August 6, 2025

Key Points

  • A group of leading security executives urges expanding return-on-security-investment metrics beyond cost-cutting to include risk protection and business efficiency gains, illustrated by real-world savings in cleaning contracts, production-line integration, and cross-departmental incident management.
  • Security leaders should ground their initiatives in organizational priorities by considering their company’s goals and financial disclosures, then aligning programs with documented business risks.
  • Practical tactics—such as pooling smaller projects to qualify for capital budgets, leveraging board-presentation gatekeepers for polished pitches, and adopting phased implementations to manage expectations—can unlock resources, drive culture change, and secure executive buy-in.

In association with the groundbreaking Global Security Barometer, the International Security Ligue compiled advice from a focus group of Chief Security Officers and other leading industry voices on overcoming common management obstacles. The panel offered ideas for getting company management to recognize the positive return on security investments, along with tips for approaching 9 other fierce management challenges.

How can I demonstrate security’s worth?

There is no easy way to calculate and demonstrate return on security investment (ROSI)—too many benefits are hard to pin down, impossible to prove, and easy to overlook. Still, it’s important to try.

The focus group noted that there is no single best strategy because ROSI ties directly to the type of business an organization conducts. (For a hotel, for example, lawsuit avoidance may be security’s most valuable aspect; for financial firms, it might be regulatory compliance; for retail stores, loss reduction; and so on.) However, changing the core criteria on which security is judged is something many security directors may find helpful.

“Effective security” is a traditional measure of security and sometimes the only one an organization uses. This old school calculation is usually pretty simple: it takes the cost of security and incidents/losses as a starting point, and if a security department reduces security expense without increasing losses, it is judged to be “effective.” Ultimately, however, this is a losing formula, noted one industry leader. “Eventually you run out of ways to cut costs. There is only so much you can strip out of security.”

The advice: To the traditional pillar of “security effectiveness” add “risk protection” and “business efficiencies” as aspects of security upon which you measure and communicate ROSI. All companies recognize that risk costs them money; for example, in the form of insurance premiums. “So, shouldn’t the opposite be true? If risk costs a company money, reducing risk must save it money. It’s a security director’s job to identify for leaders how the organization will benefit financially by securing against risks.”

A second additional pillar of a ROSI calculation should be security’s impact on business efficiency. Security technology is making this increasingly possible, but many security departments have yet to capture business efficiency gains within ROSI calculations. It’s worth doing, because the business benefits of security can be substantial, as these real-world examples show:

• An organization had a service contract with a cleaning company calling for 100% of buildings to be cleaned each time. But since some buildings were not fully occupied, areas were routinely cleaned that had not been entered since being cleaned just a few days earlier. By analyzing electronic access control system records, the firm tailored the cleaning contract to building usage and re-negotiation saved $35,000 annually.

• A manufacturing firm integrated its access control system with its production line so that the shop manager can verify that when the line starts, all the correct people are in place, which has reduced instances of needing to stop the production line and created demonstrable, significant savings.

• A major retailer realized that its security incident management system, which addressed the need to send information about store incidents upstream, investigate them, share information about them, and identify opportunities for improvement, met needs similar to those of many other departments. It now helps sales staff manage incidents in which deposits contain an overage or shortage, and helps inventory control manage logistics problems that arise as products move from warehouses to stores.

More Tough Tasks Simplified

How can I be sure of aligning the security function with the business? Tip: “Start by being able to recite your organizational goals. It provides the best starting point,” one panel member advised. Another suggested that security leaders at public companies should read their company’s annual securities reports, which most countries require to disclose risks. “It’s the first thing you should do. Grab it. Read it. Now you know what your company’s risks are,” offered a leading security consultant. “Then, when you try to sell management on a security program or a service, see if you can align it with any of the risks in your company’s financial disclosures.”  

How do I keep up with technology? Tip: “Start by not trying so hard to keep up with technology,” offered the CSO for a billion-dollar company. “We used to look at security technology as different widgets and then underwent a paradigm shift. Now we think about strategy first, then technology, which concentrates and simplifies the search for technology solutions.”

Start by not trying so hard to keep up with technology. — CSO for a billion-dollar Technology Company

How can I free up money for security projects? It seems odd, but it can be more difficult to get small projects approved than large ones because of how an organization chooses to pay for a project. Tip: Consider going bigger with a security project by including multiple sites within its scope, so it can be funded from capital budget funds. “For example, a project under $1 million might have to come out of the operating budget, which is always tight, instead of capital expenditures, for projects $1 million or more. In this case, pool with several facility locations so that a $250,000 per-site project adds up to more than the budget threshold and it can come out of available capital budget funds.”

How can I get the Board to recognize a security project’s worthiness? Tip: Find out who is the gatekeeper for presentations for the Board (who arranges or schedules Board presentations), as they are often well-positioned to know what appeals to the Board. One person recalled a time when he consulted one of these gatekeepers and she went to a drawer and pulled out a set of the Board’s favorite all-time PowerPoint presentations. “She was very helpful. She pointed us to the departments that made the best presentations and someone in marketing who was an expert at making them look good. And a polished-looking presentation went a long way in our getting the project approved.” Another tip for security Board presentations: “Don’t use up your entire allotted time. If you’re given 15 minutes to make your pitch, take 10 and leave some time for questions. And if you can do it in eight minutes, do it in eight. Don’t just fill the time,” advised a focus group member.

How do I manage a ‘do more with less’ mandate? Tip: Start by focusing the security program on areas that provide maximum support to the organization, which demands an examination of the organization’s primary motivation for security. Why does it really want security? “The answer generally fits into one of four categories: Liability, compliance, personality, or experience.” By keeping the chief motivation for protection in mind, he said security directors are better positioned to make the tough choices that today’s security budgets are forcing us to make. “Also, always be mindful of what it is that your company is most concerned with protecting: people, property, data, or reputation.”

How can I calculate security officer resource requirements? Tip: “If you take your average number of calls, and your average call times, and do the math calculations, you will have 80 to 90 percent of the data you need from which to calculate how many officers you need.”

How can I effect culture change? Tip: When trying to effect change with a vague goal, such as an effort to improve the security culture, it is particularly important to track the steps that you outline for getting there, said several experts. Create milestones and do progress reporting at the 3-month, 6-month, and 1-year mark, “which typically provides a good way to keep an effort on track.” Another tip: Strategize to use company changes to change perspectives about security.

If you have the opportunity to move into a new building, that is not just a great time to change security technology, but it can change the security culture if you make a plan for it. — Head of security for a large Medical Center.

How can I avoid disappointment in security technology projects? Tip: Use a phased approach whenever possible. “This will allow you to carry lessons learned into each subsequent phase of the project,” said one CSO. Also, be realistic about what people will experience, according to a Chief of Public Safety for a major convention facility. “Managing expectations is something I do every day. When I built a video framework, I found that continuously managing expectations is vital.”

How can I rate the vulnerabilities of different buildings or locations? Tip: Don’t let the perfect be the enemy of the good. Several leaders said it is important to use risk assessments as a foundation for strategic security decision making, but suggested some directors refrain because they’re not sure how to precisely rate the vulnerabilities of different buildings or locations. “Don’t let that hold you back—just jump in. Make a scale up. It can be 1 to 5, or 1 to 100, there are lots of examples out there. The important thing is to score your vulnerability. It may seem a bit arbitrary, but that’s okay so long as it’s consistently applied.”