How return on security investment has evolved
The Global Economic Crisis of 2008 had a serious impact on the security industry. Although the advanced technology that was non-existent at the turn of the century had become available for purchasers, the fragile state of world financial markets made corporate leaders hesitant to actually invest in it. Buyers found themselves with a new pressure – that of justifying security purchases in terms of return on security investment (ROSI).
To make things more difficult, traditional calculations used to measure ROSI were complex and cumbersome, due to the many ‘soft figures’ included in them. As executives tried to navigate the new requirement for ROSI, they began to consider viewing security management solutions in three categories, each of which provides incrementally more tangible return on investment (ROI):
- effective security
- risk reduction, and
- business efficiency that transcends security.
The result was an easier method for articulating the scope of, and the need for, these security solutions and a clear way to demonstrate ROSI.
The concerns of security professionals echo those of IT managers, including the need for scalability, flexibility and resilience; the desire to meet the wide-ranging (and often competing) needs articulated by business silos; the mandate to reduce operating costs; and the requirement to maintain standards and establish clear processes. The evolving climate spurred executive teams to try to plant the seeds of a ‘security culture’ by educating employees not only about the need for effective security management, but also about the types of value security may bring to a business.
As global financial markets continued to gain downward momentum, businesses took drastic measures to weather this new storm by making staff cuts, implementing expense controls, freezing capital expenditures and more. This made justifying the purchase of security management solutions even more important. As demand plummeted, security integrators saw requests for ways to prove ROSI increase incrementally.
The emergence of software-driven security solutions
By this time, software-based solutions had become prevalent in the new security landscape. Software-managed security solutions actually had been one of the drivers for the convergence of physical security and information technology.
Software, data collection and storage, and IT networks all became key elements that enabled the provision of actionable information as a fact-based decision-making tool for executives and their teams. This led to more effective security management at a lower overall cost and paved the way for more innovations in the security management arena.
In large corporations, the availability of more actionable information than ever before meant the ability to operate proactively versus constantly reacting to threats. Software-driven solutions not only delivered the means to collect information, but also equipped operators with the necessary facts for them to prevent events from happening in the first place. Software-driven solutions offered an alternative to traditional product-based systems – one that facilitated the sharing of data via a shared infrastructure.
Three levels of security
To make the process of articulating ROSI easier, security professionals looked for new, easier ways to make a convincing case for the investments they needed to deliver proper security management solutions. One of the options was viewing security management solutions in categories. Three categories emerged, with their differences delineated by the scope and impact a solution provides to an organisation:
- solutions that provide Security Effectiveness
- solutions that Reduce Risk, and
- solutions that deliver Business Efficiency.
The first level: security effectiveness
The promise of security effectiveness represents the most basic reason why executives invest in security management solutions. Integrating multiple disparate technologies onto a single comprehensive IT network drives more effective security protection. It ultimately results in lower capital expenditure costs in new construction and in lower operating expenses over time.
In enterprise environments, a single system can integrate a building management system (BMS) and security. Such a solution is easier to operate than many disparate systems. In addition to enabling operators to do more with less, Integrated Security Technology enables the provision of additional protection and situational awareness for more square miles or more properties and provides the capability to monitor and protect a much larger corporate environment than was previously possible.
The second level: risk reduction
The second level of value that a security management solution can deliver is risk reduction. This level protects brand reputation, bolsters business continuity and ultimately provides tangible ROSI. Integrated security solutions can help alleviate the kinds of interruptions that threaten business continuity. With this second level of security, the assignment of a monetary value to security is less problematic. Typically, executives have the background information to quantify the hourly or daily cost of a business shutdown. They have precedents to gauge financial liability in the event of an accident caused by inadequate protection.
The third level: business value that transcends security
Using a security management solution to support the primary mission of an organisation represents a third level of security. In this instance, security technology is used to improve business processes, reduce variable costs and increase revenues. Today, it is clear that security positively impacts the bottom line. It is also easier than ever before to prove ROSI with tangible real-life examples and hard numbers.
This article is an abridged version of a Schneider Electric white paper titled ‘The Evolution of Return on Security Investment (ROSI)’ by Aaron Kuzmeskus and Kathy Holoman.