Building a Security Team That Works
By BOM Editorial Staff - March 2006 - Security
When assembling a team for any corporate project, it’s easy for egos, titles, department sizes, individual agendas and reporting relationships to hinder the team’s ability to accomplish its goals. When facilities executives are charged with forming a team to tackle an issue as sensitive as corporate security, problems can be amplified. However, there are many steps facilities executives can take to smooth the process and build an effective group that meets an organization’s objectives.
As a starting point, it’s wise to include employees from departments across the organization. The goal should be to bring to the table individuals likely to be affected by the security system, as well as the employees needed to assist with its implementation, says Jerry Cordasco, vice president and general manager with Compass Technologies.
Assembling a broad-based security team offers several benefits. Including employees from different departments helps build buy-in for the system that’s eventually implemented, says Debra Spitler, executive vice president of HID Connect.
In addition, having team members from a range of departments helps minimize the chance that critical details are overlooked. Tony Diodato, president of Cypress Computer Systems, offers an example: a representative from the human resources department may be the only one to point out that some employees speak little English, and any emergency signs should be printed in several languages.
Members of the team likely will come from the security, information technology, human resources and finance departments. In many cases, the facilities executive will lead the team, says Diodato.
Given their leadership role, facilities executives should feel confident that the proposed security solution addresses the problems it is supposed to solve. They should believe the system is cost-effective and allocate resources to maintain the system. Although facilities executives may not be the only individuals to weigh in on the system chosen,
their input usually will be weighted heavily. That’s especially the case when the security function falls under the facilities department.
Because many security systems today are linked with the company’s information systems infrastructure, it has become increasingly important to include a representative from the IT department on the security team. “There’s a convergence of IT and physical security,” says David Heinen, product market manager for enterprise systems with Bosch Security Systems. “You don’t just worry about who’s coming in the door, but also who has access to the network.”
Given the need to use the IT network for the security system, the security team will need to work closely with IT to ensure that the two systems are compatible. For instance, the team will want to verify that the bandwidth available for security applications is sufficient, especially in the case of closed-circuit television installations. In addition, members of the security team and employees from the IT department should decide such issues as who is responsible for protecting the security system against viruses.
Another reason to bring IT onto the team is funding. Within an organization, money earmarked for security often is allocated to both the security and the IT departments. In fact, the IT department’s budget often is larger than the budget of the facilities or the security departments, says Rob Zivney, vice president of marketing with Hirsch Electronics.
“A lot of companies use IT as leverage; they use their budgets to help fund security projects,” says Chris Crane, director of national operations for the security division of Siemens Building Technologies.
Perhaps most importantly, neglecting to include IT early in the project can lead to conflicts. “They can be either your greatest ally or your greatest enemy,” says Cordasco. “If they are told after the fact, egos get involved.” They may, for instance, balk at maintaining the new security system on the network.
On the other hand, it’s important that the IT department not dictate the security solution to be used, Cordasco adds. Some IT employees may believe that, because they know virtual security, they also know physical security. In reality, however, the two areas are very different.
So, while it may make sense for the IT department to provide specifications for systems residing on their network, it generally doesn’t make sense for IT to select the system.
In addition to IT, the security team should include representatives from the human resources department. In part, this is a practical matter. As Bosch’s Heinen notes, most security databases obtain information from the employment or human resources database. That way, once an employee is hired, he or she is automatically added to the security system and receives access to the office and the computer system.
Equally important, when the systems are linked, employees who quit or are fired and are deleted from the employee database also can be automatically expunged from the security system as well.
Human resources professionals can also offer important insight into workplace or employment laws that the security team might inadvertently violate, says Matt Barnette, vice president of sales with AMAG Technology. For example, improperly installing a security system that will monitor employees’ actions could raise concerns about employee privacy.
The human resources department also can be a great ally in getting other employees to accept, understand and use the security system that is implemented. For instance, perhaps the company will be asking employees to wear name badges. Ideally, all employees should question anyone in the offices without a name badge. This won’t happen unless employees know that they’re supposed to do this and that the company supports their efforts, Barnette says.
Role of Finance
Representatives from the finance department should also be part of the team. The finance group likely will request that a business justification be made for the security system. To be sure, most security systems will provide benefits that can be measured by their impact on the bottom line, as well as softer, less quantifiable benefits. It’s important to identify both types of benefits, as that can help the team determine the overall return on the company’s investment.
For instance, an electronic security system may allow an organization to eliminate several security guards, says Siemens’ Crane. This reduction in expense should show up on the financial statements. At the same time, an updated security system may help attract tenants to an office building. While it may not be possible to put a specific dollar figure on this, it’s still helpful to recognize that the new system will provide this benefit.
