Is security just like any other organisational function, or is it distinct in some way? It’s vitally important to understand this issue because some practitioners – with a good many procurers among them – tend to view security in the same light as the cleaning function. Others – most notably some facilities managers – see security as a ‘bit part player’ in the management of a building.
Let’s not be surprised if these groups’ treatment of security reflects their own views. Is the security function really different? If so, in what ways? How might we articulate those differences such that we can attract more respectability to the security role in corporate organisations?
Interviewees who took part in Perpetuity Research and Consultancy International’s (PRCI) ‘Demonstrating the Value of Security’ survey were asked about the characteristics of the discipline. The answers suggest there are perhaps six characteristics – best described as distinct rather than unique – that help define the security function. They are well worth thinking about.
The first is that security affects all aspects of the business, every location and every process. Therefore, it has the potential to impact positively if managed well, and negatively if not managed at all. Either way, the impact can be considerable. Similarly, and on the second point, security always involves all staff and visitors, guests and contractors. All are potential victims of failures in security provision and management. Conversely, all are potential allies in the aim of creating good security. It’s probably the case that all are essential allies in generating the best security.
Third, if security as a function fails then the consequences could be dramatic. There are plenty of examples of occasions when security failures have resulted in the death of the organisation. Lesser cases can result in serious damage to reputation and profits.
Fourth, in worse case scenarios security failures may well result in loss of life. There are few redeeming strategies available in such instances, of course.
Fifth, security is a function that involves internal and external events and, sixth, security events are unpredictable. In the latter two cases, a fair degree of skill is needed to assess the environment and match responses to reduce and manage security risks.
Influential and yet marginalised
How is it possible that a function with such awesome and influential credentials is typically so marginalised within organisations?
The answer to this particular question affords us clues as to how we might seek to rectify the situation. As one security professional noted during our studies, the problem could well be one of perception. “In my company,” he said, “security is the second or third most important item on the agenda. In other organisations, it doesn’t make the Top Ten. Why don’t people like security or value it in any way? Most probably because they have stumbled upon the charlatans who talk the talk but don’t have the knowledge or skills to be able to deliver on their rhetoric.”
Indeed, there was a lot of discussion about the quality of the security function, and a widespread feeling that it lacks respectability [among those at the highest levels, too]. During interviews conducted with senior personnel in the industry – ie members of what might be described as ‘elite groups’ – I asked them how many of their immediate peer group did they feel have the necessary skills to manage security effectively. The most anyone said was 25%, but the majority felt the figure was much less. Not pretty reading.
For example, one security manager commented: “Without wishing to make a pariah of myself… most senior security personnel are just plain thick. Many cannot write down basic policy or process even if they do understand what needs to be achieved, and they cannot articulate a business case. More often than not, security sets itself apart from business and related functions as an entity in its own right. I think this contributes to senior managers’ frustrations when they do not receive the level of support they think is right for the company they are protecting. This manifests itself at all levels, from an inability to create a genuinely effective governance structure through to the inability to articulate why one solutions supplier should be chosen over another.”
One of the main criticisms was that security personnel – and, in particular, senior security staff – are simply not business ‘savvy’. They lack knowledge of business processes and are unable to speak the language of the commercial world. Another security manager stated: “If security has to talk about a business language, so the vocabulary has to change. Very few security professionals really understand profit and loss, let alone the balance sheet. This is the lifeblood of some departments. If you don’t have the right vocabulary in your armoury you are working at the operational rather than the strategic level. You will miss out strategically. You’ll not be able to talk to large parts of the company.”
Security skills or business acumen?
Of course this does raise a fundamental point concerning the skills of senior management. Which is the most important? Security skills or business acumen? The ideal answer is both, of course, but given that all-too-often senior appointments come with one or the other it is perfectly legitimate to push for an answer. Not surprisingly, the views elicited by our interviews varied markedly.
Some felt strongly that security skills have the edge. “Security skills and business skills you can learn,” opined one interviewee. “I have been in the police service and was successful in that environment. You experience a gut feeling for the role. CCTV operators will say the same. Security skills are often learned on the job. For directors, budgets, profit and loss issues are important every month, but you can learn them in a week. You cannot learn security skills in the same timescale. It is a longer, hands-on role.”
