Dan Nielsen 2017-07-13 23:04:03
Facility management professionals own the performance of a building. How that performance is measured and managed is central to the risk, resilience and security of stakeholders and assets.

Where security management reports varies by market and by revenue. In the Fortune 100, the role reports directly to the chief executive officer or through the chief financial officer or chief legal officer. For many companies under US$100 million in revenue, however, which according to the Census Bureau represent a third of businesses in the United States, the facility executive is responsible for the protection of assets and employees. The security industry started with guns, gates, guards and door-locking systems, so the facility’s chain of command became a common reporting structure for security departments and frequently still is.

An emerging theme within the security industry, but one less familiar in the facilities industry, is the value stream of security. Securing assets and protecting the people and processes of an organization is a critical business function that has come to be called enterprise security risk management (ESRM). The most important word in that name is “risk.” Security and facility managers are expected to manage the security risks that threaten their organizations, yet the security designed to address those risks is seldom strategic. There is no shortage of bright and shiny security devices that vendors are more than happy to sell. Questions like “Why do you want that device?” and “Does it meet your security needs?” should trigger an evaluation of the facility’s risk profile before anything is purchased.

THE PATH TO RISK MITIGATION

Security and facility professionals cannot prevent every event from affecting viability, brand and value, yet they will still be tasked with minimizing that risk. A risk profile assessment should therefore be the first step in meeting that demand. From the risk profile, a security strategy emerges that fully recognizes and describes the risk. From there, outline cases for technology or personnel that meet the security needs. A technology evaluation cycle follows, and all of this leads to a plan that describes how people and technology can best address the risks, and ultimately what security program and technology should be deployed. In short: risks are described and evaluated, mitigation strategies are thoughtfully considered, and a risk mitigation program is implemented.

Facility executives will recognize the next step, which is managing and measuring the performance of the technology. Without a performance management budget and plan, security systems develop the same problems that facility and building management systems develop when they are not maintained.

One challenge is that security and facility executives share similar issues:

• They are being asked to own risk, when they should be advisors to the risk owners.
• They are asked to protect assets and people with a flat or declining budget that does not keep pace with an expanded all-hazards risk environment, when they should be innovating on the executive value proposition of security.
• They have neither the time nor the budget to stay current on risk conditions, best practices and technology, so they rely on technology vendors and resellers. Instead, they should be building an integrated team of knowledge experts that shares and communicates through a formal methodology.

Another challenge is that the security vendor value stream consists of silos of excellence with conflicting priorities, plus relationship and communication issues. Here is the journey many organizations go through while attempting to engage the vendor community:

1) Hire a consultant to provide a risk, threat or vulnerability assessment. But does the assessment cover organizational risk, cultural risk, security program risk and/or security technology risk?
2) The consultant issues a report with a recommended prioritization of gaps to be addressed. But does it address optimization at the people, process and technology levels?
3) The consultant is asked to help draft a request for proposal for technology resellers to address the risk. But does the reseller gain insight into the risk profile and gap strategy, so that it can drive a technology solution that best optimizes the program, mitigates risk and delivers value to the organization?
4) Risk assessments are not persistent, although the risks are ever changing. There is no plan for continuous quality improvement driven by the heart of the program: risk.
5) A reseller wins the bid but, because of the competitive nature of the bid, does not push for a comprehensive performance management plan. Resellers know that the lowest bid will win.
6) The reseller wins this bid but does not win the next. There is no plan for maintaining institutional knowledge around the implementation, integration and maintenance of the system architecture, much less the risk profile.
7) The executives of the organization:
• either do not recognize risk or do not have ownership of it;
• have no value proposition for risk, resilience or security; and
• are increasingly exposed to risk and under-leveraged in value.

The industry must find a different way. We are at an inflection point, and the transactions of value within the ecosystem of consultants, integrators, product vendors and security and facility executives must evolve to meet the new business and risk reality.

According to many studies, security executives have very little time for aggregating knowledge about the local and global risk picture. They face the same challenge in staying current with best practices and standards for their profession. Finally, like their business counterparts, they must leverage subject matter experts to help research and assess new technology that may affect their strategy and practices, and they must do all of this under pressure on their budget, their value and their resources.

A more strategic and comprehensive value model is needed, but a specific challenge still stands in the way. Many security and facility executives do not have a scorecard or dashboard with which to measure and manage an evolving 360-degree picture. They are also under-leveraging their culture, which may be one of their greatest risks. Peter Drucker, the respected corporate strategist and author, observed that culture can derail the best strategy. There is a reason for this: change is difficult for most organizations, especially when new strategies disrupt or evolve old behaviors. We are learning, as an industry ecosystem, that we must get the strategy and the measures right before implementing technology. Now we are also saying that we must get the cultural change process right as well. How do you create a high-performance culture, adaptable to change and innovation, while also building and leveraging a comprehensive all-hazards risk mitigation program that redefines how the risk ecosystem behaves?

Security and facility executives are longing for a fresh perspective on how to organize and optimize the people who perform roles in core processes using technology and tools. They are asking:

• How do you create effective and empowered leaders?
• How do you give them clarity in their purpose and mission?
• How do you create a highly adaptable organization with a culture of resilience, continuous change and continual improvement?

UNIFYING BUSINESS AND SECURITY DRIVERS

Facility executives can lead in the C-suite by understanding how the organization’s investment in secure facilities is inextricably tied to its business drivers and core processes. They must know their current program performance baseline, which will include measures of risk defined by them and their internal stakeholders, as well as the efficiency of their people in delivering core processes through technology.

Where risk is assumed to be negative, the technology baseline represents the potential to create value by mitigating that risk and by capturing opportunity. But the technology must have measures of performance as well. Many of these measures can be expressed across the “ilities”:

• availability
• defensibility
• reliability
• sustainability
• maintainability

Technology without a strategy for first adapting the people, processes and tools will only accelerate problems. Done with a proper methodology, organizational resilience truly becomes the capacity to adapt in a complex and changing environment. Doing this well requires a collaborative effort across many management disciplines, which are usually silos within an organization. Silos can be accepted, but the measures and the feedback from security executives are clear: the more you integrate the silos, the more time, money and resources you will save, and the more secure you will be.

There is a category of emerging services that will help navigate the journey: security risk management services (SRMS). An SRMS provider can operate in any of the consulting, services or technology areas. What differentiates such providers is knowledge of their role and competence in helping to unify the language, processes and information management architecture of ESRM. Ultimately, organizations that truly want to create ESRM will need to find, assess, contract and manage the external domains of knowledge and resources within the SRMS category. Few organizations have the resources and skills needed to do this. New organizational competencies are required; the organization’s DNA must evolve to muster the will, strategy and operational discipline to engage the ecosystem.

There is a better way to mitigate risk and improve the value of security to the organization: collaborative relationships with vendors that are adopting a security risk management services practice. They will prove their value by answering the “Why” question with a deliberate methodology based on best practices.

DAN NIELSEN is a principal consultant within the Enterprise Security Risk Group (eSRG), Aronson Security Group. He has been a director of security, facilities and business continuity for a high-growth natural gas distribution company. He is also an authority on fraud investigations and computer-related crimes at the national and global level. Nielsen blends 23 years as a special agent with the Federal Bureau of Investigation (FBI) with consulting and management of security programs in the private sector. At the FBI, he became accomplished in computer-based crimes as well as bank, mortgage and wire fraud.
Published by International Facility Management Association.