Cost, culture or consequence?
Over the past number of months, I’ve conducted numerous security reviews on sites across a broad range of industries and business types. These reviews are usually requested in response to something having happened. For example, it might have been a security incident, near miss or a penetration test. So usually I’ll arrive on site and do my walk-through and meet with the stakeholders and talk about security and what they want to achieve. I’ll meet with the staff and look at the policies, and the end result is a security report with my findings and, most importantly, my recommendations for physical and other security improvements. The quality or content of my report is not what I wish to talk about here, however. What I wish to discuss is the diversity of reasons why clients choose to adopt or ignore my recommendations. From my observations this year, businesses make decisions on physical security measures based on 3 criteria: culture, cost and consequence. All valid considerations and all worth looking at in more detail.
Importance of the 3C’s.
I believe that understanding these 3 criteria is a very important concept for everybody in the security industry. From frontline staff who may be wondering why their employer won’t invest, to vendors trying to sell a product and consultants recommending a solution, these criteria impact us all. I’ve seen clients make decisions that don’t necessarily make them more secure but are cheaper or fit better with their culture. I’ve also seen clients make decisions that don’t fit with their culture and cost a lot of money because they fear the consequence of not doing so. The point I make is this. When I compile a report, I assess each risk I see and score it on a matrix. I then give a number of options to the client to address that risk and score the residual risk left over if the client adopts each option. Invariably the client doesn’t go with the option that reduces risk the most; they go with the option that best suits whichever of the 3 criteria they are most worried about.
Security culture is important to clients and their employees whether they know it or not. That’s not necessarily a good thing either. A security culture can be good or bad but nevertheless important. A business can have a very relaxed security culture with regard to physical security such as access controls, CCTV and manned security but that relaxed culture may be important to employees as it fits with the overall business culture. Introducing physical security measures which increase safety and security but decrease convenience and freedom of access may not be received positively even if it is for the best. The ‘it’s not the way we do things around here’ rationale is alive and well with many businesses. I recently gave a client a recommendation of installing access control turnstiles in their building lobby. This would have greatly reduced the risk they wanted addressed, it had a cost (not nearly as high as some alternatives or as the consequence) but they didn’t go with the idea because it didn’t fit the culture of the building or the business.
Fear of consequence is a big thing in business. It doesn’t have to be a real fear either. Perception is reality in most cases. I’ve seen countless knee-jerk reactions where huge money has been spent on physical security measures after an incident or near miss. The investment sometimes isn’t necessary or even effective, but the value of being seen to do something and the consequence of not doing so creates a fear of doing nothing. Fear can be a big driver in business, especially when it comes to security: both a realistic fear that something really bad may happen, and a perceived fear of inaction. If I don’t do something and something does happen (however unrealistic) then there is consequence for me. Also, if I’m not seen to do something then I’m seen as weak or not security conscious. Of course, consequence should be considered when risk assessing and designing control measures, but it can’t be the only factor.
Of course, the old reliable cost factor will always be there. To be fair, sometimes it’s a viable reason not to do something. If the potential cost is weighed against the risk, then perhaps not doing something and accepting the risk or providing alternate mitigation is correct. The issue occurs where there is a significant risk and the only viable mitigation has a high cost. Now the debate becomes about which is more important to the business. A risk left uncontrolled because of cost alone is a dangerous route to go down, especially if something goes wrong. Cost is more than just money though. Cost could be in terms of time, quality of service and reputation or brand. For example, I know a security company who withdrew call out services from a particular area because they risk assessed it as unsafe to attend alone. The client was paying a set fee per call out and didn’t want to increase. The company didn’t want the additional cost of double staffing the call out and accepted that it required a drop in quality of service to do it single crewed, so they withdrew physical security response from that client. Being realistic, however, financial cost is the main driver of cost decisions. Physical security measures will always be seen as a profit taker, not a profit maker, and this is a key driver when it comes to business decisions. If it was your money, where would you spend it if you didn’t understand security?
Why is this important?
I think it’s important for all security operatives and particularly supervisors and managers to understand these concepts when it comes to physical security measures. As a security operative on the front line we see only immediate security needs. I need this camera, access control, wall, fence or turnstile to be effective at my role. I need it, therefore I should have it, and if it’s not given then management don’t care about security. It’s an easy mindset to slip into. Understanding why this is the case is often not seen as important, nor is looking at alternatives to mitigate the risk.
I said earlier that it’s especially important for security supervisors and managers. I say this because these are usually the people who have to tell the front-line staff why they can’t have a particular physical security measure. If they don’t understand the why behind it then they can’t explain it to staff. It comes back to the old discussion for security managers. Do you want a security manager from a security background and teach them management or from a management background and teach them security? My experience is that for making and understanding physical security decisions a security background is preferable, for understanding the reasons why this isn’t done a business background is better, and to be an effective security manager both are important.
Understanding the risks and decision-making processes of physical security measures is important. Walls, cameras and access controls don’t make you safe. They add to the overall effectiveness of your security system. The lack of walls and cameras may make you less safe but understanding why can make it a whole lot easier to mitigate or accept.
Tony is a highly respected specialist in the field of security, safety and the management of conflict and risk in organisations. As a top industry consultant, on a daily basis, he is helping organisations develop solutions to their risk management and conflict management processes through designing training, policy and risk assessments to meet real world challenges. He’s also qualified as an expert witness in the use of force, and most security related fields. He is also a QQI subject matter expert for the security and safety sectors and winner of the 2016 IITD Rising Star Award.