​

SECURITY DEPARTMENTS are in a difficult position when it comes to internal “customer” relations. Since it is the department’s responsibility to enforce sometimes-unpopular policies and to conduct investigations into wrongdoing, security staff may find that they are viewed with distrust or hostility by the organization’s work force. But security departments should not give up on the idea of being viewed positively by other units within the corporation.

By fostering positive feelings, the department can also foster security awareness throughout the organization, as I have seen firsthand.

The first step toward good customer relations is to conduct a survey on what employees like or dislike about the security department’s services and why. After a corporate merger, the security department that I headed at Xcel Energy decided to conduct a survey to establish a customer service baseline for all of the internal service providers in the newly formed company. The results led to more efficient programs, increased savings, and increased credibility with senior executives. That experience offers lessons for other security departments, whether faced with a merger or simply looking for ways to improve the status quo.

Survey

Our first step was to hire an outside firm to conduct the survey and collect the data. Because this company also provided benchmarks for internal customer service for hundreds of companies, its data and benchmarks were statistically significant and fair.

The initial survey was sent out in the fall of 2000 to all workers at a supervisor level or higher. Later, once we started to put specific processes in place for continuous improvement, we started conducting monthly transactional surveys that were sent to all employees who had received the service that month.

Annual. We first used this type of survey to gain general information about how satisfied employees were with security’s performance. In deciding what to ask, we followed the advice of the survey company and also looked to a general template used by many organizations.

The survey first asked whether the employee was satisfied with security services overall. This question was followed with queries about specific security traits such as access, reliability, response time, expertise, problem solving, friendliness, and value. On each of these traits, the respondent was prompted to give a rating. There were five optional answers: very satisfied, satisfied, neutral, dissatisfied, and very dissatisfied.

The survey was sent via Zoomerang—an online service provided by the survey company. While it only went to supervisors and management, supervisors were urged to seek the opinions of their employees. The response rate was approximately 30 percent.

Findings. The next step was to analyze the data. Customer comments were sorted into ten general categories such as response time, efficiency, or friendliness.

We focused on the percentage of respondents who marked the top two boxes of very satisfied and satisfied. We received only 53 percent who were either very satisfied or satisfied with security’s services.

The benchmark was 68 percent, and we had hoped to be much closer to that number.

There was an unusual consensus on one complaint—background screening—with around 20 percent of comments touching on it. While we did not specifically ask about any of our processes, there were so many negative comments on the length of time required for a background check that a problem was clearly indicated.

Transactional. The second type of survey is transactional. We didn’t start sending out transactional surveys on a monthly basis until we had significantly improved the background screening process time. In 2003, we started sending out the monthly surveys. Currently, transactional surveys rarely have more than four questions, and they only ask how satisfied an employee is with a certain function. Transactional surveys consistently receive a 30 percent response rate.

The surveys have broached such topics as security awareness trainings and risk assessments as well as services such as badge, key, and access requests. Some of these surveys, such as those on training programs, are given in person at the end of the class; others on perennial topics are sent out via Zoomerang.

Security’s target for transactional surveys in 2006 is 90 percent either very satisfied or satisfied. We have been fairly successful at meeting this objective since our first survey in 2001. In 2003, we averaged

88 percent satisfaction on transactional surveys; in 2004 we averaged 89 percent; and in 2005 92.5 percent.

But this success rate on individual services does not always translate to a high rating on the annual general satisfaction survey. In 2003, for example, despite the high transactional rating, the annual survey was registering only 69 percent approval. We have improved since then, however, each year, and in 2005 our approval rating jumped to 79 percent, which exceeded our industry benchmark for internal service providers of 71 percent for the year.

Background Checks

As noted, the first annual survey showed that employees were unhappy with security’s background screening process. While it wasn’t the only issue that customers expressed dissatisfaction with, it was the one most often commented on.

The problem stemmed from the merger the previous summer with New Century Energy and Northern States Power. Under the new company, the screening process was a lighter version of the process required for the company’s two nuclear power plants. It had never been scrutinized for ease of use or speed of completion.

All workers were required to pass this screening before they would be allowed to have any access to the company. The average time to complete a background check in 2001 was 14 days. Many managers resented that screening could delay them from bringing in a new worker.

Using a management system model for continuous improvement, the security department reduced the background screening from 14 to 5 days over the next three years. We accomplished this by reducing the types of screenings the company conducted from eight to one and simplifying the background screening request form. The prior process had eight different levels with combinations of checks depending on job classifications, slowing down the vetting process significantly.

Security also went through a request-for-proposal (RFP) process and selected a new vendor. The vendor selection process focused first on accuracy, then speed, and lastly cost. (Previously the criteria were accuracy and cost; speed was not addressed.) Security made it clear to prospective vendors that turnaround time was critical.

After the new program was established, the screening team adopted the practice of continuous improvement. The team came up with several small simplifications that saved a few minutes per transaction at no additional cost, all of which led to a current average of 4.2 days per screening as of January 2006.

The clock starts the moment a questionnaire is received by secure fax and it stops when a record is completed in the company’s tracking software as either approved or denied. The security team processes approximately 4,000 screenings per year with an average denial rate of 4 percent.

The security department made sure to advertise this significant improvement; a description of the faster program was included in a security awareness letter that was sent out a week before the 2004 survey. Security’s overall score for 2004 was 77 percent.

Results

In addition to improving specific programs, the surveys have helped security make the case for additional resources. For example, by laying out the data from the surveys, I successfully lobbied to increase the department’s budget and staff levels, hiring eight new workers in 2004.

I also used the survey data, along with verbatim comments from individual respondents, in making a request to require that all security field staff have a security certification. The survey showed that the existing staff needed to be more skilled. The ASIS Physical Security Professional certification is now required of all field workers who conduct risk assessments, design systems, or handle related projects.

Most of the services provided by Xcel Energy’s security department are mandatory, but this doesn’t mean that customers must suffer with poor performance. By focusing on what customers cared about and giving them a voice, Xcel’s security improved its performance while also gaining partners in its mission.

R. Scott McCoy, CPP, CISSP (Certified Information Systems Security Professional), CBCP (Certified Business Continuity Professional), is director of security for Xcel Energy in Minneapolis, Minnesota. He is a member of ASIS International.