Executive Summary

To consider “security” one identifiable market is no longer possible. Some sectors have grown and others have significantly declined. Some of 2008’s elite security programs are missing from this year’s rankings, left disassembled and leaderless. Bank of America, the leading finance sector program under Chris Swecker in 2008, is gone. With the CEO being shown the door and legal charges related to the Merrill Lynch acquisition forthcoming, who needs security?
     
For many CSOs, this has been a very difficult and trying year. Perhaps the greatest indication that the security leader is truly a “C-level” executive is confirmed by the number fired, dismissed or pushed to early retirement in a “C-like” fashion. As a byproduct, many new security think tanks and consulting practices have emerged. While less terminal, security organizations and leaders that lacked credibility and/or were unable to successfully communicate up/down and across their organizations about their contribution to organizational goals, faced death by a thousand budget cuts.
     
Yet, other security leaders had their best year ever increasing their responsibility, adding innovative programs and being recognized as an even greater value driver across their enterprises. Some security leaders used the economic crisis and the added challenges thrown their way as an opportunity to demonstrate their bottom line value and executive leadership skills.
     
While some programs grew and others faltered, the security profession became more professional, more enterprise-centric, more IP driven and more about leadership and strategic business management than tactical security measures. Those that “get it” and demonstrated either quantitative and/or qualitative results were heavily rewarded by their organizations.


1. Risk is Up, Budgets Are Down…Now What?

2009 has been the year to justify and re-justify spending across all departments in all sectors, only to then cut the budget anyway. While that was not the case in all 16 sectors surveyed, it is very representative of the challenges put before most security leaders. Do more with less is not an easy task when the organizations you protect face:
  • Greater regulatory compliance programs
  • Higher crime rates in a down economy
  • Reduced public security support (police/fire budget cutbacks)
  • More global expansion to find growth
In many cases, reduced operations have allowed for reduced activity and spending. For example, delayed mall or hotel construction enabled planned capital spending and security officer hiring and training to be delayed or canceled. Not so for hospitals, government and universities sectors, where new construction and upgrades continue to drive security spending.
     
Enterprise security leaders have used budget reductions to reevaluate national account contracts with installing and service companies. In some instances, contracts were put up for rebid, reducing costs as much as 30 percent. Patience was also very short among CSOs who replaced their status quo security technology procurement to ensure that successful and economically justifiable solutions were implemented.
     
On the value side, security design is being pushed to deliver on broader goals such as access cards tied to building automation controls, shifting departing employees’ offices to an environmentally and cost friendly “unoccupied” setting.


2. Workplace Murders, Suicides and Violence are Soaring

The Bureau of Labor Statistics has partial data for 2008 and no data yet for 2009. But the anecdotal evidence suggests workplace violence in 2009 is at a record pace as a result of the economic crisis and continuing recession.
     
Suicides at the workplace soared 28 percent from 196 in 2007 to 251 in 2008. Murders at the workplace have averaged 500 per year since 2003, but are expected to be higher in 2009. Workplace murder is the leading killer of working females, (35 percent of their fatal work injuries) and the second leading killer of males. And 95 percent of those committing suicide at work are males.
     
Non-fatal workplace violence continues to increase. But unlike the old weather adage, “everyone talks about it but no one does anything about it,” workplace violence is the opposite. No one is willing to publicly talk about it, but most organizations are moving quickly and aggressively to do something about it.
     
It is not safe outside, either. Companies with field employees such as utilities or construction workers are facing greater incidents of theft and/or violence toward their employees (among the most innovative solutions comes from DTE Energy).
     
Online training, helpline resources, escort services and security responses to any threat for investigation and mitigation are enabling organizations to reduce events. Greater use of identity management and access control systems, combined with surveillance and educating employees on where and how to get immediate help if they feel threatened or uncomfortable, are being implemented. False alarms are welcome.


3. Nice Plan. Will it Work?

Every once in a while the Emergency Broadcast System will blast my TV with noise and announce that I had just participated in a test. Unfortunately, that is the beginning and end of the testing process. TV viewers may get instructions on what to do in a “real” emergency, but would those instructions work if followed? No one knows because they only tested the horn.
     
