Starting from the End: Creating a Master Security Plan
My grandfather once told me, "If you build a levee six feet high but the water rises to seven, you've wasted 100 percent of your investment. But if you build that levee to eight feet, and the water rises to seven, no one will care about the over-investment."
A good master security plan helps you spec and budget for that seven-foot flood with an eight-foot levee. And ultimately, a good plan leads to a good security system.
That's what one of our clients, a large private university in the Puget Sound region of Washington State, discovered when we went through the planning process for its access control and video surveillance system. In developing the master security plan, we realized that just expanding the existing systems would not meet the school's future needs, and updating the systems as an interim step would ultimately be more expensive than putting in new systems.
So how should a security manager develop an effective plan? Here are my suggestions for best practices in creating a master security plan, based on 30 years' experience in the facility vulnerability sector.
Start at the End
Where do you want to be in five, 10, or 15 years? Once that is established, work backwards from there. If you have a vision for your security plan, you can build in enough flexibility to get there without having to rip and replace every few years, and you can identify long-term cost savings and operational efficiencies along the way.
For example, what if, someday, your access control system could interact with the IT system to enhance network logins? Or if the video surveillance system could automatically release the car gate when the correct license plate is read?
Looking at the ultimate goals of our university client, we discovered that what managers really wanted was an integrated video and access control system, with higher-resolution security cameras. While that decision meant delaying implementation of some access points and cameras, choosing flexibility was a better long-term decision to meet the organization's security goals.
Keep Going Broader
Once you have your video surveillance and access control needs handled, look for additional opportunities and vulnerabilities. For example, look at how you can leverage existing video data for business goals, such as reducing inventory waste or worker productivity. Look for ways to integrate systems to reduce security headcount. Integrate physical security with cybersecurity systems to reduce human-created security vulnerabilities. Think big so you can do more than protect; you also help your business thrive.
In our example, the college wanted to ultimately create a single card that would act as a student ID, a food service card, a library card, and an access control card. While this integration would save money down the line, we needed to bring several different departments together to make sure that their interests would align. We ended up selecting a slightly more expensive card than it had been using—but the selected card had a proximity chip, a chip for financial information, and a bar code for library information. Everyone got what they wanted, and the cost was lower than purchasing four separate cards.
Ask the Hard Questions
These are the questions that are hard to consider because the answers may be embarrassing, or they require negotiations between groups, or they require more resources. Some examples follow. Are there hidden security flaws in our facility? How do we find them? What are the known issues and what capacity for the unknowns should we build in?What have we learned from past crises? Where do we think emerging threats will come from?How do we navigate between competing agendas?
College administrators had to consider choices such as spending on beautiful landscaping versus creating a safe environment. Other hard questions arose. For example, one department wanted a single-use card, but others preferred a multi-use card.
Focus on the Future
Make sure your plan will help you grow. That means searching for products that can be integrated, that are scalable, and that can segment data and reports. It may also mean installing a larger conduit than you currently need or choosing the vendor that has a scalable architecture. And it requires investing more today to save on ongoing maintenance and configuration costs tomorrow.
In the college's case, its existing video surveillance system was entirely centralized and was not capable of communicating with the access control system. It couldn't record high enough quality images to meet the ultimate surveillance goals. The access control system also had issues. It was at the end of its lifecycle and would not be supported within a few years, and its software was antiquated and incapable of integration with other systems.
For the college, the least expensive decision today would have meant a lot more investment in the future. Thus, we oversized the new server to handle additional video surveillance needs in the future. In addition, as the college added new buildings, we made sure they were integrating a higher wire volume than current needs, as well as building in access control during construction. This last element can reduce access control costs dramatically.
When you apply these best practices in developing master security plans, you make better decisions.
Erick Slabaugh has more than 30 years of experience in the specialty contracting industry and is a serial entrepreneur. He is CEO and majority stockholder of Absco Solutions and founder and CEO of FCP Insight, a SaaS business solution for specialty contractors.