Security Becoming Less of a Luxury
Print Issue: August 2014
There’s a well-known Monty Python sketch in which four successful Yorkshiremen compete to prove that they suffered the most humble upbringing. When one of the four boasts of growing up in a tiny tumbledown house with holes in the roof, another counters that his whole family lived packed in a single room. The four men keep one-upping each other by claiming to live in increasingly improbable locations: a corridor, an old water tank, a hole in the ground, a lake, a shoebox, and a paper bag in a septic tank. Even upon hearing the ludicrous extreme of living in a septic tank, one of the men shouts “Luxury!”
Sometimes it seems that security directors are in the same situation, competing to see who can craft the best program given meager resources. After a brief post–9-11 surge, security budgets suffered, taking a big hit during the Great Recession from 2007 to 2009. In those years, corporate boards, CEOs, and CFOs, looking to cut costs and create efficiencies, often viewed security as a drag on the bottom line. One can almost imagine a CSO telling a fellow CSO how he shrank the security budget, only to hear in response, “You have security beyond compliance? Luxury!”
To be sure, security budgets still face serious pressure, but since 2011, security spending is again on the increase. Healthy growth is projected in both operational and IT security through 2017. (Operational security includes physical security, intelligence, antifraud, investigations, and other elements that don’t fall under IT or cyber.)
This forecast comes from an upcoming 2014 survey and report prepared by ASIS International and the Institute of Finance and Management (IOFM) called The United States Security Industry: Size and Scope, Insights, Trends, and Data, 2014-2017. The document updates the original 2012 ASIS/IOFM survey, which projected spending only to 2013.
The most recent data shows a surge of spending on security goods and services from 2013 to 2014: private-sector spending jumped from $282 million in 2012 to $319 billion in 2013 to a projected $341 billion in 2014, a 20 percent increase over two years. Including federal homeland security budget items, total spending on security goods and services in 2014 tops $400 billion. By way of contrast, in 2013 the Bureau of Economic Analysis estimated that U.S. educational services generated $324 billion, utilities accounted for $401 billion, and arts, entertainment, and recreation—including gaming—generated $277 billion in revenue. That puts the security industry in powerful company.
And there’s reason for optimism looking forward. The data, which derives from surveys completed by 479 security end users, manufacturers, and service providers, augurs $377 billion in private sector security spending in 2015, another 10 percent year-over-year increase.
So where is this growth coming from? Not from very large, publicly traded companies, whose operational security budgets will edge up only 2.5 percent from 2013 to 2015, and whose IT security budgets will grow by 6.7 percent in the same period. Nor from large or mid-sized companies. Rather, the spending engine will be small companies, with revenues in the $1 million to $10 million range, which are devouring security services and goods as never before. Operational security budgets for these organizations will increase 17 percent from 2013 to 2015, with IT security almost matching that figure—15 percent—during the same period.
Goods and Services
The budgetary largesse will extend to various products and services, with video surveillance, access control/identity management, IT security software, consulting services, employee screening, training, and systems maintenance leading the way.
Aaron Olaoghaire-Sannes, director of safety and security at Legacy Health in Portland, Oregon, says he is witnessing an “explosion” of spending on access control, CCTV, and supporting systems, such as CCTV management software. He says security spending at the large nonprofit hospital system was tight during the Great Recession, but now dollars are becoming available again. “There does seem to be a recognition of a need to invest right now,” says Olaoghaire-Sannes. Legacy Health is “trying to catch up on spending…after some lean years. I’ve seen great growth as far as my budget, both operational and capital.”
Employee screening. But budget dollars committed to security vary by industry and company size. As one example, almost one-third of companies plan to bolster spending on employee screening in 2015, by a median increase of 12.7 percent. These numbers are driven by retailers, professional and technical services firms, and small companies.
Alarm monitoring. In the alarm monitoring and response sector, healthcare and professional services firms, as well as mid-sized companies in general, are projected to be the big spenders. Legacy Health is a case in point. Alarming remote sites, such as clinics, and outsourcing the monitoring, “is a huge area of growth,” says Olaoghaire-Sannes.
Video. Video surveillance, which by 2015 will see an increase in spending by one-third of respondents, by a median increase of 20 percent, owes its strongest growth to information companies, transportation firms, and educational institutions. By contrast, below-average growth in CCTV spending will be seen in very large companies.
