Success in security

by Mark Rowe

‘Successful security management in any organisational context must be driven by an agenda to enhance the financial viability of the organisation.’ Adrian Prior, pictured, discusses this with reference to new models for delivering security. He has had some 28 years’ experience in the military and is a member of the Security Institute; and is taking a masters degree in security management through the University of Portsmouth.

A critical evaluation of the assertion that “successful security management in any organisational context, must be driven by an agenda to enhance the financial viability of the organisation”, should reflect on four important factors. The first is the nature and context of the organisation – where it sits on the continua of “commercial pressures” and “level of security” required; as described by Button (2008 p.127). Secondly, the type of security model being applied – modern financially based or more traditional. Thirdly, the philosophy of security adopted – is it reactive, working in a narrow range of responsibilities, or a proactive and more holistic risk based approach? Lastly, the environment in which the organisation is operating, which will generate the threats and opportunities. “This is the most serious financial crisis we’ve seen, at least since the 1930s, if not ever.” (Kirkup, 2011, November 7). This recent assessment of the global economy, by the Chairman of the Bank of England, illustrates a convincing imperative for the perennial focus on ‘cost cutting’ and the desire to go further to achieve a new “competitive advantage” (Briggs & Edwards, 2006, p. 18). This essay will focus on the example of retail security management but will also make a comparison with examples from other sectors (nuclear and the public sector), to ascertain how the assertion is influenced by changes to the organisational context. First, how might “successful security” be defined and measured?

There are a number of variables that may influence a definition of “successful security”. These include: the style of security management; the “traditionalist” or “new entrepreneur” (Gill, Burns-Howell, Keats, Taylor, 2007, p. 10-12); whether the focus is on the strategic and/or operational levels (Briggs & Edwards, 2006, p. 14); the breadth of the security portfolio; and how that success is measured. The “traditionalists” can be viewed as operating in narrow “silos” of responsibility (PwC, 2009); where security work has been viewed by others “…as a cost, an overhead, as an unfortunate expenditure necessitated by the jeopardy presented by doing business” (Gill et al., 2007, p. 10-12). Briggs & Edwards (2006, p. 78) see that corporate security has been dominated by a ‘defensive’ approach, focused on protection and loss prevention. Success in this context is likely to be expressed in mainly crude quantitative terms, such as the number of arrests made and the apparent absence of crime (Gill et al., 2007, p. 10-12). There is a wealth of evidence to indicate the potential to contribute more to the business in both quantitative and qualitative terms – which leads us to a more entrepreneurial definition of “successful security management”. Kovacich & Halibozek (2006, p. 12) describe how the “traditionalist” role has evolved: the “security professional…must understand business…and the global environment in which the business operates.” But they still regard security as “usually a cost centre” and not “a revenue producing entity” (Kovacich & Halibozek, 2006 p. 45). Gill et al. (2007) describe a new breed of security manager – a “new entrepreneur”, working in a “holistic framework” where the focus is on the “…contribution to the bottom line and as profit generating”. In this model the security portfolio has widened to include, for example, reputation, corporate governance, regulation and information assurance (Briggs & Edwards, 2006, p. 14).
The key for the security function in essence is to ensure that “everything relates to the company’s bottom line and mission” (Gill et al., 2007, p. 15, citing Goodboe, 2003). Success here is far more likely to be expressed in terms of a return on investment (ROI) – although there are several ways to present this. Gill et al. (2007) described “value” added by the “new entrepreneur” in terms of “generating profit”, “adding financial value”, “reducing loss” and “reducing cost”. One might also include a number of less tangible effects, including business reputation. Other factors that may determine how success is defined include whether one is focused at the strategic or operational levels (Briggs & Edwards, 2006, p. 14): the former might be judged more on the performance of the business and making the right business decisions, looking at security’s contribution to it; and the latter by more specific security orientated metrics.

For the purposes of this essay, “successful security management” is: strategically aligned with the ‘business,’ driven by the needs of that organisation, utilising a “holistic approach”, to execute a proactive, risk management based security system at the operational level; providing effective ‘traditional’ asset protection; demonstrating a positive ROI [return on investment] and delivering a “competitive advantage”. How can this success, or otherwise, be measured?

