Security Benchmarking - A guide to obtaining upper management financial support

Securityinfowatch.com has a good article on on Security Benchmarking in regards to obtaining upper management financial support to advance your security program. It is an article by Sean Ahrens, CPP, CSC, full of some really good tips to all of you security professionals out there struggling to get the financial support for your new security initiatives that you realize is important but management won't write a blank check for.

Security Benchmarking
A guide to obtaining upper management financial support and to advancing your security program

As security professionals, we are continually being asked to do with more with less. As a corporate security professional takes on these new responsibilities, their core organizational offering becomes strained. This article delves into security benchmarking, which can provide another viable means to obtain funding for important security projects, thereby assisting your organization in being “proactive about tomorrow's uncertainties.”

The most important thing that a security professional needs to realize is that the days of walking into an executive's office and getting a blank check are, for the most part, over. Security professionals need to become knowledgeable and proficient in the business etiquette of requesting funds. To do this, a security professional should become familiar with topics including value, cost, risk, and most importantly, their independent evaluation through the business proposal. A good business proposal will indicate the costs compared to risk; and the costs compared to the expected value of the implementation.

Security professionals should also be aware that security risks, from a corporate executive's standpoint, are generally classified as low-impact, low-risk with a high probability. As a result, many executives choose to absorb or transfer these risks, rather than mitigate them. There are few methods to motivate an executive to finance a business proposal for additional funds to support a security management program. Some examples include:

• Codes, Standards and Guidelines — For the most part, as it relates to security, this is not recognized by executives currently. However, this influx takes time and you can expect changes in executive's attitudes as these are continually developed and integrated into the business community.

• Legislative requirements such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), etc.

• Current organizational security statistics, calls for assistance, losses through theft, damage, and litigation, etc.

• Benchmarking — Statistical evaluation of like programs within like organizations.

In the absence of internal incident reporting statistics. standards , codes or legislation, many executives are apt to provide funds for a business proposal if you can show a statistical correlation through benchmarking. Benchmarking compares what you want to do with what other organizations are currently doing or planning to do. In many instances, benchmarking your organization will have a greater benefit than statistical incident data.

Individual organizations and their senior management teams are continually comparing themselves to like organizations. From a process and liability standpoint, it is easy to convey that there is liability associated security programs that are delinquent compared to other like organizations being benchmarked. Also, the data presented is more readily verifiable as opposed to security incident data.

The Process

No matter what you are trying to do, ideally, the benchmark process is preceded by an idea that leads into a business proposal. A well-articulated business proposal or white paper backed by reliable, verifiable and quantifiable benchmark statistics, will both assist in validating your opinion to senior management, and also aid in your plan's implementation. A business proposal, at the minimum, must include an executive summary, which will include subsets of the entire proposal, such as:

• The problem statement;

• Methodology;

• Proposed resolution;

• Implementation Plan;

• Impact on budget;

• Return on Investment;

• Return on Investment (ROI) over “x” amount of years;

• Statistical data; and

• Respondents contact information.

The Benchmark

It is important to note that the benchmark is a tool, which substantiates the need for funding to support security management programs. Security professionals need to take into account the costs and the perceived ROI.

An important part of the benchmarking process is to validate and identify to senior management the need for security by comparing your organization to other like organizations. However, before you start your benchmarking process, you should be reasonably sure that the data you collect will validate your business proposal. I have worked with organizations that conducted benchmark analyses only to learn that there was no validation in what they wanted to prove, and that the data collected actually contradicted their assumptions. An unsubstantiated benchmark wastes a lot of time and the data cannot be released.

A benchmark, if correctly implemented, should clearly identify synergies and consistencies, in the areas you wish to compare like organizations or business units of related companies. Typically, security professionals will know that they have a need for benchmarking, but are unsure what they want to learn. The best method for vetting this would be an open and collaborative staff white board session. During this white board process, a multitude of topics and ideas can be expressed.

The second part is to validate and score all available topics for inclusion into a potential question pool. One suggestion is to associate each question to a rating on a scale of 1-10. Only questions in the 7-10 range should be selected for final inclusion into the development of the benchmark.

Once the question pool has been scored, you may have to further vet this process and narrow the question pool. The benchmarking process must not be qualitative, that is, in the form of open-ended questions such as: describe your organizational structure; to who do you report; and what types of security are in use. Questions, no matter how they are administered, must be quantitative and focused, which is easily achieved by providing multiple-choice answers. By implementing a quantitative process, there will be a clearer and more defined statistical correlation with the items that you wish to benchmark, validate and present to upper management.

Creating a Survey

Once you have the questions, you need to determine the depth of your benchmark. Clearly, whenever applicable, it is important to seek out like organizations, which are commensurate in staffing and geography. It is not necessary for you to obtain 50 or 60 respondents. Ideally, your respondents should be chosen using sources that identify competitors — which executives can relate to and will want to outpace. In a hypothetical scenario, showing an executive that 5 out of 6 competitors have selected digital video recorders will carry more weight than simply asking to deploy a DVR.

Consider how the survey will be administered — will it be on paper, online or via phone? In some instances, certain types of businesses, such as banks, may elect not to participate in a blind online survey. In these cases, allow plenty of time for a telephone interview. Typically, the most cost-effective route is to use a semi-free service such as SurveyMonkey.com. However, the best method to guarantee results for your benchmark will be through time-intensive phone calls and interviews.

A byproduct of the phone interviews is networking and relationship-building with organizations that are most likely dealing with the same issues. Timing is also critical to your survey, and should be considered throughout the administration of the benchmark. Avoid the holidays and end-of-fiscal year because like you, your respondents will be busy and less likely to participate.

The quantity of questions is also very important — the fewer the amount of questions, the more likely you will obtain responses. When faced with an extremely long questionnaire that cannot be reduced or vetted any further, identify leverage for the participant to take the survey, including free gifts, such as a gift card, or offering access to the final results of the benchmarking study.

Obviously, the number of respondents will determine the budget, but leverage can be found in networking and other avenues.

Consider Timing

Timing is critical — realize that even with the correct amount of leverage, organizations you wish to benchmark will be slow to respond. A benchmark process may take several months, which should be calculated when considering business budgeting cycles. Correlating your benchmark just before a budgeting cycle will allow enough time to present results and provide the best opportunity for obtaining additional funding.

As security professionals, we will continually be called upon to do more for our respective organizations; however, meeting those challenges does not mean that we have to do it with less. Use these concepts to validate to executive management the need for additional funding, and benchmark similar organizations to assist you in meeting your goals and assist your organization in being “proactive about tomorrow's uncertainties.”

Sean Ahrens, CPP, CSC is a project manager for security consulting and design services with Schirmer Engineering and has more than 16 years experience in the security industry, 11 of which has been as a practicing consultant. Mr. Ahrens volunteers his time on the ASIS International Commercial Real Estate Council (CREC). He can be reached at (847) 272-8340 or via e-mail at sean_ahrens@schirmereng.com.

- The Hackett Security Team

No comments: