Measuring Security Value

One of the biggest challenges facing any organization with a security department is: How to Explain (read: Justify) Utility of Security Operations? What Value do these operations bring to the overall bottom line? 

While senior managers, board members and general public accept the notional need for having security procedures and personnel in place since 9/11, most of those who run these operations have difficulty with providing answers beyond the mere "That's just it, we need it!" The situation is prevalent in many countries, but in Canada it is compounded by a simple fact that we have not (thankfully) experienced serious security incidents. Bad things just do not happen here.

As a result, there is a notion in many organizations that Security is a necessary evil that must be accepted, while relegated to a dark corner where security officers tend to aggregate for coffee breaks anyway. The only serious act of terrorism in this country occurred in 1985 when Air India flight 185 originating from Montreal exploded over the Atlantic Ocean killing all on board. The tragic event, however, did not generate a more serious consideration of how security operations should be engineered, conducted and measured to ensure proactive and efficient delivery of this necessary service. 

In our experience, one can spot immediately whether an organization takes security seriously. If a security manager can close the conversational loop by referring to TRAs, key performance indicators and measurable outcomes, you know you're dealing with a professional. Security value goes beyond devising metrics of how much personnel and hardware cost, or how many bad guys interviewed/arrested or prohibited items intercepted. If the evaluation is conducted in earnest and includes all aspects of organizational preparedness, resilience and service delivery, the benefits (i.e. value) will be far reaching:

• critical assessment of existing solutions leading to potential improvement in services (security, but also customer service)
• better selected and more professional security force (higher morale; better performance metrics)
• elevated security & safety awareness among employees, customers and stakeholders
• tighter budget expenditures, with more accountability and controls
• improved organizational standing vs competition and in the public domain

The process of measuring security value should be seen as a continuous effort on the part of security managers and senior executives, and become an integral part of regular reviews. It is not an easy one to conduct in an existing organization with established procedures and expectations. If introduced without adequate preparation and communications it may become acrimonious – who knows what performance measurements will bring about? Also, some aspects of security operations, such as deterrence, cannot always be adequately measured. However, this should be weighed against the benefits listed above which will undoubtedly bring about a significant improvement in overall organizational performance and service delivery. We can bet on it.