Security management metrics are viewed as important for determining the level of success but also as a management tool to help achieve the success. There are caveats to their effective application. Kovacich & Halibozek (2006, p. 18) considered a bespoke security metrics programme important in a corporate security context because it shows “…how the [corporate assets protection programme] CAPP is being managed, as well as its related costs, benefits, successes and failures.” They present a comprehensive approach to a “security management metrics programme” but they acknowledged that not all benefits of a security programme are “easily measurable.” Metrics can be classified into “hard” and “soft” (Gill et al., 2007, p. 7). Hard metrics are generally quantitative: for example, profit, ROI calculations, crime statistics and cost/benefit analysis (Briggs & Edwards, 2006, p. 63). Gill et al. (2007, p. 35-37) describe other methods including “cost effectiveness analysis” and “activity based costing”. Both Gill et al. (2007) and Briggs & Edwards (2006, p. 63) explore the concept of “soft” metrics and the latter highlight that it is “…less easy to measure the intangibles, such as reputation management.” Other examples might include customer confidence and employee feelings of safety, which could be captured by survey. Button (2008, p.125) provides us with a contemporary model for the development of a holistic security system, advocating a “risks based approach”, which includes the use of metrics, ROI and active learning. Gill et al. (2007) found that “…without metrics it is not possible to show the value in a form that business leaders will most clearly understand.” Metrics have been used to inform key tools used in a more “holistic” approach, including “Enterprise Security Risk Management” (Piazza, 2010, April) and a “balance scorecard” system described by Bamfield (2006, p.492).
These tools sit well in the bag of the “new entrepreneur” and are important to be “successful”.

However, there are several potential limitations to the use of metrics: they are only as accurate as the information inputted and can be variously interpreted and they are generally retrospective in nature. Metrics seem to be focused at the operational level and do not generally address the strategic level issues. Finally, the data can be difficult to interpret (Gill et al., 2007). An additional important factor that may be considered when trying to measure “successful security management” would be an appreciation of the cost of failure, which may go well beyond the loss or damage to an asset; for example, staff morale following a robbery. In the context of retail security, let us examine to what degree successful security management is driven by an agenda to “enhance the financial viability” of the organisation.

In retail there is a tension between the strong commercial pressures and the level of security required. To “enhance financial viability” implies going beyond the “traditionalist” “defensive approach, focused on protection and loss prevention” (Briggs & Edwards, 2006, p. 78), to one that is “generating profit” (Gill et al., 2007, p. 12). There is a Rubicon here that the “new entrepreneurs” have crossed – accepting that “reducing loss” can be perceived as the same thing as “making a profit” (Gill et al., 2007, p. 13). Retail crime cost UK retailers £1.4 billion in 2010/2011, a 31 per cent increase on the previous year; and expenditure on crime prevention rose by 1.4 per cent but shrinkage increased to 1.55 per cent (British Retail Consortium, 2011). So, shrinkage remains a substantial problem for most retailers and a source of potential “profit”. But could more innovative, and research driven expenditure, on combatting losses deliver better results? Promising areas include a partnership between British Retail Consortium and supermarkets to reduce crime. One example is an attempt to influence the “malefactors’ behaviour” (Button, 2007, p. 147) through supporting the police to tackle local crime; Asda pay for a police community support officer on their site – a relatively low cost deterrent tactic.
Bamfield (2006, p. 493) reinforces the point that security departments operate within “budget constrained environments” and they need to ensure resources are used cost effectively. There is evidence to indicate latent opportunities to utilise novel and more cost effective security techniques, through well researched and targeted schemes, to add value. Looking at banking fraud, a study by Hoffmann & Birnbrich (2012, p. 403) argues that “…creating customer awareness, understanding, and knowledge about fraud…carries a substantial potential to enhance…customers’ value to the bank by triggering re-buying and cross-buying.” Another example is the use of CCTV (examined by Gill, 2006, p. 438-461), which may appear to be a natural choice to help combat shrinkage but a study by Lindblom & Kajalo (2001, p.125) indicates that “informal surveillance [by staff] does have a high capacity for crime prevention”. So, training staff to be vigilant could be a good ROI.

Other opportunities to enhance the bottom line may be described as appreciating second order effects of security; these often impact reputation or brand image. Briggs & Edwards (2006, p.35) highlights “…genuine conflicts of interest between fraud prevention and other business priorities…because controls tend to inconvenience customers.” Gill et al., (2007 p. 20) is clear that “…good security can prevent the loss or damage to reputation; this can have a serious impact on profitability”. Another example is the value of supply chain security which can also deliver “…improved product safety, improved inventory management, higher customer satisfaction…” (Gill et al., 2007, p. 16, cites Peleg-Gillai & Bhat, 2006).

