In the quest to test and possibly even burst assumptions, one must put forward thoughts and ideas designed to test established paradigms. The aim of this short piece is not to provide definitive proof via academic research of a particular flaw in current thinking around security management, but rather to highlight the possibility that some security managers have become entrenched in a particular way of viewing the world, and that this view may be at odds with that of their corporate masters. Further, it has been written with a view to promoting discussion around the concept that there is a middle ground between the traditional aims of security managers and the needs of the organisations they serve, and that by seeking this middle ground, security managers can not only more effectively achieve the goals of their department, but also add significant value to an organisation. For some, these ideas may seem obvious; to others they may seem ridiculous. Either way, as long as people discuss them, then they can start to burst assumptions.
Even today, there are people who still think that security is all about using guns, guards and gates to protect people, property and assets. Of course, 20 years ago this may have been true, but a great deal has changed in the world of security in the last two decades – especially in the world of corporate security. It is reasonable to assert that much of that change has been driven by the changing nature of threats affecting security over the last 20 years. However, to believe that this has been the only driver for evolution would be to ignore what is arguably one of the greatest driving factors in the evolution of modern security – the desire for security to be seen as a profession as opposed to a function.
In the quest to effect this change, savvy security managers have come to understand that the quickest path to corporate legitimacy and acceptance is paved with gold – literally. If they wish to gain a seat within the C-Suite, alongside finance, marketing and human resources, then they need to be able to demonstrate the ability to achieve yearly revenue targets and generate income as opposed to simply being a red line at the bottom of the corporate ledger each financial year.
Of course, the journey from the traditional, reactive role of guns, guards and gates to a more modern proactive security position of protecting brand, reputation and information (in addition to the traditional protection of people, property and assets) has not only required a paradigm shift within security, but it has also given rise to the need for security professionals to break out of their silo and develop mutually beneficial relationships with other departments within an organisation. The days of secrecy and isolation have, by necessity, given way to openness and cooperation.
Today, the savvy security manager knows that the best way to achieve his or her goals is to find ways to tie those goals into the goals of other departments within the organisation. How can security help marketing achieve their revenue targets or protect the brand that marketing has spent millions to create? How can security help human resources (HR) minimise financial damage to the business by way of reducing the potential for hiring unsuitable candidates or minimising the number of expensive workplace lawsuits? How can security help finance and procurement reduce costs and increase profits? How can security help operations minimise downtime and ensure that the business is resilient enough to get back on its feet as quickly as possible in the aftermath of an incident? How can security help IT protect valuable intellectual property and data? These are the questions that drive many modern security departments.
This new focus, born of the need for security to have greater interoperability with other business units, has given rise to new and interesting possibilities with regard to budget acquisition for today’s security departments. Once upon a time, a security manager would be required to go before the board, cap in hand, in the hope of securing funding to upgrade systems or retain staff. Today, security managers are starting to realise that accessible sources of revenue can be found through other departments within the organisation, such as marketing and HR, if they can aptly demonstrate how security can use those funds to help those departments meet their key performance indicators (KPIs).
For example, where a security manager might have previously struggled to petition the board for funds to upgrade the current analogue CCTV system to a newer digital system, especially where the current analogue system is still working, the same request might achieve three times the funding if channelled through the marketing department. In order to achieve this, security need only demonstrate to marketing, and the board, how the new digital system can help to improve marketing returns by way of things like helping to identify which promotional campaigns are and are not working. Take the example of a busy casino, shopping centre or airport. Using heat mapping as a function of the new digital CCTV system, security can track which promotional displays attract the greatest attention as opposed to the displays which attract little or no attention. Further, CCTV cameras positioned within digital signage, while providing greater covert coverage of an area, could also be used in conjunction with video analytics to track eye movement to determine which parts of an advertising campaign are drawing the viewer’s attention. Alternatively, security might also be able to help marketing more accurately focus their efforts to increase returns by using CCTV to gather information about demographics. This might include information about how many men versus women are in the building at a given time of day, or whether certain age groups are more prevalent within the property at certain times of day and so on. Modern security systems can gather extraordinary amounts of data. What can be done with that data is limited only by one’s ability to come up with new and useful ways in which to mine and use the data.
During a recent interview, Microsoft Chief Security Officer Mike Howard disclosed how he secured funding to build three new Global Security Operations Centers (GSOC) by showing the sales department how these centres could be used as a sales tool. Howard now invites key clients from around the world to come and tour the Microsoft GSOC facilities with a view to demonstrating Microsoft’s point of difference, specifically, how secure the client’s sensitive data will be with Microsoft as opposed to its competitors. Since completion of the GSOCs, Howard has been able to show a demonstrable increase in yearly sales directly attributable to the activities and resources of the security department.
At the end of the day, the question must be asked – what does a corporate board really care about? Does the board really care that the company’s assets are now protected by a new state-of-the-art digital surveillance system? Or is it more interested in the fact that marketing has increased its return on investment by 20 percent in the last financial year? Is the board really impressed that its new facilities are protected by tier one access control systems? Or is it more interested in the fact that revenue is up by 10 percent because the company is seen as the safest airline in the world – in part because it is a much harder target than its competitors?
A board’s first and foremost concern is the financial performance of the company. Put very simply, the board answers to shareholders. Shareholders invest in shares with a view to making financial returns. When the board can dispense dividends, shareholders are happy and the board has done its job. Bottom line, the board cares about investor confidence and making a profit because that is what they have been appointed to do. This begs the question, in the quest to gain the acceptance of the board and the C-Suite, and be seen as not only a profession, but also a business unit on equal standing with finance, sales, marketing and HR, is security really about security in the traditional sense, or is security merely a by-product of what happens in the quest to increase profits?
It is arguable that security managers who still believe that their role is solely to protect people, property and assets while identifying, mitigating and managing risk are not only at odds with the thinking of the board and C-Suite, but are doing themselves and their profession a disservice in the process. Where those goals were once the metrics by which a security department was measured, perhaps today they are simply functions which form the basis upon which security managers should be building more profit-centric programs run in partnership with other departments?
This paper was originally presented at the Australian Security Research Centre’s event Challenge Security Paradigms: Bursting The Assumptions Bubble, held in Canberra in March of this year. For more information on the ASRC and its future events, please visit www.asrc.com.au.