One of the biggest contributors to this misunderstanding is a lack of security industry training. Sure, there are security staff within the organization who bring many years of experience to the table. The question that has to be asked is: “Is the organization providing training opportunities to its staff in an effort to identify industry best practices and expose them to new ideas?” In most cases this author has seen that organizations rely on the experience listed on a resume to negate the need for an investment in security training. When in-house personnel do not evolve with a changing security industry, the organization normally pays for this by outsourcing research work and can be taken advantage of by bad vendors during the acquisitions process.
Another pitfall related to not clearly identifying security requirements is the development of an unclear Statement of Work during the invitation for bid or request for proposal process. When the planning aspect of a project is neglected, small changes in scope can cost the organization additional resources. In many cases the vendor does not understand the Statement of Work that has been created by the stakeholder. When this lack of understanding occurs, there is no true definition of what the end product should be, and the vendor may rely on gut instinct to get a security system in place that meets some of the requirements. This lack of understanding can lead to scope creep, whether deliberate or by oversight, which will require the organization to make even more investments in a system that does not address all of its needs.
This author has also witnessed many issues related to the installation of security components. You would wonder why the functional aspect of a system is overlooked and why acceptance tests are often rushed. This issue can be linked to the need for security personnel to be properly trained. If security personnel have not been trained to benchmark security practices and identify manufacturer requirements, how can they effectively accept the functionality of a system and, in good faith, tell top-level management that an effective Physical Protection System is in place?