At the same time, the finance and business operations managers need to let the security team know the company’s business objectives for the next few years, as these can significantly affect the design of the security system. For instance, if management expects employment to increase significantly in the next few years, the security team will need to look for a system that can grow with the company.
Finally, it can be helpful to include an independent expert or consultant who can assess objectively any security weaknesses within the facility and suggest cost-effective ways to address them.
Although it’s critical to obtain input from a variety of departments and outside consultants, the facilities executive charged with implementing a security system still will need to make the final decision. This balancing act — asking for input and listening to concerns while moving in the direction that makes the most sense for the company — requires leadership skills, Diodato says. Facilities executives have to convince their colleagues to respect the decision, even though they may disagree with it.
Steps to Take
Once the team is assembled, one of its first steps should be defining clearly the security challenges the team must address. That means identifying the priorities of the organization, Diodato says. In some companies, such as pharmaceutical firms, securing physical space and its contents often is just as critical as safeguarding people. In other facilities, such as schools, the focus is shifted significantly to protecting people — in that case, students and staff.
The security team does not want to assume that simply purchasing a system will solve the security problem. For instance, some facilities purchase a security camera system, but then allow the back door to the facility to be left open. Typically, the right solution will be a combination of hardware, software, processes and policies.
An effective security system will reduce the risk of unwanted outsiders getting into a facility, yet allow the business to conduct its operations as efficiently as possible. The optimal system depends on the use of the building, says Spitler of HID Connect. For instance, the facilities executive of a multitenant office building may want to enclose the lobby so visitors are unable to access tenant areas without signing in and receiving a name badge.
On the other hand, at a corporate headquarters office where employees use identification cards, it probably will make sense to install a card reader near the employee entrance. That way, employees won’t have to use another entrance and won’t be tempted to prop open the door to get in more quickly.
A regular, ongoing maintenance program also is key to an effective yet unobtrusive security system, says Crane of Siemens. Poorly maintained security systems are even more of a problem for organizations that prefer security to be as visible as possible. That’s often the case with schools and college campuses, Diodato says. “They’ll say, ‘We want security to be visible and intrusive. We want everyone to know it’s there.’”
To choose a system that will provide the most value, the team will want to pay attention to both initial expenses and any ongoing costs, such as for software or hardware upgrades, Barnette says.
Heinen of Bosch says that security teams should forego the temptation to purchase a lower-priced proprietary system. Any initial savings will be lost later on when it’s difficult and expensive to move from that system to a newer one, he says.
The team also will want to consider whether capabilities of the security system can be leveraged across multiple departments. For instance, many identification cards also can be used by employees to pay for lunch in the company cafeteria or to access the copy machine, says Spitler of HID Connect.
Team members also need to consider how best to connect the various databases that might be used in the system. For instance, it might make sense to link the access control and closed-circuit video systems. That way, the system will record both the card that was used to enter the building as well as an image of the person using it.
Industry experts agree that most members of security teams have similar agendas: They want to protect the company’s physical and electronic assets, as well as its employees and customers. Where differences of opinion can occur is in deciding just how to accomplish these goals. For instance, the security department may believe that its employees should have access to the information network, while the IT department may want to limit the number of people with access.
To minimize the chance that team members will develop strong differences, it helps to develop a mission statement and goals for the group, says Heinen of Bosch. “That way everyone understands their role within the security team.”
An Organizational Priority
To be effective, the security team will need to promote the system to both management and the broader organization. Given the attacks in the United States on Sept. 11, 2001, as well as attacks and instability in other countries since then, most executives are aware of the need for security.
However, spending on security in many companies still tends to be a reaction to a specific event. For instance, when one hospital experiences a baby abduction, hospitals nearby often rush to beef up their security systems, says Barnette.
To help management and employees develop a more proactive mindset, facilities executives need to point out the benefits of the security system. If the installation of the system has reduced the company’s insurance costs, management should know. Similarly, if a security system helped to prevent a theft or violent incident, the facilities executive should spread the word.
“The facilities executive must be enthusiastic about what security can do for the organization,” says Spitler of HID Connect.
The “A” List
Who belongs on the security plannning team? The goal should be to bring to the table individuals likely to be affected by the security system, as well as the employees needed to assist with its implementation.
SIA Certified Project Manager
As facilities executives determine who to include on the security team, they may want to consider individuals who are Certified Security Project Managers (CSPM). The CSPM program, which is offered by the Security Industry Association, recognizes individuals who have demonstrated proficiency in managing security system projects.
About the Security Industry Association
The Security Industry Association provides an array of services — including education, research and standards — to promote industry growth and professionalism.