The danger of ill-informed security initiatives is amply shown by Briggs & Edwards (2006, p. 30), citing Viscusi (1997) about “zero risk mentality”, which led one company to spend over a million dollars on a toxic alarm system and vaccinations in response to a perceived asymmetric threat. Gill et al. (2007, p. 67) propose that “the role of the security function will vary with the culture of the organisation and there are differences between sectors”. So, how does the retail sector compare to other organisational contexts?

The nuclear generation industry in France is now competing in the open market but arguably sits at the opposite end of the security “continuum” to the retail sector and, so, makes an interesting comparison. A Vice President of Electricité de France (EDF) has written of the conflicts between nuclear safety and cost reduction. A “cost-killing” approach can be used to achieve short term profits but competitiveness in the open market and safety are both required (Sticker, 2003, p. 23-26). Roux-Dufort & Metais (1999, p. 126) argue that EDF has developed a “competitive advantage” through their crisis management isomorphic learning process. These examples highlight that even with an extreme security and safety requirement, in a heavily regulated industry, enhancing financial viability is a key driver.
Gill et al. (2007, p. 7) say that “adding value is not just a concern for private sector companies, it is also a priority for the public sector”. The cost of violence to National Health Service (NHS) staff is estimated by the NAO at £69 million. Clearly there is scope for security to “add value”. The NHS Business process and the “security management model”, is a strategic initiative to drive up standards of security management to deliver a “properly secure environment” for their employees. The policy makes no reference to cost effectiveness or adding value to the organisation – the lack of commercial pressures is telling (Great Britain, NHSCFSMS, 2003, p. 1-22). However, the NHS is having ‘cost savings’. “In my hospital department, for instance, our budget will drop by 4% every year for at least the next five years” (Kellett, 2012, March 22).
In conclusion: the balance of evidence examined would suggest that to deliver “successful security management” in organisations with strong commercial pressures, including those with a requirement for high levels of security, there is an expectation (by some, but not all) that security management must go beyond asset protection, reducing losses and costs, to deliver a “competitive advantage”; thereby enhancing “financial viability”. There is clearly scope to exploit this approach in the retail sector. The evidence for this view in the public sector is not as clear but it appears that a successful security manager in this context could pursue a holistic model of security, with efficient use of resources, cutting costs where possible; however, the lack of overt commercial pressure seems to temper expectations short of enhancing “financial viability”. Any effort to determine the level of success must compensate for the ‘refraction’ that occurs through the prism of metrics; and, in particular, the challenge of measuring ‘soft’ benefits for the organisation.

