Good security management practices require balancing the amount of money spent on security improvements with the level of security risk. While almost any security problem can be solved by spending enough money, it often does not make sense to do so. As in many other areas of business, there comes a point of “diminishing returns” in investments in security improvements. This is shown graphically in the chart below.
When you begin to improve to security at a facility, there are many simple and inexpensive things that can be done. During the first stage of security improvement, you can do things such as create good security policies and procedures, conduct security awareness training for employees, and make simple improvements in physical security that can greatly enhance security with very little investment. Because of the ease in which security can improved at minimal cost at this stage, it is often called the “low-hanging fruit” stage.
The second stage of security improvement often requires major capital investments or making commitments for significant ongoing security operating costs. This can involve things such as hiring an on-site security staff, installing card access control or video surveillance systems, or remodelling the lobby to better control the flow of visitors. These things can increase security significantly, but cost substantial money to install and maintain.
The final stage of security improvement is the most expensive. This stage usually involves making investments in things that increase security incrementally, but at a very great cost. This can involve installing biometric access devices, weapon screening equipment, biological agent detection systems, or blast resistant rooms. Often, only those facilities with the highest level of security risk can justify making these investments.
The key decision is deciding when there is “enough” security and when you are about to pass the point of diminishing returns. Any investments made beyond this point won’t reduce your risk by any appreciable amount and are probably a waste of money.
A common mistake is for a facility owner to jump right to the second stage of security improvement without harvesting the “low-hanging fruit” available during the first stage. An example of this would a facility manager who installs a video surveillance system before he has developed good security policies or provided adequate security training for his employees.
The critical factor in deciding what security investments to make is a good understanding of your specific security risks. Every security improvement made should be in direct response to one or more of your specific risks, starting with your highest priority risks, and working your way down to your lowest priority risks.
For example, if your risk assessment shows that the theft of trade secrets is your greatest risk, the greatest emphasis of your security program should be in protecting trade secrets. This could involve installing better filing cabinets, more effective shredders, or enforcing a clean-desk policies for employees. Installing cameras in the parking lots would not be a effective measure to offset this type of risk and should only be considered after your trade secrets risks have been mitigated.
Many facility owners make bad security investment decisions because they really don’t know what their security risks are or how to prioritize them. As a result, they spend a lot of money solving problems that are unimportant, and completely ignore problems that are critical. Formal Security Assessments are one way to properly identify and prioritize your security risks. Having a Security Assessment conducted is often the best first step in improving security at a facility and should be considered before making any substantial investments in security improvements.
To learn more about managing your security risks in the most cost-effective manner, or if you have any questions, please Contact Us.