From Back Burner to Business Imperative
Finding a way to prove that the security department is a critical business unit within an organization is a challenge that ASIS International has been tackling since the Society’s inception. “Security offers such absolutely essential, vital services to the organization. Yet, when it comes to budgetary decisions, virtually every other aspect of the organization gets considered first—security is always on the back burner,” says J. T. Kostman, director of People Equity Solutions. The solution is to teach security professionals how to make a better business case, says Kostman, who will elaborate on how this can be done at the 51st ASIS Annual Seminar and Exhibits in Orlando, Florida.
BUSINESS STRATEGY is but one of the many topics to be addressed in the 136 sessions that will be offered at the seminar and exhibits. Among the educational offerings will be classes on detecting deception, dealing with problem personnel, protecting chemical facilities, and addressing vulnerabilities. The following preview highlights a few of the sessions to be found next month.
Business case. The first step in making a business case for security is to quantify security’s value, says Kostman. However, “security’s success is measured by the absence of loss, and that is very difficult to quantify” because it is often intangible, he says.
Despite the difficulties, it is possible to identify some specific costs that arise from security failures. Kostman suggests that security directors begin by looking at the three primary effects from a breach in security.
The first is the tangible cost, such as the cost of replacing stolen merchandise or damaged property; this is the surface expense.
The second effect is the reputational cost, such as bad press or lost customer confidence, which can be significant and difficult to fix, but it is also hard to quantify. Third are the indirect costs, such as increased insurance premiums and increased security patrols, which should be easier to calculate but are rarely included in the loss assessment after a security breach.
Kostman’s session will focus on giving security professionals the language to describe these losses to upper management, thereby helping them show the return on investment for money spent on preventive security.
Another important point that Kostman will address is that the security director must communicate with executive decision makers. “Security should be sitting at the elbow of senior management when they make decisions,” Kostman says. Showing top executives how security contributes to the objectives of the organization is the way to make this happen, he says.
To show how this can be done, Kostman will present a fictional organization and ask the audience to explain how the security department supports the organization’s objectives. He will then give the attendees the opportunity to work through issues in their own organizations using a scorecard that helps them understand the value associated with each security function.
Kostman believes that a fundamental shift in mind-set must occur if security is to become an accepted business unit. This shift in perspective must occur first at the security management level and then at the C-suite level. Any management-level security personnel from shift supervisors to CSOs can benefit from learning to make the business case for security.
(This session will be held Wednesday, September 14 at 4:30 p.m.)
Selling security. As director of security for Genuity (now L3 Communications), Craig McQuate saw the company grow from 900 employees to more than 6,000 in less than two years. The unprecedented growth forced McQuate to learn to sell his department to the various business units within the organization. This helped ensure his department’s piece of the budgetary pie. In his session, he will share the lessons he learned through that experience.
One key to McQuate’s success was to brand his department as a benefit center—an equal contributor to the objectives of the organization. “There’s the traditional thought of security as being a cost center, an overhead,” he says. But security doesn’t have to accept that image. The department can sell itself and its value to each business unit and to the company as a whole.
For example, McQuate approached the company’s consulting department, which specializes in IT services for large corporations, and persuaded the sales staff that physical security is an integral component of IT security. As a result, the sales department began including information on physical security in their presentations to clients. The clients were receptive, and the services offered by McQuate’s department played a role in their decision to hire Genuity.
Another objective is creating a brand for the security department. At Genuity, McQuate began this process by working with the Boston University School of Business, which created a survey that was sent to everyone in the company. The survey listed several services offered by the security department, such as emergency response and escorts. Employees were asked whether or not they thought the company provided those services and if they thought the services were valuable.
The survey was a vital tool for helping McQuate identify the needs of the company. It also helped him understand which security services needed publicity and which services were of most value. Once the needs were identified, McQuate began marketing the department’s offerings to the business units throughout the organization.
McQuate will also present his top ten suggestions for success in the 21st century. One of the top ten is anticipating change. McQuate says that it is extremely important for the security department to meet regularly with research and development to understand where the company is moving and how security can play a role.
A portion of the presentation will be reserved for questions and suggestions from the audience. McQuate hopes that through this interaction, security leaders will learn how to make their department a legitimate and vital function of the organization.
(This session will be held Monday, September 12 at 11:00 a.m.)
Detecting deception. Knowing when someone is lying in written and verbal communication is one key to a successful investigation. John Dietz, CPP, and David Lewis will present a session on detecting the clues that help distinguish truth from fiction.
According to Dietz, liars have certain speech and grammar patterns in common. By analyzing grammar, phrases, use of pronouns, and other expressions, Dietz says it is possible to eliminate suspects and narrow an investigation.
For example, if a person says, “I don’t steal,” Dietz says that means “I do not currently steal,” not “I have never stolen.” Dietz would expect a truthful person to say, “I did not steal from the company,” because that statement directly addresses the theft, while the other is only an assertion in the present tense.
The presentation will focus on two types of statements that investigators ask subjects for: a directed-question interview and an open statement.