Others articulated the case for business acumen being of greater importance. “What are we there for?” questioned one security director. “A person with well-rounded business skills can manage any situation. As for the security expert, I don’t think they stand a chance unless they have sound management and behavioural skills. In the corporate world, business skills come first every time these days.”
The more senior the interviewee, the more likely he or she was to argue that business acumen was a dominant – if not the major – skills set needed. Some contested that the security director in particular needed business skills because security skills can exist further down the hierarchy. Of course, much depends on what the role of the security function actually is. In some cases, security may be an advisory role operating on the fringes of the organisation. In others it is at the heart of every business process. In the former there is a real danger security can be marginalised, whereas in the latter it’s an essential element.
Then there’s the process of adding value. Some managers said it was easy to add value (for example, in situations where they had taken on a department formerly in disarray). However, even in such cases there is still the problem of collecting relevant metrics to prove a case. Some practitioners admitted that these were not collected at all, or only badly. This, they suggested, is a further problem for the security sector.
As one security expert noted: “The problem is that there’s not many formal processes for implementing projects within the loss prevention world. People will place security officers on site without justifying the expenditure. There’s not a formal process required by their company as to what is the need and what is the outcome. If you ask them they’ll say they know why they want security guarding in place, but press them to define it in the way other businessmen are asked to do and they will struggle. They have no objective benchmark against which they can measure.”
Demanding a business-like approach
Others noted that their unit did not collect metrics, but that they were able to use information collected by other departments (or from clients, or perhaps used sector statistics).
Some were more progressive, and showed how they collected a range of information enabling them to highlight in which way(s) they had been successful.
In some sectors – retail being a case in point – different types of value calculation were in evidence, but all-too-often they were no more than rudimentary. Some noted that the organisations for whom they work did not demand such from security, and so they didn’t feel duty bound to provide it.
Indeed, this issue is at the heart of the problem. Many organisations – even the well-respected and established companies – don’t demand a truly business-like approach from their security function, and all-too-often security has not demanded this of itself. The importance of the Best Value for Business Campaign is that it seeks to encourage security to demand more from itself. It has a crucial role to play in every organisation, but current practice would suggest that it’s far too short of the realistic potential needed to really influence everyday business life.
It’s important to stress that some interviewees followed a security strategy attuned to commercial reality. There are security functions that place a lot of emphasis on collecting metrics and using these to show how security impacts on the bottom line and contributes to organisational life. In these cases, the security function adopted a very business-like approach. Others, perhaps less accustomed to collecting metrics – although generally accepting that this would be a necessary route for the future – still saw security as endemic to every business process.
Then there are those who do not see – and indeed have never seen – security as anything other than a necessary cost on the bottom line. Many admitted that they – or at the very least the security function within which they operate – had been inadequate in promoting or advertising what they did (or could do) to assist and/or benefit colleagues across the organisation. Many security people underestimate the potential contribution of the security function.
As one security practitioner noted, if security does not speak the language of business it cannot be treated as an equal, and if it speaks a ‘foreign language’ it must expect to be treated with a blank expression.
If there’s no security strategy to link security provision – or if there is one but it’s not linked to organisational objectives and justified by a business case that’s aligned with business processes – then it’s little wonder the security function is marginalised. If there’s no systematic attempt to collect metrics then how can security establish its case, let alone prove it? Security functions need business acumen alongside security expertise, yet the former doesn’t always exist.
Serious implications lie in wait
There are serious implications. Unless security realises its potential, there’s a very real danger that more progressive functions – among them facilities management – will encroach still further on the territory once seen as the preserve of those with security expertise.
One of the main losers in that scenario will be the suppliers of security services and solutions. Unless they are able to tap into a meaningful, co-ordinated and competent organisational security strategy they are forever likely to be viewed as bit-part players.
At one point in ‘Demonstrating the Value of Security’, the commentary notes: “We need to move away from CEOs doing things because they have to, to one where they do something because they understand why.”
Security is one of the few remaining areas of business where there is still an enormous potential to increase value. There is now a pressing need to begin explaining just that. The Best Value for Business Campaign is designed to focus everyone’s thoughts on this issue, and to spark ideas to frame the best way forward. Join in the debate. Today. n
