January 1, 2010
How do you make apples & oranges security decisions? The Answer: Metrics
No two guard companies are the same. No two alarms companies are the same. How do you know what company to choose?
When security challenges turn up, how do you decide what mitigation strategy to apply? How do you decide how much of one remedy to apply as opposed to an alternative remedy? When you uncover threats, how do you know how serious the threat is on a scale of one to ten? What is the predicate on which your security budget is based upon and what is the targeted return on investment for that budget commitment?
The answers are that security decisions must be data driven. This means that risks and threats must be quantified in a manner that expresses the probability of occurrence. Proposed mitigation strategies must be framed in quantitative terms that define risk reduction. Back in the old days, one of the measures retailers applied to measuring the effectiveness of their theft abatement program was to compute the total dollar value of recovered merchandise through the shoplifter apprehension program. I remember hearing a retail security director proudly telling me that he had increased his recoverables by more than 15% over the previous year. However, it is very likely that this number was an expression of increased thefts and a reflection of a failed theft prevention program.
The point is, with a little creative thinking, those charged with making security decisions must do so predicated on factual data, and more importantly, a combination of data. Going forward, it is important to track the effectiveness of your program and to have the capacity to apply analytics to that data.
This process should be embodied in as many decisions as possible. If your company is contemplating hiring a contract guard service, will you be looking for the lowest bidder? That may or may not be an acceptable criterion. If the guard company you hired performs in a negligent manner and your company is on the losing end of a multi-million dollar lawsuit, maybe the low bid decision isn’t the best way to go.
When doing business with any security vendor, you should be trying to determine which vendor with provide your organization with the best value, not necessarily the best price. This means that you must develop a multidimensional matrix that allows you to score each vendor on a set of common criteria. Consider this: It may be that the vendor with the highest price provides the highest return on investment.
At some point in time, an objective baseline security/risk assessment is a must. This is one way to avoid compounding the mistakes of the past. Risk assessment will utilize incident history, police data and data from organizations such as the CAP Index. Moving forward all security activity must be tracked in a manner that facilitates statistical analysis and trend project. The usage of products such as Perspective from PPM 2000 is well advised.
The suggestions mentioned herein are rapidly becoming normative.
Leave a comment