Directed-question interviews are typically given out in the form of a written questionnaire and are used for multi-suspect investigations.
An example question from a directed-question interview is, “If we discovered that you stole the money, would you be willing to repay it and how much would you be willing to repay?” Dietz says that he would expect a truthful person to answer the question by saying, “No, I will not repay the money because I did not steal it.”
Open statements are used for smaller groups, such as in sexual harassment allegations. When these statements are administered, the investigator asks the suspect to describe the incident in detail. Some indications that the person is lying are that the statement begins long before the incident occurred and describes irrelevant facts.
Dietz says this session will teach attendees how to administer directed-question interviews and open statements. They will also learn simple techniques that will enhance their ability to communicate and to analyze what others say in communications with them.
(This session will be held Tuesday, September 13 at 1:30 p.m.)
Chemical facilities. Conducting a thorough vulnerability assessment is a critical first step in ensuring that key assets are adequately protected. This is particularly important for businesses such as chemical facilities that deal with hazardous materials, because a breach in security could have dire consequences for the surrounding community.
In his presentation, Paul Timm, PSP, will discuss methodologies that chemical facilities must use to conduct vulnerability assessments. Timm’s theories are adapted from the techniques taught at Sandia Laboratories.
The first step in the assessment is to evaluate current protection policies and determine whether they are adequate. The next step is to determine the key assets for protection.
According to Timm, vulnerability assessments for chemical companies differ from those conducted at other organizations because a chemical facility’s key assets are dangerous chemicals such as chlorine.
Once the key assets are defined, the assessment moves on to defining severity levels. “We want to take inventory of what kind of chemical materials we have and then we want to understand the impact should there be a sabotage or theft,” Timm says.
This step involves analyzing the facility, the surroundings, and the worst-case scenario. In a heavily populated area, for instance, a worst-case scenario could be a chlorine leak that kills or injures several thousand people.
The worst-case scenario is not an analysis of probable threats, but simply represents a baseline against which all other threats can be measured. Timm stresses that companies should, even in the context of a worst-case scenario, be realistic when they are determining what circumstances are likely. “If you’re out in the middle of Kansas…it may not be the number one target on the terrorist list, but it may be susceptible to people from the community” who want to protest against or sabotage the plant for some reason.
The next step is the threat assessment, which analyzes the likely threats to the facility. After the threats have been determined, Timm says, vulnerabilities must be prioritized. In this portion of the assessment, the vulnerabilities are put through triage, with those that are related to lower probability threats receiving less attention than those related to higher probability or higher-consequence threats. For example, a vulnerable road near the chlorine storage facility would be a high priority to address. This stage requires balancing probable threats with available resources, which requires a keen understanding of the vulnerabilities and the likelihood of them being exploited for terrorism or other reasons.
Timm’s presentation will also touch on grants and other funding available from the Department of Homeland Security and other organizations, which companies can use to help mitigate the costs of plugging the holes identified in the vulnerability assessment.
(This session will be held Tuesday, September 13 at 1:30 p.m.)
Difficult people. It takes skill to know how to calm an enraged person and prevent violence. Attendees of Marc McElhaney’s session will learn specific techniques for defusing potentially violent situations either in person or over the phone.
The first step involves de-escalation. This is accomplished by understanding the root causes of the person’s anger. McElhaney advocates active listening, in which the angry person is given the opportunity to elaborate on his or her grievance. He says this step is vitally important because angry persons’ “primary need is to have their concerns acknowledged…. You will not be able to go forward until you reach that goal.”
According to McElhaney, listening often involves ignoring your natural reaction to conflict. Most people react to conflict either by fighting back, giving in, or walking away. “You’ve got to restrain your natural impulses, because you have certain natural survival-based instincts that you engage in a conflict that are designed to protect yourself but are not helpful or effective when you’re trying to work with someone.” When a person reacts with this natural instinct, he or she is no longer actively listening or attempting to discover the root causes of the anger.
Once the underlying issues are aired, the person resolving the conflict can begin to reframe the person’s anger. This step works in conjunction with active listening. It entails asking the angry person to repeat his or her demands. The person resolving the conflict then repeats the angry person’s words back.
The process allows the angry person to reflect on the statement and edit it. According to McElhaney, it forces the angry person to rationalize his or her wants and desires, which automatically deescalates the violent reaction.
“The best negotiators are not people who talk a lot, they’re people who listen a lot,” he says.
The last stage is problem solving, which naturally occurs as a result of the reframing process. The angry person is given the opportunity to find a logical conclusion to the anger, rather than violence.
This session is perfect for anyone who deals with people. These effective communication strategies are skills every security professional can use.
(This session will be held Tuesday, September 13 at 4:30 p.m.)
This sampling offers a taste of the educational opportunities available at this year’s ASIS International 51st Annual Seminar and Exhibits, which will be held in Orlando, Florida, September 12-15. Other sessions will focus on the full range of business and government security topics. For more information or to register, go towww.asisonline.org.
Marta Roberts is staff editor for Security Management.