You’ll not be surprised to read that the recurring theme in this blog – focused around seven potential money-saving opportunities for security professionals – is, to a varying degree, the engagement of an independent security consultant.
One of the questions I’m regularly asked by potential new clients is: “Why should I use an independent security consultant?”. There are many benefits that can be attained by engaging ‘external’ support and expertise and, as well as identifying potential money-saving opportunities in this blog, I’ll go on to highlight how an independent security consultant can help you and your organisation develop and achieve your pivotal security objectives.
Before I go any further, though, I suppose I should explain what I mean when I use the word ‘independent’. Dictionary definitions usually include words such as ‘autonomous’ and ‘free’ as well as the following explanation: ‘not dependent; not depending or contingent upon something else for existence, operation, etc.’
When working with a security consultant it’s essential that they’re able to offer you completely impartial advice and information that’s not influenced by some factor other than the needs of the client. Extensive knowledge of the market is a fundamental expectation, but the ability to offer truly ‘independent’ advice or information is imperative if the value of engaging a security consultant is to be fully realised.
Value propositions: deciding on strategic development
Every corporation looks for the ‘value proposition’ when deciding upon strategic and operational developments.
To professionally carry out our duties we all want to understand how a proposed change is going to impact our business and deliver a Return on Investment (RoI). Even if an operation has been functioning successfully, it’s fair to say there are always areas that could benefit from independent and objective review.
It has long been argued that RoI models focus too prominently on short term objectives at the expense of understanding true life costs and longer term strategy. RoI models also tend to take a ‘perfect world’ perspective and don’t always factor-in the sort of performance/technical problems that we all face from time to time.
An independent security consultant should have awareness of these issues. Applying their market, operational and technical knowledge enables them to work well with clients and provide long-term support that contributes to the overall consultancy ‘value proposition’ and manages delivery of the RoI.
The following seven ways in which to save money on your security budget share one overriding factor: they’re all part of the ‘value proposition’ that any independent security consultant should deliver.
Some factors are possibly more obvious than others while some deliver bigger savings, but one thing is for certain: without the involvement of a suitably experienced independent security consultant, exposure to the associated risks – both commercial and operational – could be far greater for the host organisation.
If implemented correctly, the following suggestions will have the potential to save your organisation money and reduce the overall security risk profile.
While it’s obviously true that an independent security consultant will charge for their service, the potential savings in terms of finance, time, business interruption and risk will generally outweigh any fees levied.
(1) Design of security systems
The design of a security system can be provided via a number of routes. It may be carried out by a system installer, a product manufacturer or even the client. While all three routes may eventually provide a working system, the question that should really be asked is whether they’re proposing the ‘best’ solution.
Installers normally work with a limited number of equipment manufacturers. They do this to make the management of programming, commissioning, service and maintenance more viable. Imagine an installation business with 40 engineers… Even if the company chose to work with only five core product manufacturers, just consider how many days’ training would be needed to ensure that adequate levels of competency were instilled within the engineering team?
Good installation companies will always offer a programme of continual learning to their employees but how many businesses can commit to hundreds of training hours each year? On the other hand, do you really want to trust your security system to a company that provides insufficient training for its staff?
Commercially there’s also a conflict. Installers who ‘over-engineer’ a system could be doing so to inflate the price of that solution. Even if an installer’s original design was used to acquire comparative quotations from some of its competitors, the process is flawed as it’s unlikely one of these other companies will comprehensively review the design at that point. They are more likely to offer a check price, encouraging the eventual decision to be made based on inaccurate or incorrect information.
Another option is that a manufacturer could offer a design service. The reality here is that they will only design a system around the use of their own equipment. This may provide a suitable solution, but the likelihood of that solution being right for every customer is highly unlikely (as, indeed, is the chance of it being the most cost-effective answer in every scenario).
A technically competent client could also undertake their own systems design. The main drawback in this instance is that the client also has a business to contribute to and the time needed to undertake research, talk to manufacturers, carry out the necessary reviews and surveys and write the system performance requirements, etc is unlikely to leave many hours in the day to fulfil his or her normal duties.
The hidden cost to the business increases still further when it comes to the project management of the installation and commissioning (and that’s without factoring-in the potential costs associated with vendor management and contract fulfilment).
The independent security consultant will consider many factors when designing a system. The most important issue, however, is that the consultant has the opportunity to define solutions to the clients’ security challenges with no other agenda in mind.
The consultant only seeks to find the right technical, practical and most cost-effective solution to meet the challenge.
(2) System service and maintenance
When considering the cost of a security system it’s imperative that life-cycle costs associated with maintaining the system are factored-in. It would be a false economy to select a system or item of equipment without understanding just how much it will cost to operate, service or maintain throughout its expected installed life.
The ability to maintain the system or system components should also be thoroughly understood. Unfortunately, it’s still the case today that, subsequent to the original procurement process, the equipment or system purchased ceases to be maintained adequately and, eventually, performance is impaired or the product/system stops working altogether.
The effort expended at the start of this cycle – to choose the right product or to buy it for the best available price – could be completely wasted, costing not only a great deal more money than originally planned but also significantly more time and effort in terms of addressing the original security issue.
The independent security consultant can assist throughout the life of a product or system. Regular system performance audits may be built-in to the annual maintenance budget. This way, not only can the client be assured that the system offers optimum protection against any related security threats but also that the system continues to meet the objectives defined in the original operational requirement.
In truth this saving could be quite substantial but, at the very least, knowing your security system is fully operational offers peace of mind.
