For many facilities executives, security represents a common challenge with uncommonly high stakes. Companies often expect high levels of facility performance without making the investments required to achieve that performance.
That’s an all-too-familiar dilemma when it comes to matters of comfort, energy efficiency and aesthetics. But when security is at stake, especially in a post-9/11 world, the risk is far greater than the possibility of temperature complaints or a shabby workspace.
More and more, top management looks to the facilities executive to ensure that the assets of the organization are protected, regardless of whether the budget is adequate. To meet that challenge, facilities executives need to pay attention to three basic areas: careful planning, assessment of technology needs and an understanding of staffing requirements.
“We call it the triad of security,” says James Black, senior security consultant for Engineered Automation Systems. “The whole is greater than the sum of the parts. None of the individual parts of the program can be implemented by itself. They can’t stand alone.”
Viewing security changes through the lens of planning, technology and staffing and policy considerations can avoid knee-jerk program changes if a security breach does occur. For example, a student was assaulted in a university restroom. Student groups pressured the administration, which installed security cameras. But there was no response team in place to act if trouble was spotted on the monitors, says Michael Khairallah, president of Security Design Solutions.
“Clearly, they didn’t consider one of the elements, the human element,” Khairallah says. “Without a response team you almost need to save your money. You can’t do anything without a response team.”
It may sound easy to focus on those fundamental concerns, but in the real world they are too often neglected. Consider the facilities executive who is evaluating changes to the security program. It might seem like common sense to start by reviewing current security measures. After all, a top-level review of security policies and practices will enable the facilities executive to understand threats to the organization and consider the impacts on the facility. But all too often, that basic step is overlooked.
“The common mistake is implementation in the absence of policy,” says Khairallah. “You jump right to the solution without once sitting back and saying, ‘What is our policy here. What do we want to have happen?’”
Another essential early step that is sometimes neglected is a risk assessment. That is crucial because it identifies what kind of security threats a business faces and how critical the impacts could be if security were breached. The assessment is then used to shape the security program, from equipment to policies to staffing.
Performing a risk assessment can also help facilities executives justify the expense of new security technology. “If a facilities executive understands what a company’s objectives are and builds the program to help the company meet those strategic objectives, it helps them make their case,” says Ken Wheatley, vice president of corporate security for Sony Electronics.
Moving beyond the initial risk assessment, facilities executives should consider their security program in the context of planning, technology and staffing — focusing on only one area will hamstring their program.
With increasingly sophisticated security technology on the market, from biometric access control to digital video recording CCTV systems, technology can appear to be a panacea. It’s vital for facilities executives to understand the technology itself isn’t a cure-all.
“People think when they buy cameras or access control they are buying security,” says Elliot Boxerbaum, president, Security/Risk Management Consultants Inc..
Absent proper planning and staffing, new security technology cannot function properly. For example, a company upgraded the photo ID system it used for its 35,000 employees, but then wanted to use the photos in its existing system, some of which were 10 years old. “Giving an employee a credential with a 10-year-old image just doesn’t work,” Boxerbaum says.
When technology is installed absent a comprehensive plan, the system’s effectiveness is reduced while building occupants get a false sense of security. Assumptions are made about the system’s operation that often prove to be incorrect. “In some cases it is going to be very difficult if you picked the wrong stuff,” says Khairallah. “It doesn’t do what it is supposed to do because you didn’t define what you wanted it to do.”
Suppose a facilities executive installed a CCTV system after a security incident, thinking it would make the facility more secure. It might seem reasonable to position cameras only to view people entering the building. That could be a mistake. With a camera positioned only to record employees leaving, an employee removing company property would only be shown on tape from the back of his or her head, making identification difficult. “You want to monitor people exiting from the buildings; that’s where the crime is being committed,” says Bob Denny, security consultant for RMD Associates.
What’s more, facilities executives who don’t consider their specific needs as determined by a risk assessment aren’t likely to make the proper distinction in selecting competing technology systems. A company might solicit bids for a digital video recording system and have prices that vary between $999 and $6,000. The two systems are both legitimate recording systems, but with different technical specifications — video frame rate, hard drive size and image size.
“If you want to make an evaluation with a clear basis for comparison, the specifications should be performance-based and not hardware-based,” says Khairallah.
Facilities executives also need to fight the urge to buy security technology that is more sophisticated than they need. A risk assessment can help that common mistake, experts say. “Often, you see people buy technology and 10 percent of it or less is utilized because of the level of training and people hired to operate that technology,” says Denny. Although facilities executives should avoid buying a system that has features they will not use, the flip side of the coin is also true: They should avoid buying systems that will not allow for expansion.
Having a security program reviewed by an independent security consultant can help a facilities executive address vulnerabilities while reducing unnecessary security spending.
