A Security Transformation
Transforming the security function from guns, guards, and gates into a strategic business asset is not a new concept, and yet it can still be elusive. A trio of GSX+ sessions on Wednesday, 23 September, offer insights and experiences to help security leaders steer their departments towards the type of partnerships that will add value for the entire enterprise.
Security Data and Its Relationship with Other Departments
In “The Real Story of How Analytics Affect Physical Security” (10:15 a.m. to 11:05 a.m. EDT), Jonathan Moore, product director at AMAG Technology, and Louis Boulgarides, CPP, president and CEO at Ollivier Corporation, dive into the usefulness of physical security data to support other departments’ business goals. The pair offer specific examples:
Partnering with HR, Legal, and Compliance. These departments are particularly interested in ensuring that only the proper people are allowed in facilities. For example, perhaps an area should be restricted to people who have undergone a particular safety training protocol. A system somewhere is tracking who has completed the training. Combining the data from that system with the access control system can ensure compliance.
Another example would be integrating data with an HR system. If someone’s access pattern changes—for instance, a person leaves the building after 8:00 p.m. several times one week when they never did previously—that might be a minor alert. Combine that with information that the person gave their two-week notice, and it may be worth a closer examination.
IT. The hardest network penetrations for a cybersecurity team to prevent are those that originate within the company’s facilities. This is why so many companies have built significant integrations between physical security data and IT analytics.
Facilities and Maintenance. This is another area that has traditionally built close ties with security. Physical security data has long been used to create building automation features, such as locking down certain areas or changing HVAC settings. An interesting, relatively new use of access control and video surveillance data is using it to determine real estate usage to decide if more or less space would be efficient. After many companies changed policies because of the COVID-19 pandemic, this data may be particularly useful for making business decisions.
Marketing. Video can be used to determine traffic flow for the positioning of anything important—whether that’s a product display in retail or safety information in a warehouse. Moore pointed to one retailer using parking system information and video surveillance to determine that while the number of people has been reduced during COVID-19, the company has a much higher conversion rate per customer. Another company used video data to determine which storefronts of an open-air mall saw the most foot traffic, and adjusted rent accordingly.
Security as Silo-Buster
In “The Path to ESRM” (12:25 p.m. to 1:15 p.m. EDT), a session led by Jeff Sieben, CPP, principal at Sieben and Associates Ltd; Brad Rooke, CPP, senior solutions consultant, customer success, at Igloo Software; and Thomas Berkery, enterprise security investigations and reporting, Discover Financial Services, two recurring metaphors were “culture eats strategy’s lunch” and building a wolfpack mentality.
The first metaphor means that a risk management strategy is not enough; organizations must develop a risk management culture that pervades all their decisions and operations. The wolfpack idea depicts different groups performing different functions while all working together on a shared goal. The presenters propose that security, through enterprise security risk management (ESRM), can play a crucial role in building that culture.
The presentation looks at ASIS’s ESRM Guideline, and its emphasis on the idea that asset owners are responsible for the risks associated with their area. But as Berkery notes, it can’t end there.
“No one likes to receive bad news and then be told now you own it,” he says. Security can operate like a risk partner. Rather than being owned by a particular function, it can be shared.
Indeed, risks are not even isolated to a department. The risk of one area can, and probably usually does, affect the risk of another. Security’s role in ESRM is not only to help different departments enumerate and prioritize risk and develop mitigations, it is to help departments see their interdependencies.
Rooke told a story of how circumstances dictated a process change in one unit—shipping something early to another unit. But the new unit refused the shipment because accepting it would mean departing from its previously established security protocols. This is the kind of incident that doesn’t happen when there is a shared culture of risk management.
A Different Conversation
In “The Business of Security Is the Strategy of the Business” (2:35 p.m. to 3:25 p.m.), Jeffrey Slotnick, CPP, PSP, president of Setracon Enterprise Security Risk Management Services, and J. Kelly Stewart, managing director and CEO of Newcastle Consulting, LLC, present the scenario where a security director goes to executive leadership with a request for a $300,000 video surveillance system to protect an asset.
“That’s one conversation,” Slotnick says. “But it’s a different conversation when you can identify an investment and identify how it promotes the strategy of the business.”
How does a security team get from the first conversation, in which the department is a cost center, to the second conversation, in which it is a strategic asset? The basic answer is combining the lessons from the previous two sessions: using security data and operations to enhance the capability of other business units and doing so through the lens of risk management. Slotnick and Stewart examined three areas of traditional physical security and applied them to this way of thinking.
Global security operations centers (GSOCs). As a security tool, a GSOC is a way to monitor and respond to incidents. Slotnick and Stewart note, however, that the data being fed into a GSOC could be a risk assessment dynamo. Reorienting the GSOC so it is designed to capture and disseminate information related to risk management may mean measuring and monitoring different things, and it assuredly means analyzing the data differently. It’s not what is threatening the physical security of the company, it’s what is impeding the organization from being as effective and efficient as possible. Traffic patterns, space utilization assessments, incident response times—all of these data collections can affect the risk posture of an organization.
Security force management. Right-sizing and efficient use are the keys in this area. Visitor management is often a key task for front-line security, and it’s a function where many companies have found centralization and use of technology can improve security and reduce the manpower needed to staff it. It’s important for organizations to examine the scope of work they developed for frontline security. It likely focused mostly, if not entirely, on the physical security needs of the organization. Taking a fresh look at those work orders using risk assessment needs as the driver—rather than physical security—could be revolutionary for how an organization develops and deploys security personnel.
Physical security technology. Just as with force management, much of the technology in place comes from traditional physical security ideas. Security professionals can frame that conversation by using risk assessments and risk management as the controlling factor in determining functional requirements. In both cases—force management and security technology—when you shift your thinking from physical security to risk management, your basic, important physical security needs will still be covered, and you will be positioning security as a strategic partner that adds value to the business.