Measuring a return on security investment (ROSI) can be a complex task for businesses, especially those with small teams. Done well, ROSI lets a business identify gains, enhance the experience of clients and consumers, and ensure that its security model is improved on a regular basis. Mike Bluestone CSyP, executive director of Corps Consult, who heads up our department providing expert advisory services on security risk management and resilience, offers the following advice on understanding your return on security investment.
The metrics for success
To understand ROSI measurement, the first step is to identify the metrics by which your organisation’s gains will be judged. These measurements need to be taken regularly, and they need a quantifiable way of capturing how confident your personnel are. Essentially, firms need to monitor whether staff are too relaxed about security procedures, and how confident they are in handling incidents and breaches. Once you can measure these, you can gauge the security culture of your organisation and future-proof it against hostile reconnaissance and attacks.
As well as monitoring incident detection to see what types of breaches are identified and how they are dealt with, measuring ROSI effectively also means tracking whether incident reporting is rising or falling. A reduction in reports is only good news once it has been verified against your detection data: a verified reduction indicates an improvement in incident detection and confirms that effective, proactive procedures are in place, whereas an unverified drop may simply mean that staff have stopped reporting.
Test the strength of your security measures with routine checks on physical security. For example, physical penetration tests should be a top priority, as they identify how individuals may breach the premises and which layers of security need to be improved. Mystery shoppers are another example for retail areas; using covert customers to ask staff questions can indicate whether they are well-versed in the procedures they have been taught and know how to identify and report suspicious behaviour.
These measures are effective because their outcome, whether positive or negative, ensures staff are well-practised in the necessary procedures, which makes their day-to-day work and their response to incidents more streamlined and effective.
Invest in the right people and procedures
Enhancing the experience of users, customers, and staff also relies on outreach. Routinely interview your staff and provide questionnaires to team members working in the business.
To develop your own security model, you will need proactive planning and an outlined programme for your security measures. Regular drills, tests, audits, and feedback will ensure that procedures remain effective.
Your staff should be encouraged to stay up to date with current legislation and the new technologies available. This doesn’t necessarily mean that your business requires a dedicated security manager, as a well-qualified facilities or premises manager can also have oversight of security. For example, a member of the Institute of Workplace and Facilities Management (IWFM) with the right level of security experience and qualifications can provide the expertise required.
If your in-house resources are spread thinly, develop strong relationships with professional security advisors, who can help you draw up the contingency plans needed to mitigate the impact of serious security breaches and emergencies.
It is having the right people and procedures in place that will deliver ROSI. It can be too easy to think that investing in the latest security technology and systems will be enough. However, if your staff, security team, and management are unclear about your business operations and procedures, even the most advanced security system can be compromised. Remember: be proactive, be strategic, and routinely test your plans and procedures.
If you’d like to know more about Mike’s work and the advice Corps Consult can offer, read more about the service and make an enquiry. The next blog on ROSI will explore the eight principles of security programmes.