It’s an accountant’s world, and we’re the reason they’re running out of red ink. Or at least that’s the story we’ve been told since Allan Pinkerton was breaking into the industry. This is the rub of a unique and necessary “evil” known as security. And we’ve been forced to measure security all the time.
I’ll break it down for you with a quick business 101. The purpose of a for-profit business is to, well, make a profit. Maximizing profit while minimizing cost, that’s the ultimate goal. Security doesn’t do either of those things, we don’t make a company money, and we certainly aren’t lowering costs. At least not as far as the income statements typically read.
I know what you’re thinking: reduction of liability this and business continuity that. The answer is yes, but let’s start being realistic about what security is measuring and how we justify our cost to a company.
The Bear Repellent as a Tool to Measure Security
Too often are we toeing the line of “security theater,” creating unnecessary reports and analyzing potential threats that just don’t happen. Of course, we are able to mitigate those threats with unwavering efficiency because they just don’t happen.
CFO: “What’s this expense for USD5,000 for bear repellent?”
Security manager: “I was able to save the company USD200 million dollars by spraying the perimeter with bear repellent.”
CFO: “Can you elaborate on that?”
Security manager: “Well, we have 200 employees, and the average accidental death is about a million dollars per person, and not one person has been killed or even attacked by a bear.”
CFO: “Once again, you’ve proved yourself a master of your craft. Our New York City Time Square office is safe once again from bear attacks.”
Of course, the above is a hyperbole of the state business, and security may often find themselves. Security looking for answers to questions no one asked, and businesses afraid to ask questions no one really understands or knows to ask.
So what are we measuring if not the number of bear attacks filled last January compared to this January?
How about we start to measure what matters, as we cannot really measure security as such. As a group of intelligent individuals, we recognize that the qualitative work that is security is largely an intangible cost and won’t fit neatly into an accountant’s P&L statement.
Why Does a Security Professional Exist?
But back to what matters. What does matter, and how do we measure it? How do we measure security? That is a great question; have you asked it? It’s a radical idea, but what is the point of your existence as a security professional? Not to get too philosophical or mystical, but honestly, can you answer that question? More importantly, is that well defined by the entity that writes your check? I’ll go out on a limb and say no, not really.
So here is what we’re doing wrong. We are preventing bear attacks and feeling good about it. The company tolerates us and gives security credit where credit is due: not a single bear attack.
Here is where we, as an industry, can actually start to carry our own weight. What if we did what mattered to the company we provided security for? It sounds like a tough question until you realize all public companies spoon-feed you the very information you need to be relevant in their 10-k/10-Q reports.
If you’re not a publicly-traded company (or even if you are), what if you just built the relationships needed and the rapport within the executive level to ensure your role is well defined and meeting the needs of the business.
If you’re half worth your weight in salt as the CSO, head of security or some other fancy equivalent title, you better have the ear or ears of several executives. Not by selling the scary but by solving their problems and alleviating their concerns. Security is a service industry. Never forget that.
The Unbridled Quest for the Holy Grail
I assure you that you don’t have to sell me on security. I know its value, I’ve seen it in action at its best, and I’ve seen it fall flat on its face when it was most critical.
We have an essential role, and for what it’s worth, I think most of us are doing our best to ensure the safety and security of people, property, and reputation of what we’re charged with protecting. The argument is we’re a victim of our unbridled quest for the Holy Grail of business, proving our worth with data. So, that very question has created an amalgamation of pointless data points we waste our time creating and selling.
Unfortunately, this article won’t be able to provide the answer we are all looking for because it doesn’t exist the same way every other department can speak to. The marketing team can see data that will prove or disprove a marketing campaign was successful, ROI. That extra salesperson improved widget sales by 15% percent, thus justifying the expense of that position.
The Security ROI
What’s the return on investment on preventing something that never occurred? Those trade secrets were safe with one security guard, and now they are triple safe with three security guards? The principal wasn’t attacked today; great. Was that because of his diamond formation around him as he walked to the office breakroom, was it just his lucky day, or maybe you’re protecting him from a bear attack… How are we selling our services and justifying our very existence as an industry?
That is something each business, in conjunction with security, needs to ask itself. What we must do is be real and true to ourselves. Security is not marketing or sales. We cannot measure ourselves to the same standards. We cannot measure security per se. Trying to do so is a disservice to our employers and our profession. Statistics can prove anything you want them to, but just because you can doesn’t mean you should.
So what am I really trying to say? Stop preventing bear attacks and look at the unique industry, principal, or area you’re protecting.
First, have an honest conversation with yourself. Are you serving your client, or are you performing “security theater”? Find the work, solve the problems and be the solution. Secondly, have that conversation with the signee of your paycheck. Shame on you if you’ve not built those bridges or relationships. Become the lynchpin of your organization. Weave yourself into each and every facet of your company because what you do matters.
People deserve to work in a safe environment and go home to their families each and every day. Become what we are, a customer-facing service business solving the problems that no one else does.
Here lays the foundation of an incredible opportunity. You’re the expert they hired to perform the function of security. You can drive the discussion and allow them to understand the WHY of your existence. Explain to them the incredible work we do day in and out without muddying the waters with information that doesn’t matter.
Don’t dilute the vital work and the overall function of security with white noise and reports that don’t really mean anything to anyone.
Do what’s right and measure what matters. Don’t measure security as such.