Previous research work conducted under the auspices of the Security Research Initiative (SRI) suggested that there is now a genuine need for security functions to show how they add value to the host organisation. If not, there’s a real risk they’ll be marginalised in what is now an increasingly competitive and cost-conscious business environment.
On that basis, the final project in Phase One of the SRI sought to question clients on their views of the security service/function. We decided to target a representative sample of 500 members belonging to the Institute of Directors (IoD), supplemented by nine in-depth interviews with Board members responsible for security across their organisation.
To be frank, the findings are quite striking. On average, the security function is considered by almost two-thirds of respondents to make an exceptional contribution to the success of an organisation, while only a quarter believed its contribution to be minimal.
Although security was ranked fifth out of seven – lagging behind sales, finance, Human Resources (HR) and marketing – the ranking scores were close. Security was rated higher than facilities and very near to HR and finance. Clearly, in many concerns it’s not seen as the poor relation. That’s welcome news indeed.
Internet and computer security
The interviews were used to explore what was understood by the word ‘security’ a little further, with questions addressed as to whether Internet and computer security (firewalls, anti-virus software, etc), physical (guarding, intruder alarms, CCTV) and personnel security (follow-up references, police checks, etc) help organisations to meet their targets. Internet and computer security were viewed most positively. They pervade our working life, of course, and there are legal requirements around issues such as the confidentiality of customer information.
While personnel and physical security are perceived as adding less value, the mean scores calculated suggest they are viewed as being very important.
Interestingly, when asked whether these same three areas offer value for money, a similar result emerged. With a score of 83%, Internet and computer security is seen as adding value. While the same trend is also apparent in terms of personnel and physical security, these aspects were not rated to the same degree.
Respondents were also asked whether various elements of security – electronic security precautions, defined security policy communicated to staff, personnel checks (following-up on references, etc), physical security (fences, gates, locks), alarms and CCTV monitoring and on-site security personnel – are seen as a cost or the generator of a competitive advantage.
In terms of generating a competitive advantage, electronic security precautions were awarded the highest average score. Again, synergy emerges between this finding and earlier ones, which suggests that Internet and computer security are both cost-effective and add value to client organisations.
Explanation and dissemination
Four security measures – physical security, alarm contractors, CCTV monitoring and on-site security officers – were awarded average scores pushing them towards the lower echelon of the seven-point scale used. There is a very real need, it seems, for the security industry to explain and disseminate the value these physical security measures can generate for organisations.
Moreover, having a “defined security policy communicated to all staff” – viewed as being so important by so many security experts – was rated only fractionally above a neutral response. 30% of respondents awarded low scores to this measure, confirming that it’s more of a cost without sufficient benefit than a source of competitive advantage. This also highlights that many respondents don’t see how different types of physical security measure make them competitive (particularly so in the case of security officers).
A more detailed exploration of the IoD sample reveals that those companies with a low number of employees (ie under 100) and a low annual turnover – of below £10 million – tend to rate on-site personnel and CCTV as more of a cost than a benefit. This supports the finding that emerged across responses in the survey suggesting smaller organisations are less likely to report security adding value.
Respondents were also asked to rate a list of factors – again on a scale of one to seven – in establishing which factors contribute towards security being viewed as effective. A rating of seven denotes that the factor has a positive impact on security effectiveness, whereas a score of one denotes a negative influence.
Here are the factors complete with their mean score and number of responses:
- attitude of the head of the company (6.1, 487);
- culture within the organisation (5.5, 477);
- security technology (4.8, 479);
- rules and regulations (4.5, 482);
- measuring the number and type of security incidents (4.2, 465);
- security officers (2.6, 409).
Attitude and culture ‘crucial’
The results illustrate that attitudes and culture are seen as critical to the success of security within those organisations questioned. The attitude of the head of the company towards security was rated as the most influential factor. 87% of respondents awarded this factor a score of five, six or seven. The message is clear – the security sector must influence the heads of companies.
It’s very significant that security officers received an average score of 2.6, and are perceived to have a negative influence on the security of organisations. It’s worth noting, though, that those companies with a higher annual turnover assessed the impact of security officers in a far more positive light than those with a lower turnover.
In terms of the interviews conducted with senior members of organisations who have some sort of Board level responsibility for security, one point that emerged is that Board members aren’t generally set specific objectives about security. Some suggested their security function operates without a strategy, and it wasn’t evident they were able to articulate the ways in which the security function contributes to business objectives.
While those Board members questioned are supportive of their head of security, they generally feel it unlikely that security specialists would join the Board as they “lack the all-round business experience and the requisite skills sets”.
One of the questions they were asked is what would need to change in order for security to be accorded a higher status within the organisation. The main observations made were as follows:
- the recruitment of high quality people to improve the perception of security;
- obtaining senior level support for the security function and what it’s ultimately trying to achieve;
- Security Departments need to raise awareness of the tasks they perform and how these impact positively on the core business.
Security: the poor relation?
One of the most important findings to emerge is that security isn’t regarded as the poor relation of other business functions. It has its doubters, but then so do other functions (like HR and procurement). Security need not consider itself less important.
Nonetheless, some aspects of security are rated more highly than others. There is scope, then, to do better. Indeed, there is much more security can – and should – do to raise its profile and outline how it might contribute to an organisation’s competitive advantage or overall success.
In considering the overall findings, what needs to be done? First, we must place business studies subjects into the core curriculum of security management training at all levels. Also, we need to develop tools and templates, providing examples of how security can add value and act as a business enabler. These need to be made available such that security practitioners can use them.
Security can add value, but this needs to be explained to business leaders and the heads of all organisational functions. How can we do this? By addressing other sectors’ conferences – or organising joint events – and writing in industry-specific journals. Security personnel must then adopt the principles in practice.
On organisational culture
Security needs to be seen to influence organisational culture, but what are the best ways of doing so? What have been the experiences of security managers in this area and what can be learned? What are the best ways of building security practices into the working lives of employees who commonly have other priorities?
Security contractors aren’t always afforded the chance to maximise their impact. We need to understand how organisations can best manage service providers. In short, what does Best Practice look like?
We also need to develop a way of making it easier for organisations to benchmark their security performance. Where they know they’re operating below optimal performance, it’s likely to provide a catalyst for change.