The two goals go hand in hand. Consider the security impact of the nation’s worst blackout — the Aug. 14, 2003, blackout on the East Coast and Midwest that left 50 million people without electricity. “Many organizations that made good and solid investments in security technology suddenly found themselves without that security,” says Boxerbaum. “Ensuring that you have a plan when the technology fails is very, very important. We see a lot of organizations that don’t have that.”
Security programs need to have appropriate policies set and staff allocated if they are to remain successful over the long term.
For example, facilities executives may be tempted to assign other duties to security staff as a way to reduce operational expenses. At some facilities, security personnel deliver mail, drive company shuttles and complete landscaping inspections, says Denny.
“When something suspicious does happen, it goes undetected or unrecognized,” he says. “Security personnel are not mentally prepared at the time because they were not given the recurrent emphasis and training to look for things out of the ordinary.”
Established policies can help keep those responsible for security from letting attention away from the mission, says Stephen Meyer, president, S. Meyer and Associates. “Part of security is equipment. But the other part is policies and procedures that everyone understands and one person is responsible for.”
Equally troublesome are the vulnerabilities that can result when facilities executives underestimate the amount of staffing support a new security system will require. One company had assigned responsibility for a new emergency telephone system to security personnel, who were already responsible for an access control system, says Black. But the staff was so busy dealing with visitors that no one answered the emergency telephone system when it was tested.
“A common mistake we see with facilities executives who don’t have security experience is that they don’t understand the back-office work that needs to be done to make systems work,” says Boxerbaum.
Staffing requirements also need to be considered when signing contracts for new systems, says Khairallah. A contract for an access control system, for example, may initially require the vendor to do the data entry for the system. Once the system is running, it is the company’s responsibility to make changes to the system. With a system that covers 500 employees, a system administrator could spend a third of his or her time making updates.
Facilities executives should also avoid the temptation to view contract security as a commodity, says Denny. “With security, it’s a big mistake to measure the value of security as cost per square foot or cost per employee. It’s a much more subtle business,” he says. It can be difficult for facilities executives to show how much money the security system saved by preventing thefts, for example. Communicating a clear objective for the security department and signaling what they are expected to accomplish can help show the department’s value.
Just as security programs require top-level commitment during the planning stage, administrators must maintain their support after the system has been implemented. Inconsistent implementation of a system can send the message that security is unimportant, hampering the system’s effectiveness.
“I can’t tell you how many times an owner put in an $80,000 or $100,000 access control system that someone disconnects because it is inconvenient or someone in senior management forgot their badge or they didn’t want to use it,” says Wheatley.
Companies that loosen their security systems may face legal action, especially if loosening their systems for convenience violates company policy, Wheatley says.
“Now you’ve got to sit on the stand as a manager or vice president and say, ‘I had to disconnect the system because people were too lazy to use a badge and it was inconvenient and we didn’t lead by example,’” he says.
On the other hand, facilities executives also need to consider occupants when they upgrade or install new security equipment. Failure to get input from occupants at the forefront, and poor training during a rollout, will lead to user frustration, which means the system could be bypassed.
Boxerbaum says one company designed a pamphlet for employees when it installed a new access control system. The sheet included contact information, frequently asked questions, and dos and don’ts. Occupants were told not to hold doors open for people with boxes, for example, because such actions can allow unauthorized personnel into the building.
“There is this huge education process that is ongoing. The people are absolutely essential,” he says. “The system is only as good as the people who use it.”
If contemplating upgrades and modifications to a security program, bring the IT department into the fold at the beginning of the process, experts say.
“Early on, if the IT side and the physical side aren’t symbiotic and upper management doesn’t manage the relationship, it’s a colossal mess,” says James Black, senior security consultant for Engineered Automation Systems. “It’s probably the biggest problem we have now.”
For facilities executives, embarking on a security upgrade without collaboration from the IT department can lead to costly mistakes. One company spent $1.5 million upgrading its security system with digital video recorders, says Elliot Boxerbaum, president, Security/Risk Management Consultants Inc. But the equipment had to be replaced within 18 months because the project did not include enough involvement from the company’s IT department.
Increasingly, security equipment from access control to CCTV systems is residing on a company’s computer network. But if the IT department and the facilities executive cannot work together on a project, the facilities executive could be forced to create a duplicate computer network for the security system. That means extra software licenses and servers.
A computer network should undergo a thorough review to make sure that network backups exist before it is used to operate security equipment. “Most LANs are designed for business purposes,” says Boxerbaum. “If e-mail is down for 30 minutes, it’s not a big deal typically. But if you lose real-time alarm and video information for 30 minutes, that could be a big deal.”
The International Association of Professional Security Consultants was founded to establish a high set of standards for professionalism and ethical conduct in the security consulting industry.
Members are required to remain independent of any product or service they may recommend as a consultant, eliminating the appearance of a conflict of interest.
Memberships are available in three tiers — active member, associate member and internal consultant member. Members are required to have practical experience and either a college degree or a professional security certification. For more information, visit the Web site.