In the age of Pandemic threats and realities, planning is just not good enough. Last year, business resilience, disaster recovery and emergency management were restructured into the security department in many organizations. Now that these plans are set and ready to go, the question is: Will the plan work?
     
For example, planning for hospital patients to be evacuated in a certain way is a key task. But the devil is in the details. How much staff is needed? How much time will it take? And what if the first exit is blocked? Where is the alternative exit?
     
The leading organizations are not using “please not here” as a strategy and know that “hope” is not a plan. Drills, tests and measurements are being utilized to ensure that everyone knows their role and that emergency plans will be truly effective. Or they will be redrawn. We have seen some good examples, including the Big ShakeOut and The Joint Council’s focus on proving that healthcare evacuation and continuity plans will succeed.


4. Hackers, Terrorists and Spies

The FBI estimates that more than $600 billion in intellectual property is stolen annually from U.S. businesses. After terrorism, it is the FBI’s next largest focus area. Unfortunately, corporate boards and their CEOs have not understood the risk and cost to their organizations. In many cases, insiders including employees, business partners or consultancies commit crimes and the theft often goes undiscovered. In other instances, best practice or regulatory policies are not enforced.
     
It is smart to be paranoid. In recent months hackers attacked two credit card processing companies, including Heartland Payment Systems and RBS WorldPay. Overall, thieves escaped with unencrypted data for more than 250,000 business locations and more than 1,500,000 customers. Heartland has stated that they do not know how long hackers were stealing data or how much data was stolen.
     
Intellectual property theft also takes place in the form of fraud and counterfeiting.
Nothing is more vital for an organization than protecting its brand and reputation. And it is a life and death matter. Fake Viagra (which topped 5 million pills per year before Pfizer employed RFID tags to verify its product) is now being out marketed by fake Tamiflu as a result of the H1N1 virus.
     
This is a business, not a security problem, by any measure. Data breaches are now everyone’s problem. And security leaders are working at the board level to address this business-critical risk.


5. 1-2-3 Converge!

Convergence has come to mean many things in the security market. Typically affiliated with technology, it also has a strong play with organizational structure as physical and logical security functions come together to secure the business versus assets. But the better example of convergence is the trend to bring public resources, enterprise resources and technology together to maximize awareness, provide effective communication and gain the necessary behavior and participation for one’s own security.
     
Leading organizations are marketing security’s existence in numerous ways. Using the news media to show how energy theft is dangerous and that energy thieves are caught and prosecuted has been an innovative and effective program for DTE Energy. Working with marketing communications, security is creating security awareness so technology and resources are proactively utilized. Universities are incorporating security presentations into orientation programs with a “please touch” theme.
     
The goal is to change behavior among individuals so they think and stay aware of their circumstances by actively participating in the security process. Convergence is about getting the right information to the right person to make the right decision that prevents an event from happening or stops an event from becoming a catastrophe. That means converging security strategy, technology, officers/first responders and stakeholders.


6. Regulatory Compliance = Uncompensated Overhead

The Security Executive Council predicted that DHS would ultimately become an inspect and fine regulatory body that created and enforced compliance programs that may or may not improve security’s effectiveness.
     
This began in the chemical and petro chemical sectors in 2007 with CFATs legislation, including fines of $25,000 for violating security regulations. The legislate/inspect/fine approach continues to spread to other sectors. For example, a Missouri poultry processing plant was fined $450,000 for hiring 137 illegal alien workers. At debate is the value of this approach versus being on the same team to identify and mitigate those risks most likely to threaten national security – especially at a time when the DHS Director, in a recent New York Times interview, says she doesn’t understand the threat level system.
     
On the positive side, the development of rules and regulations provides a base to work from and allows supply chains to remain fluid. Among the greatest benefits cited during the development of DHS regulations is the interaction among players within each sector to network and “know whom they will be working with before a crisis happens.”
     
Compliance places a heavy burden on security programs to prove bottom line value too. It is easy for a CEO or Board to decide to be compliant at the lowest cost possible versus to be secure. Smart CSOs are aware of and compliant with regulations, but don’t base their economic value to the organization on regulatory compliance.


7. Enterprise Value Wins; Security Solutions… Not as Much

Among the biggest and best security minded enterprises, security solutions are not just about security anymore. The leading organizations ask, “What else can this investment do for our company?” In many cases, security investments are transcending the security function. Examples include monitoring production lines at a Navistar plant in Brazil from Illinois, renting retail mall space via the Web and studying coffee buying behavior at convenience stores.
     