Bibliography

Bamfield, J. (2006). Management. In M. Gill (Ed.), The handbook of security (pp. 586-609). Basingstoke: Palgrave Macmillan.
Bjornard, T., Bari, R., Hebditch, D., Peterson, P., Schanfein, M. (2009). Improving the Safeguardability of Nuclear Facilities. Institute of Nuclear Materials Management 50th Annual Meeting. US: Idaho National Laboratory.
Booz Allen Hamilton (2005). Convergence of enterprise security organisations. US: The Alliance of Enterprise and Security Risk Management.
Borodzicz, E.P. (2005). Risk, crisis & security management. Chichester: John Wiley & Sons, Ltd.
Briggs, R., Edwards C. (2006). The business of resilience. London: Demos.
British Retail Consortium (2011). Retail and crime survey 2011. Retrieved from British Retail Consortium website: http://www.brc.org.uk/brc_policy_content.asp?iCat=48&iSubCat=646&sPolicy=Retail+Crime
British Retail Consortium (2012). Case studies partnership working. Retrieved from the British Retail Consortium website: http://www.brc.org.uk/trct/default.asp?main_id=3&sub_id=3
Button, M. (2008). Doing security critical reflections and an agenda for change. Basingstoke: Palgrave Macmillan.
Caralli, A., (2004). The Critical Success Factor Method: Establishing a Foundation for Enterprise. Pittsburgh. Carnegie Mellon Software Engineering Institute. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA443742
Carmel-Gilfilen, C., Arch, M. (2011). Advancing retail security design: uncovering shoplifter perceptions of the physical environment. Journal of Interior Design, 36(2), 21–38.
Challinger, D. (2006). Corporate security: a cost or contributor to the bottom line. In M. Gill (Ed.), The handbook of security (pp. 586-609). Basingstoke: Palgrave Macmillan.
Charlton, K., Taylor, N. (2005). The trouble with business watch: why business watch programs fail. Security Journal 18, 7–18; doi:10.1057/palgrave.sj.8340194
Dalton, D.R. (2003). Rethinking corporate security in the post 9/11 era. New York: Butterworth-Heinemann.
Gill, M., (2006). CCTV: is it effective? In M. Gill (Ed.), The handbook of security (pp. 438-461). Basingstoke: Palgrave Macmillan.
Gill, M., Burns-Howell, A., Keats, G., Taylor, E. (2007). Demonstrating the value of security. Leicester: Perpetuity Research & Consultancy International.
George, B., Button, M. (2000). Private security volume 1. Basingstoke: Palgrave Macmillan.
Great Britain. NHSCFSMS. (2003). A professional approach to managing security in the NHS. NHS.
Hayes, R. (2003). Loss prevention: senior management views on current trends and issues. Security Journal, 16(2), 7-20.
Heaven, D. (2012, October 20). The CCTV will be right with you. New Scientist, 18.
Hoffmann, A & Birnbrich, C. (2012). The impact of fraud prevention on bank-customer relationships an empirical investigation in retail banking. International Journal of Bank Marketing, 30(5) 390-407.
Kellett, B. (2012, March 22). NHS cuts and staff reductions: is it any wonder nurses are so unhappy? Guardian. Retrieved from http://www.guardian.co.uk/commentisfree/2012/mar/22/nurses-unhappy-nhs-staff-budget-cuts
Kirkup, J. (2011, November 7). World facing worst financial crisis in history, governor bank of England says. The Telegraph. Retrieved from http://www.telegraph.co.uk/finance/financialcrisis/8812260/World-facing-worst-financial-crisis-in-history-Bank-of-England-Governor-says.html
Kovacich, G, Halibozek, E. (2006). Security Metrics Management. Oxford: Butterworth-Heinemann.
Lindblom A., Kajalo, S. (2011). The use and effectiveness of formal and informal surveillance in reducing shoplifting: a survey in Sweden, Norway and Finland. The International Review of Retail, Distribution and Consumer Research 21(2), 111–128.
Mano, j S., Holscher, L. (2000). Accessibility vs security: the challenge to airport security systems. Security Journal, 13, 7-19. doi:10.1057/palgrave.sj.8340046
Oliphant, B.J., Oliphant G.C. (2001). Using behaviour based method to identify and reduce employee theft. International journal of retail and distribution management, 29 (10), 49-56.
Piazza, P., (2010, April). Enterprise security risk management: how great risks lead to great deeds. ESRM benchmarking survey and white paper. Retrieved from ASIS International CSO Roundtable website: https://www.csoroundtable.org/knowledge/when-great-risks-lead-great-deeds-esrm-benchmarking-survey-and-white-paper
PricewaterhouseCoopers (PwC). (2009). Effective security: from risk management to real business advantage. Retrieved from: http://www.pwc.com/us/en/it-risk-security/publications/effective-security.jhtml
Rahman, S., Donahue, S. (2010). Convergence of Corporate and Information Security. International Journal of Computer Science and Information Security, 7(1) 63-68.
Roux-Dufort, C., Metais, E. (1999). Building Core Competencies in Crisis Management Through Organizational Learning The Case of the French Nuclear Power Producer. Technological Forecasting and Social Change, 113–127 Elsevier Science Inc.
Sticker L., (2003). Electricité de France (EDF), France. Safety and competitiveness. Nuclear Plant Journal. Retrieved from http://web.ebscohost.com/ehost/pdfviewer/pdfviewer?sid=7f29f218-a4e3-44da-8484-374cab967650%40sessionmgr4&vid=7&hid=9
Thomas, G, (1999). Business watch as an effective business security management strategy for industrial estates: reality or mythology. Security Journal 12, 53-62 doi:10.1057/palgrave.sj.8340011
Tonglet, M., Bamfield, J. (1997) Emerald article: controlling shop crime in Britain: costs and trends. International Journal of Retail & Distribution Management, 25 (9) 293–300.
