Security projects are typically not very sexy. They don’t necessarily improve the look of the building, increase sales, or provide an immediate return on investment. But security does bring long-term returns to the organization. The challenge for facility and security managers is finding ways to secure funding for security upgrades.
One important obstacle to obtaining security funding is that top executives don’t like to think about security, and it’s not because they don’t see the value in it. According to Maslow’s Hierarchy of Needs, basic and psychological needs must be met in order to focus on higher needs. The highest level is self-actualization and this is the level on which most executives operate. One of the basic needs is for security. When self-actualization is disrupted by security needs, it can be upsetting to executives. If there were a security breach that caused a serious disruption or loss, executives would need to focus on recovery, steps to prevent the breach from occurring again, and reassuring employees and stakeholders. Top executive, like most people, do not want to think about, plan for, or respond to security related issues. It’s human nature, and it works against those looking to fund security initiatives.
Juliette Kayyem from the Harvard Kennedy School of Government found that “the general public has an unrealistic expectation of pure security; however, they have little interest in the preparedness process. Interest in security peaks during a time of crisis and the public has little to no tolerance for breaches of security.” Kayyem’s research is another example of how the general public and executives don’t typically like to focus on security and thus funding security projects can be difficult.
Understanding that human nature can sometimes work against obtaining security funding, facility and security managers need tools and techniques to ensure that important security initiatives and objectives are achieved. When budgets are tight, multiple techniques may need to be deployed. Here are six steps that can help.
1. Use Research to Make the Case for Security Funding
When trying to fund any initiative, it is helpful to have research that validates the importance of the initiative. A study that may be helpful for obtaining security and risk management funding was conducted by Oxford Metrica and Ernst & Young. The “Risks That Matter” study found the following:
• There is a clear, empirical connection between risk management and shareholder value performance.
• High quality risk management is strongly correlated with low cash flow volatility.
• Risk management is a strategic issue and an essential aspect of corporate governance procedures.
• When asset protection fails, the value impact can be significant and is typically destiny-determining – meaning stock prices may never recover to previous levels.
Citing these findings and sharing the study may be helpful in obtaining long-term funding for security and risk management initiatives. The study clearly shows that funding risk management and security initiatives is prudent and can help prevent and manage incidents so that shareholder value is not adversely affected.
2. Conduct a Risk Assessment
A great tool for obtaining long-term funding for security projects is an all-hazards risk assessment. A good assessment can be prepared quickly and will quantify risk of natural hazards and human threats. The assessment should have practical and realistic recommendations on how to best mitigate risk. Recommendations should be accompanied by cost estimates and phased implementation plans. The assessment should include all departments: security, facilities, IT, operations, executives, human resources, legal, marketing, and others as appropriate. The assessment can be used as a method of obtaining funding over multiple years and can serve as a check list for security projects and initiatives.
3. Make the Link to Cybersecurity
Good risk assessments also examine physical security as it relates to cybersecurity. For most companies today, cybersecurity is a major concern: Breaches can have a major impact on customers, operations, reputation, cash flow, and share price. It’s critical to protect physical perimeters, pathways to IT assets, IDF closets, MDF closets, and data centers; these projects are typically well funded.
4. Crash the Capital-Projects Party
When capital projects are being planned, security should be included. This is a good opportunity to upgrade systems and implement new technologies. Security is typically inexpensive when compared to other items in the plan. For example, in a recent office renovation, security was less than 3 percent of the total budget, which included a major upgrade of the enterprise access control and video software. This upgrade was a benefit to the entire U.S. operation.
Some good allies in the budget process are the finance department and IT. The finance department can be helpful in including security in the funding process and can ensure that security is part of the capital planning process. IT can help offset some funds for electronic security equipment like servers, switches, and cabling. Additionally, IT departments are typically very good at getting projects funded so they are typically good friends to take the facility manager to the capital-projects party!
5. Perform Benchmark Studies
Executives like to “keep up with the Joneses.” Conducting benchmark studies is a good way to measure a security program against peer and aspirant institutions. Conducting these studies is simple and inexpensive. Free survey tools are abundant and the results can be very powerful. A recent study showed that almost all organizations that participated in the study had a disproportionately low amount of spending compared to the risk value involved: The most high-risk facilities across the participating organizations were not appropriately funded. This study helped organizations that participated in obtaining funding for their high-risk facilities.
6. Keep Your Systems Up-to-Date
It is critical to keep systems current with the latest patches, licenses, and upgrades. Servers, workstations, and network video recorders (like other computer and IT equipment) should also have planned lifecycles and be replaced every three to five years. And service and support agreements should be in place with the security systems integrator. Having these “maintenance” lines in a budget on an annual basis will keep the electronic security system up to date and functional. After initial installation of systems, 15 percent of all dollars spent should be carried for support and maintenance annually. Failing to account for this can lead to systems vulnerable to outside attack, poor system performance, and even system failure.
Daniel O'Neill (doneill@adrm-llc.com) has 20 years of security consulting experience. He is the founder and CEO of Advanced Data Risk Management (ADRM), a risk management and security engineering company. His firm conducted the benchmarking study of security investment in high-risk facilities.