Yet, these were discovered after the security project was completed. With tight dollars and increased budget scrutiny, winning security proposals identify value beyond the security function. Retail surveillance that gives shoplifters second thoughts is valuable. But that same monitor turned into an advertising vehicle with messaging about specials or an analytics tool identifying a potential buyer unable to find what they want and saving a sale adds immediacy to the solution’s purchase approval.
     
As a result, enterprise solutions are winning in a tight economy. This is an area where security, IT, facilities and other operational departments can benefit from the ability to share security information with non-security departments such as marketing. Or, by integrating with HVAC or lighting to drive the business case. Similar to IT strategies 20 years ago, the possibility of a proprietary system leading to a dysfunctional end are real. The ability to work with IT and facilities leaders on a multi-year strategy continues the trend toward enterprise-wide, open IP systems that provide cost-effective or value-creating business applications.


8. What Will They Outsource Next?

Many state and local police organizations are facing budget cuts with an eye toward stratifying their work forces and outsourcing some of their duties. While it may feel like the “new normal” to consider private, security officers taking on some tasks from traditional a full time police officers; the concept is gaining ground for both economic and business reasons.
     
Economically, public police authorities cannot afford a “one size fits all” officer corps where highly trained and compensated officers are assigned tasks below their skill level. And the guard service firms, like Allied Barton, have done a good job of helping customers measure the business case that they can fill a need for public police forces by providing appropriately trained and compensated officers a specific job and pay grade.
     
The police force gains on both sides. They are not over compensating a highly trained officer to perform tasks well below their skill set. And they avoid the risk of job dissatisfaction if an officer has expertise and receives less than compelling assignments.
     
Stratifying the officer corps has been utilized within private security forces for some time through job enhancement and enrichment programs. It is common in healthcare, for example, where nurse’s aides perform tasks not requiring a nursing degree at a lower pay scale. This trend will continue to be tested and should be expected to grow even as the economy recovers.


9. Let’s Share Risk!

Security metrics have taken a new foothold as organizations work to measure risks associated with employees working outside their facilities. The larger organization is likely to have employees on airplanes, at client locations, working home or sleeping in a hotel halfway around the world.
     
When one business sends employees to customer locations each day to work with clients, these two organizations have entered into a shared risk relationship. Most of the time, the exchange is uneventful from a risk and security view. It is understood that you are accepting risk that your client will be protected while at their location. And your client is accepting the risk that your employee may have an “issue” while at their location. But can you measure it?
     
In practical terms, companies recognize that they are responsible to track and provide emergency services to employees traveling on their behalf. When a terror attack, natural disaster or hotel fire occurs in an international location, executive tracking systems tell you where your people are immediately and provide support to help them. Organizations rely upon the local authorities or the other organization with which they are sharing risk for assistance to a lesser degree.
     
Sharing risk is now an understood concept and a fascinating one. However, most organizations are only sharing risk until an event happens, then they are depending upon their own programs for mitigation. This is among the most interesting trends for economists and accountants in the coming year.


10. Not In Our House!

Just a few years ago it was the security leader against the (internal organization) world. Aligned with his trusted advisors from system integration, security dealer and consulting firms; conventional wisdom was to dig in and fight for the turf earned and deserved. IT was on the other team. Facilities were soft. None were trusted.
     
My, the difference an economic depression and a few team-building drills makes in the largest enterprises. Somewhere, business minded and leadership skilled CSOs figured out that a business career meant focusing on the business. Security careers are easier to maintain as long as the focus stays on one’s security relationships. And this year, you figured it out en masse. This is no longer the bastion of the privileged few.
     
The best security leaders are “best friends with the CIO” and work closely with the leaders of the other operational departments. The result is that those trusted advisors have been reduced to vendors. Now the enterprise team includes IT, Facilities, Legal, HR and others aligned to achieve organizational goals, including security. And the channel companies no longer get to drive the discussion; they get to bid on the project.
     
This is the trend that will most dramatically shift solutions from best of brand to best of breed, shake up the vendor landscape and enable enterprises to identify and measure value. 


Links