When does it make sense for a business to consider investment in security protection measures such as alarms, barriers, cyber controls, or guards?
Spending on security protective measures for small to medium sized businesses is a big deal even in the best of times. In the absence of a well-calculated return-on-investment argument, profit will trump the opaque “what if’s” of security risk every time. Concrete, practical, sensible security protection strategies must be articulated in terms of real risk when making a pitch for corporate investment. A tone-deaf laundry list of security measures to protect against unarticulated or ill-defined threats is a poor hand to play in the corporate board room.
For large businesses, standard “duty-of-care” security protection measures are the norm. Physical and cyber protective measures are part of the baseline package, and a USD $100K – USD $1 million spend is, in the grand scheme of things, a drop in the bucket. In the proverbial “best of times”, this amount is small enough not to even show up on a corporate financial report.
But what of losses due to security failure?
Back in the “drill baby, drill” days of the Shale Oil boom in 2014, one of our oil & gas clients blithely commented that a USD $100 million annual loss “wasn’t even big enough to worry about.” They calculated that adding security measures to reduce that loss fell short of a return on investment (ROI) for the measures in the first place. It was cheaper to absorb the risk than add security to reduce the risk.
That was then. Now? As oil plunged to below $50/barrel…and lower, losses grew dramatically. Everyone – big, medium and small – is operating on razor thin margins just to survive. There are no resources available to implement security measures. The tide changed overnight, and with it, the ability to maintain even baseline security systems. Corporate security plans and personnel get chopped in these business cycles and must cut spending to the bone and hunker down to wait for better days.
While the O&G industry has contracted severely, another industry appears to be booming. Butchko has several medical industry clients who are expanding into storefront Urgent Care and Clinic facilities. Despite the seeming boom, however, security budgets are as tight as in the O&G industry. Many of these new facilities are doctor-owned, even when affiliated with a large hospital system. Under the changing healthcare market and regulatory environment, many of the sites are living with thin profit margins. Putting $20K-$50K into a video, intrusion, and access control system means reducing staff hours or medical equipment purchases. It’s a very hard sell, until the first security incident occurs. Whether it be a break-in and loss of pharmaceuticals, theft of equipment, or the regulatory nightmare of patient information theft, the cost of recovery and pressure for quick action balloon initial cost expectations. No one is happy with this situation.
So how do businesses determine the appropriate threshold for an investment in security? At Butchko, we believe that it all revolves around understanding the impact of a security loss (injury or death of employees or patrons, lost business, lost equipment, reputation impact, etc.) and thinking of security as a means of both active protection and an insurance policy. Yes, you are spending money in hopes that the bad event will never occur, but that’s the same concept as buying liability and property insurance and keeping your fingers crossed that you will never have to file a claim.
Our bSMART™ system provides an automated means to gather and assess Impact of Loss and Risk information. It also provides Return on Investment and other financial ratios to help businesses consider security as it does other business and weather risks. Then security professionals can work with the CFO to justify or reject security protection measures. The goal is to keep the business operational, healthy, and profitable. When done properly, security is an integral part of that equation.