The financial case for making the investment in a security program review
Updated: Feb 11, 2021
"What does a Security Consultant do, and why would a business spend thousands or tens of thousands of dollars to hire one?” This is often one of the first questions I am asked when introducing myself to a new business acquaintance or potential client. Even when they don’t ask, I can often tell that they are thinking it and just don’t feel comfortable asking it directly.
A security consultant is an individual or group of individuals who have specialized knowledge in the security industry and use this expertise to assist their clients in developing and managing their security programs. During a security program review a Security Consultant, or team of Consultants, provide an outside unbiased evaluation of an organization’s security program, use their experience to identify security risks to the organization that are not currently being mitigated or that could be mitigated more efficiently, and utilize their expertise to make recommendations on how the organization should best address these deficiencies.
Many companies make the decision to retain a consultant simply because organizational leaders want to ensure that they are doing all that they can protect the people and assets of their company, or because the organization already has an executive tasked with managing their security program who recognizes that an unbiased outside review can help identify gaps that may be easily overlooked from the inside. In other cases, and increasingly so as organizational budgets feel the impact of the economic downturn, an organization’s leadership sees the value of engaging a consultant but must be able to demonstrate a quantifiable financial return on investment from any sizeable new expenditure.
Security, at its core, is an anticipatory discipline. When potential threats can be identified prior to their occurrence and appropriate mitigation measures applied, the desired result of prevention can be achieved. Unfortunately, it is difficult to quantify the financial impact of an event that may have occurred if mitigation measures were not in place but has been prevented by due to the organization’s security program.
In spite of this there are times where a security consultation engagement identifies an ongoing issue and makes recommendations that are used to rectify it that can then be translated in quantifiable cost reductions, below we have provided several case studies from organizations that we have worked with where this was the case (some details have been changed in order to conceal the identities of the organizations involved).
Case #1: Corporate Client Vendor Management
A client in the financial services industry with multiple locations had centralized responsibility for all their security technology installations and upgrades to a single vendor who they had established a trusting relationship with over the course of more than a decade. Our review identified that the price that they were paying for some projects was out of line with what we typically see across the industry and recommend that they seek competing bids for their upcoming projects. The competitive bidding process revealed that their trusted vendor was charging them over fifty percent more than other vendors. While they choose to maintain their relationship with the initial vendor, they were able to use the information they had gained to negotiate new pricing that reduced their overall spend on security technology installations by over thirty percent annually.
Case #2: Healthcare Security Staffing
The employees in the Emergency Department of a hospital that was part of a mid-sized health system had expressed concern over their safety after a number of assaults on staff members by patients. The Level II Trauma Center campus already staffed their Emergency Department with one Security Officer twenty four hours a day and review of Security Department records showed that Security staff were spending on average over six-hundred hours a month in the Emergency Department assisting staff with “combative” patients. In spite of this level of Security presence the Emergency Department employees still felt unsafe and were requesting, through their union representative, that they add the organization contract with the local Police Department to add an around the clock Police presence in the Emergency Department. The hospital wanted to ensure the safety and happiness of their staff but were hesitant to make the trade-offs necessary in order to absorb the nearly $800,000 per year cost of an around the clock Police presence.
Through a collaborative root cause analysis conducted with the departments involved we were able to identify that much of the concern that patient care staff were experiencing came not from a lack of Security or Law Enforcement support, but instead from a nearly universal level of discomfort working with patients who were suffering from mental illness, trying to defuse potentially violent situations and protecting themselves from assaults when they did occur.
In light of the findings, rather than implementing a Police presence, the hospital decided to invest in training for their Emergency Department staff in crisis de-escalation, self defense techniques, and in working with patients who are suffering from mental illness. Additionally, the hospital was able to fund a position for nurse who was an expert in metal illness to serve as resource for the staff in the Emergency Department when patients presented with symptoms of mental illness. Once these measures were implemented, the hospital not only saved several hundred thousand dollars a year by not implementing the request for a Police presence, but assaults on staff decreased by nearly fifty percent, patient complaints declined significantly, staff satisfaction scores increased, and calls for security assistance were reduced to a level where Security Officers were spending less than sixty hours per month in the Emergency Department and the Security Department was able to allocate resources to other areas of the hospital that were in need of their assistance.
Case #3: College Campus Loss Prevention
We identified a potential for theft from the material and tool storage area of a technical college where we were performing a review and recommended that policies be changed to reroute all foot traffic away from an unmonitored emergency exit that was being propped open and to an nearby exit that was already being monitored by video surveillance. Shortly afterward, the campus used this video surveillance to identify theft of material and tools that had previously been going unnoticed. The subsequent investigation revealed that ongoing theft by one instructor and several students that had averaged several thousand dollars’ worth of material and tools a month for at least a year before it being discovered.
Case #4: Nightclub Security Training Program
During a review of the security program for a nightclub operator who had been subject to multiple lawsuits, averaging three a year, alleging excessive use of force by their security staff. They had not been found negligent in any of these suits but had sustained extensive legal expenses and had settled two suits by providing compensation to the plaintiffs. Our review identified significant deficiencies in their training program and policies governing the use of force by the security staff at their properties. In response, based on our recommendations the organization developed policy guidance on use of force and implemented a standardized training program for their security staff which included instruction on approved defensive tactics and appropriate use of force. As a result, in the two years following our assessment the organization was only forced to defend itself against one threatened legal action based on use of force by their security staff, which was dismissed on summary judgement.
Case #5: College Campus Security Staffing
A mid-sized career college located in a relatively high crime area utilized third party security staff provided by a large international contract security provider. Their security provider had assisted them in developing their security plans for the campus and had performed annual risk assessments to help them identify security risks and implement solutions to mitigate them. One risk mitigation that had been implemented after a rash of thefts was to staff each entrance with a uniformed Security Officer to ensure that only students and staff were accessing their buildings. During our assessment we identified that four of the staffed entrances could be more efficiently managed using security technology. The campus was able to install an electronic access control system that allowed these doors to remain locked and staff and students to access them using their campus ID card. Implementation of the electronic access control system cost the college nearly $100,000 in capital spending, but once implemented they were able to eliminate the Security Officer positions that had been tasked with providing access control at those doors for an annual savings of slightly over $400,000.
While, there can be no guarantee that a review of an organization’s security program will result in cost savings of this magnitude, it is common that an outside expert looking at the program without pre-conceived biases will identify significant efficiencies that the organization can implement relatively easily that not only improve their security posture but also result in cost savings.
The benefits that each of these organizations garnered from a review of their security program were not limited the financial benefits outlined, each organization was able to implement changes to their security program that helped them realize annually recurring savings that were many times the fee they had paid for the assessment.