Wednesday, July 27, 2011

Benchmarking And Expert System Software Can Help Companies Quantify Their Security Programs

Meet Company X. It has no formal, written security procedures and essentially handles security-related incidents on an ad hoc, case-by-case basis.

Our next contestant is Company Y. This organization has a formal security program in place and has distributed written procedures to all its employees.

Finally, behind Door No. 3, is Company Z. Not only does it have a spelled-out security program, but it measures its results internally and against other companies in a quest to adopt best practices.

What you have above are three companies at various points along the evolutionary scale of facility security. Where does your company fall in this spectrum? Judging from a recent survey of facilities professionals, you probably don't "wing it" like Company X, but you're also not as sophisticated as Company Z. Welcome to the world of Y.

In short, benchmarking can make the case that your group is providing "added value" to the company. The philosophy behind benchmarking is:

• To compare ourselves to competitors, knowing that the CEO values that comparison;

• To calibrate the quality and effectiveness of our processes with the best in the business;

• To spark our own creativity;

• To accelerate change by learning from other people's mistakes.

Security services in the company are splintered into three reporting areas: Worldwide security (legal); information technology security (business); and physical security (building management).

One technique is "secondary research": a look at public information, and the Internet is a great source on different processes. The goal here is to pick and choose the best elements from different sources to build your own model, rather than simply adopting someone else's program lock, stock, and barrel.

After best practices were identified came the fun part: site visits. The key here is to share information on your own processes, as well.

Benchmarking is just one way to measure security effectiveness. Technology, in this case computer software, can be part of the package as well. The challenges range from the practical (whether the data collected on an employee can be transferred from one employer to the next) to the philosophical (whether the entire process constitutes an invasion of privacy).

Think back, for a moment, to Company Z mentioned above. It's dotting all the "I"s and crossing all the "T"s when it comes to security. Benchmarking is underway, but there's just one problem: the employees have only a vague sense of what the security policies are, and compliance is half-hearted, at best.

Old-fashioned methods for measuring security awareness among employees, such as poster campaigns, audio-visual aids, and clean-desk tests, are not enough. Instead, companies can more accurately measure the security climate within the organization by using a "security thermometer": a questionnaire for employees that relates to corporate culture and attitudes.

We need to dispense with the negative aura surrounding the term "security awareness." Security awareness is a buzzword we use when things are not going well. It has a negative, excuse-making kind of meaning; it becomes a garbage bin where we throw our problems. Are employees who don't cooperate with security procedures stupid, lazy, or unwilling? No, their inability to follow security policy probably results from unclear procedures or a lack of buy-in from upper management, which can undermine the policy.

The road to buy-in can be easier if your asset protection approach fits the culture, management style, and business planning of your company, and if the outcomes are measurable. The security thermometer allows security personnel to present quantitative, not just qualitative, data. The thermometer makes manageable the intangible aspects of security awareness of employees and managers.

Here's how it works. The survey is used to gauge perceptions and attitudes, using a five-point scale to rate open-ended questions. The answers range from "strongly disagree" to "strongly agree." For example, a group of questions might have to do with the protection of documents. Specific survey statements might read as follows: "In my office, I am equipped to take care of secure storage of confidential company documents," or "In my department, the secure storage of confidential documents is discussed at least once every three months."

Because the thermometer is a prevention tool rather than a crime-solving tool, companies must use only positive statements and questions, not "cop-like, did you do it?"-type questions. As for methodology, it is advisable to use a questionnaire tailored to one's specific needs, send it to the employee's home, and then send a follow-up letter to increase the response rate, which can exceed 50 percent. After the surveys are returned, companies perform the statistical analysis, follow up with interviews, and write the formal report, which includes improvement steps and an action plan.
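To make the scoring step concrete, here is an added example (not from the article or any vendor) of how the returned questionnaires could be tallied: each positive statement is mapped onto the five-point scale, scores are averaged per department and topic group, and the coldest department/topic pairs are listed as candidates for the action plan. The statement bank, departments, and responses are all constructed for illustration.

```python
"""Scoring a 'security thermometer' questionnaire (constructed example)."""
from collections import defaultdict
from statistics import mean

# Five-point scale from the article, mapped to 1..5. Every statement is positive,
# so a higher score always means a warmer security climate.
SCALE = {"strongly disagree": 1, "disagree": 2, "neutral": 3,
         "agree": 4, "strongly agree": 5}

# Constructed statement bank: statement id -> topic group it belongs to.
TOPICS = {
    "D1": "document protection",  # "I am equipped to store confidential documents securely"
    "D2": "document protection",  # "Secure storage is discussed at least every three months"
    "P1": "policy clarity",       # "I know where to find the written security procedures"
    "P2": "policy clarity",       # "My manager visibly supports the security policy"
}

def response_rate(sent, returned):
    """Share of mailed questionnaires that came back (the article's target: over 50%)."""
    return returned / sent if sent else 0.0

def score_survey(responses, topics=TOPICS, scale=SCALE):
    """responses: list of (department, {statement_id: answer_label}).

    Returns {department: {topic: mean score}}. Blank or unknown answers are
    skipped rather than silently counted as a neutral 3."""
    buckets = defaultdict(lambda: defaultdict(list))
    for dept, answers in responses:
        for sid, label in answers.items():
            value = scale.get(label.strip().lower())
            if value is None or sid not in topics:
                continue
            buckets[dept][topics[sid]].append(value)
    return {d: {t: round(mean(v), 2) for t, v in ts.items()}
            for d, ts in buckets.items()}

def cold_spots(scores, threshold=3.0):
    """Department/topic pairs scoring below threshold, sorted, for the action plan."""
    return sorted((d, t) for d, ts in scores.items()
                  for t, m in ts.items() if m < threshold)

# Constructed sample: three returned questionnaires (one answer left blank).
SAMPLE = [
    ("legal", {"D1": "agree", "D2": "strongly agree", "P1": "agree", "P2": "neutral"}),
    ("legal", {"D1": "strongly agree", "D2": "agree", "P1": "disagree", "P2": "disagree"}),
    ("it", {"D1": "disagree", "D2": "strongly disagree", "P1": "agree", "P2": ""}),
]

if __name__ == "__main__":
    print("response rate:", response_rate(200, 110))
    print("cold spots:", cold_spots(score_survey(SAMPLE)))
```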

Julian Arhire is a Manager with DtiCorp.com. DtiCorp.com carries more than 35,000 HVAC products, including industrial, commercial and residential parts and equipment from Honeywell, Johnson Controls, Robertshaw, Jandy, Grundfos, Armstrong and more.