At Switch Communications, which operates expansive, highly secure data centers, CCTV is being increasingly used for compliance purposes, says CSO Joe McDonald, CPP, PSP, who sits on the ASIS International Board of Directors. “There is a requirement to know who is touching your equipment right now,” McDonald says, so anyone with access to a server can be identified. To satisfy requirements of Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standard, and other laws and standards, McDonald says that information companies such as his are using physical and system access controls, as well as CCTV, to identify who has contact with servers. These compliance requirements might explain some of the strong growth currently being seen in information companies’ investment in surveillance.
In small to medium companies, conversion from analog to digital is still gradual, as dollars become available. At Masonic Homes of Kentucky, an enclosed community for seniors that provides services ranging from independent living to full-time care, the newly formed security department is planning to replace old analog CCTV cameras with new IP cameras. Chief of Security Thomas Candler says that oversight of the updated system will be vested in the IT department, a trend noted in the report.
Perimeter protection. In addition, smaller companies, like Masonic Homes, are projected to drive the numbers in the perimeter protection and access control markets. Candler says that his company is looking to add an access control system as well as a guard house and fencing to the perimeter of the property.
Perimeter protection is also a priority at Desert Highlands, an 840-acre upscale private residential golf community in North Scottsdale, Arizona. Director of Security Nick Ciliento, CPP, is looking to enhance security by placing infrared detection on the four-foot-high wall that encircles the property. Though he says that the community’s board has always been generous with security allocations—security and peace of mind are major selling points for homeowners—he doesn’t get a blank check. “It has to be justified,” he says.
Switch’s McDonald says that today’s strong growth in access control (and, to an extent, CCTV) might be a function of Microsoft’s withdrawal of support for Windows XP. Many companies use access control systems and DVRs that run on XP, he says, and upgrades will require buying compatible equipment. For example, a new access control operating system will likely require the replacement or overhaul of dozens or even hundreds of access control panels.
Consulting. Perhaps nobody faces the justification barrier as much as security executives at the largest companies. But as very large companies cut down on some spending, budgets for consulting services are increasing. Consulting firms should watch for the strongest interest from transportation, warehousing, and utilities firms.
For decades, when asked about the number of security staff in the United States, researchers have been estimating three private security employees for every public law enforcement officer. These numbers derive from Private Security Trends, 1970-2000: Hallcrest II, which estimated 1.8 million security employees and 600,000 sworn law enforcement personnel in 1990. Almost 25 years later, the three-to-one ratio has held (though the Hallcrest II and ASIS/IOFM estimation methodologies differ). The number of federal, state, and local sworn law enforcement officers in 2008—the latest date for which information is available—totaled about 900,000. The ASIS/IOFM study estimates almost 2.7 million full-time private security employees. Nearly one million of these are IT security specialists, a category that barely existed in 1990. The private security numbers exclude personnel who work in the security industry but not in the capacity of providing security, such as sales or marketing staff.
Propelling this growth in personnel, as mentioned, is an explosion in information security jobs. Employment of information security analysts alone, for instance, “is projected to grow 37 percent [between now and] 2022, amounting to more than 100,000 new positions.” According to the U.S. Department of Labor, this rate of growth is three times faster than the growth for all occupations and double the rate for all computer-related occupations. And the money is good—an average base salary of $80,000 for analysts and $92,000 for senior analysts, according to the INFOSEC Institute.
By contrast, operational security hiring is slow. At Legacy Health, for example, Olaoghaire-Sannes reports a growing budget for goods and services, but not for personnel. “I’m not getting anything in personnel, but I have been getting support for people,” he says, including, training on management of aggressive behavior by MOAB Training International, Inc.
The numbers of both IT and operational security may constitute an underrepresentation, however. Many organizations without security departments task security functions to staff departments such as facilities, finance, human resources, safety, and IT. In IT, especially, “there is often no clear line…between security employees and other IT personnel,” according to the report.
The report also breaks down operational security staff by function and compares proprietary to outsourced personnel. Sixty-five percent of the 1.7 million operational security workers consist of contract staff. More than half (57 percent) of operational security staff serve as security officers, another 17 percent work as functional staff, 11 percent consist of executives and senior management, 9 percent perform administrative duties, and 5 percent operate as functional managers.
Given these generally auspicious numbers for security budgets through 2017, Monty Python’s four Yorkshiremen would doubtless talk about the old days when no organization would fund security. The gentleman who could muster an old analog CCTV camera to cover a 100-acre campus would have had it easy compared to his friend, who used twigs around his campus as motion detection devices, or his other friend, who had to protect a nuclear facility with a toothless hamster.
While security hasn’t yet reached the holy grail of budgets, fewer security budget requests are undergoing the Spanish Inquisition.
Michael Gips is vice president, publishing at ASIS International. He was previously vice president, strategic operations at ASIS and senior editor at Security Management.