(3) Developing an operational requirement
It’s a sad fact that, even today, very few clients have developed an operational requirement that acts as the ‘blueprint’ to guide the counter-measures that can be taken in response to any identified threats or risks.
Without an operational requirement in place it might be difficult to deliver long term, strategic measures in the most cost-effective manner. Organisations become more prone to ‘knee-jerk’ reactions over security incidents and find it more difficult to direct investment to the most appropriate area.
The operational requirement provides a way of reminding the business why certain decisions have been taken, along with mapping out the path required to address particular threats and risks and counter known vulnerabilities.
The operational requirement is generally at two levels. Level 1 provides the higher level, strategic direction and Level 2 the more detailed and specific measures. An organisation might publish the Level 1 operational requirement to define an overriding corporate approach to its security provision and then develop Level 2 operational requirements for each individual type of facility (differentiating, for example, between a manufacturing plant, a distribution warehouse and the corporate headquarters).
The independent security consultant will assist in the production of the Level 1 and Level 2 operational requirement after detailed consideration of many factors including the threats and risks that the business faces along with specific areas of vulnerability.
This process will allow the identification of ‘gaps’ in the current security measures and articulate the particular security needs of the business. It will allow a structured and considered process to be undertaken and help avoid panic purchases in response to particular incidents.
(4) Threat and risk analyses and vulnerability studies
One of the starting points when defining any security strategy has to be the threat and risks that a corporation faces along with areas of vulnerability that might be relevant. It’s only by fully appreciating both the generic and specific threats counter-measures can be defined that address the particular area of concern.
It’s quite common for organisations to have in place a substantial security infrastructure, but for the threats and risks along with any vulnerability not to have been properly identified. The process should be the subject of continual review to ensure the appropriateness of information contained and, once established, should form part of the strategic level documentation retained by the security management team.
Suitable ‘intelligence’ will be required to fully prepare a detailed study and careful consideration should be given to the source of that information.
The independent security consultant will be able to gather the pertinent information applicable to each client. It’s essential that the consultant has communication channels into a range of ‘intelligence’ sources along with the experience to interpret the information effectively.
By basing the budget and security provision requirements around the threats and risks that a business will face. By countering any found vulnerabilities, it will then be possible to target finance and resource to where it will be most effective. This will not only ensure the most appropriate use of resources at play but also minimise expenditure in non-effective areas.
(5) Policy and strategy development
This is not an area generally considered to save a company money and, as a consequence, can be overlooked in terms of delivering RoI. It has to be said that without a well written and auditable security policy in place, defining the actions necessary to deal with a security-related incident will only ever be an ad hoc process, in turn creating repetition of effort and replicated errors.
Publishing a clear security policy that provides a fully ‘joined-up’ strategic approach not only ensures a consistent and measured response to business security issues but also guards against spending money unnecessarily and using resources wastefully.
Once in place, policies and procedures can be audited against a schedule of pre-determined Key Performance Indicators and the quality of service refined and improved on a continual basis.
The independent security consultant will work in partnership with department heads and operational management ensuring the integration of all parts of the security policy so that they augment and protect the business wherever possible. This process often leads to a closer relationship with other business functions, such as the FM team and HR.
Such an extended level of communication can help to develop a greater appreciation of the security operation which, in turn, assists in realising the security agenda in years to come.
(6) Cost management
Probably one of the most obvious ways to save money on your security budget will be to closely control all associated costs. This can include anything from headcount to corporate security uniforms, and from system maintenance to stationery.
An independent security consultant will be able to assist in identifying areas of expenditure that could be reduced or where greater value might be derived. By using detailed analytical tools it will be possible to identify certain target areas that may include capital expenditure as well as maintenance/operational budgets.
Revised procedures may offer efficiency savings while the use of new or amended security strategies could improve auditable performance while returning value to the bottom line.
(7) Security training
As with many other areas of business, the security function can be broad ranging and complex. It’s essential that individuals develop core competency skills to deal with the breadth of subject manner and that specialist knowledge is imparted in an effective way.
The training needs of a security team should be assessed to fully understand the core competency levels and help identify shortcomings or particular areas of expertise.
Learning and training programmes can then be developed to target particular needs. Budgets may be developed to address specific requirements and savings can be made by focusing training resource where it will have the most beneficial effect.
A well developed learning and training programme can also have an advantageous effect on staff retention by helping to protect the investment made when an individual is employed. This alone can offer a significant saving as well as enabling a better quality service to be delivered to the business through better trained and more knowledgeable staff.
Jon Roadnight MSyI is a director of independent security consultant CornerStone
- Jon Roadnight has been working in the security sector for over 20 years. Having completed a Management Development course at Thorn Security during the mid-1990s, in 1998 he founded – along with business partner Narinder Dio – the Pearl Security Group which was established as a systems integrator. After six successful years, Roadnight and Dio sold the business to Novar plc.
- Following a short spell as the director, head of systems at OCS, Roadnight once again joined forces with Dio in 2006 and CornerStone was formed as a specialist security consultancy practice (www.CornerStonegrg.co.uk)
- The business has developed well and, for the last four years, has been a finalist in the Security Consultant of the Year category at the Security Excellence Awards. In 2011, the company won both the Security Consultant of the Year Award as well as the International Achievement Award.
- CornerStone provides a broad range of services from threat and risk assessments, physical security design and performance management through to project management functions as well as focusing on a number of specialist areas (among them PSIM design and implementation, hostile vehicle mitigation and policy and strategy development to name but a few).