In research terms we know relatively little about corporate security. True, there have been some very good studies in recent years, and work we’ve undertaken – and which we’re currently conducting under the umbrella of the Security Research Initiative (SRI) – has added some depth, but what’s the real story?
We know that the role of security functions vary, incorporating different activities and duties. We also know that the status of heads of security varies, as do their reporting lines, and that levels of expectation placed upon the security function can differ markedly from one organisation to the next.
We’ve summarised at least two ‘Schools of Thought’ on the role of the head of the security function. The traditionalists view security as a service function, one that inevitably incurs costs on the bottom line, and position themselves very much as advisors to the effective policing of the organisation.
Conversely, the ‘modern entrepreneur’ type defines security as a function that enhances the organisation’s value. Security is a contributor – rather than a cost – to the bottom line. This view espouses business acumen as being at least as important as security expertise.
Security and its evaluation
Last year, as part of the SRI we interviewed some Board directors. One of the key points to emerge was that they didn’t find it easy to evaluate how good their security was in the real world. If serious incidents occurred, if many incidents transpired or there were increases in security-related concerns, it became clear something was wrong. Often, good amelioration measures were found not to exist. The absence of these indicators might just mean these Board directors were lucky.
Research with suppliers over the years has also been instructive. What they’ve confirmed is that organisations for whom they provide security harbour different approaches to the discipline. Some know exactly where they are going, are informed by a strategy and committed to quality. Under such circumstances it’s then possible for a good supplier to shine.
In other cases, security functions have little understanding of their own risks, haven’t thought through how the various elements of security fit together and, as a consequence, it’s very difficult for a security supplier – even a good one – to be appreciated by the company.
Security Benchmarking Tool
So how can Board directors determine whether their security function is working to optimal performance? How might security directors work out how good their security function is compared to those of others? How may security suppliers (of all types) assist the security functions they work with to understand their strengths and weaknesses – and then help them to rectify any discernible deficiencies?
The Security Benchmarking Tool is based solely on those features of a security function – 139 in all – that are absolutely crucial to its success. Much of the research work conducted by way of identifying these essential features has emanated from contact with security managers and security companies as well as global reviews of standards and practices. The elements have then been revised by experts.
For example, it’s crucial that security functions be guided by a security strategy with approval from the Board, and that they conduct effective assessments of their security risks at regular intervals. Using the Benchmarking Tool will enable heads of security to determine how well their organisation measures up.
Put simply, the Security Benchmarking Tool enables security directors and managers to:
- generate a score for five different aspects of security that will help to identify areas of strength and weakness;
- benchmark their security function against defined Best Practice elsewhere;
- guide them towards areas which must be better understood;
- determine – and then really start to focus on – security priorities.
Focusing on key roles
The Security Benchmarking Tool invites security professionals to think about (and then provide responses to) five key aspects of security (known as the five Rs): the role of security within the organisation, a review of security threats, the mechanisms in place to manage security during a ‘response phase’, the recognition of security inside the company and what results it generates.
In an ideal world, all security functions should be the product of a series of processes and documentation.
For example, a security risk assessment and security audit ought to lead to a security strategy document outlining a range of Board-agreed objectives setting out how these ‘wants’ will be achieved. This section will determine how well your security operation is supported by members of the Board and senior management and, equally, how much of the necessary documentation is in place.
The risk assessment and security audit form the basis for identifying all the potential hazards faced by an organisation. They also provide the mechanism from which operational procedures – encompassing technical systems, documentation, training and manpower – should flow. Measurement of risk is a subjective process involving the identification of past incident history as a means of projecting future developments.
In essence, this section of the Security Benchmarking Tool will help you determine how complete and robust your operation’s audit and incident recording processes are, and assess their level of dynamism.
Dynamic measuring process
The management of security measures is a dynamic process requiring a constant review of incident trends, changing legislation, corporate assets, the corporate risk ‘appetite’ and the appropriateness of security processes and documentation.
This section will determine how well the organisation maintains sound liaison with other organisational departments and outside agencies, and how effective current measures are at maintaining a secure and safe environment appropriate to defined threats.
Perception and awareness of security measures within an organisation are essential to the successful functioning of security systems, manpower and procedures. A lack of awareness and understanding of the importance of security practices by staff including senior managers can often disable a well thought-out and appropriate strategy.
This section will determine to what degree members of staff are aware of – and how much they understand – the security programme, and to what extent they’re in direct alignment with its objectives.
Ultimately, security is only of use if it’s effective, and it’s notoriously difficult to determine whether the security function delivers results. Here we have identified some of the key issues that security managers have told us impact directly on the performance of their function.
End user feedback to date
Necessarily, we carried out much research among potential users of the Security Benchmarking Tool on the basis that it needs to be easy to use, while the results have to be of genuine value. 16 companies have already completed the Security Benchmarking Tool exercise. That’s a good start, and they’re now making effective use of the findings.
Two prominent security professionals have offered us some useful feedback. Joe Greenan – security and Health and Safety manager at Allen and Overy – comments: “The Security Benchmarking Tool will not only allow enterprises to benchmark their organisation against others in the industry, but the common thread is that it will identify weaknesses and provide a structure for determining cost- effective security priorities.”
In addition, John Hall (security manager for BMW) explains: “This is without doubt the most innovative security measurement software I’ve ever used. For a long time now I have wanted to independently understand how successful and effective our security systems, policies and procedures are in the real world. I’m very much looking forward to sharing my results with other practising security professionals across the private sector.”
Both free and anonymous
The Security Benchmarking Tool is a self-completion tool, and it’s both free and totally anonymous. Only the person completing the exercise will be provided with the results.
PRCI is committed to developing Best Practice and being associated with initiatives that help in this regard. Ultimately, we want to determine trends in findings from around the world, and across different market sectors.
- To access the Security Benchmarking Tool, log on to the Internet at: www.perpetuityconsultancy.com/benchmarking.html