Created by the Security Executive Council
Security leaders are often faced with the budget reductions that accompany lean economic times and an ever-broadening risk/threat picture. How they keep the security department functioning effectively as it becomes leaner goes to the heart of profitability, sustainability and even survivability.
Few companies are able to hold operating costs steady in the current climate. Some companies are experiencing downsizing and layoffs, some for the first time in their history. Security practitioners need to be better prepared and more strategic when their existing budget is challenged or when across-the-board cuts are ordered. The Security Executive Council has documented the three common responses that executives typically employ to address the issue.
Most Common Responses
- Reduce the budget while maintaining staffing/services and, hopefully, future capabilities until the financial outlook improves. They accomplish this by attacking the low-hanging fruit. In the name of minimizing the pain, executives typically gravitate toward cutting training costs, travel costs, new equipment purchases and sometimes incentive pay. Staffing survives the cuts, and disruptions in services provided are minimal.
- Transfer security programs or services to a corresponding staff group that might have a more commonly perceived responsibility for this service. This often comes from one charged with trimming the fat from a departmental budget. For example, if there’s a battle between the security unit and human resources over who should manage pre-employment screening, the function is transferred from one department to the other in order to cut cost. The service doesn’t go away, but it comes off the books of the department that must cut its costs. Like response number 1, that’s a legitimate method, not inappropriate during difficult times.
- Not filling open positions, cutting program services across the board and freezing new hires, delaying expenditures into the next fiscal year and sometimes outsourcing services round out the most common responses to the battle of the budget.
However, based on our work with industry-recognized successful programs and in assisting burgeoning programs to become successful, we have found that less common, and perhaps less intuitive, yet more business-based strategies are more often employed by successful leaders.
Business-Based Phased Response
- Total Cost Analysis / Services Analysis
In order to play in this space, the executive must maintain a Risk/Threat Services Directory replete with service levels provided by customer, the FTE commitment, associated costs and a current service capacity analysis finding. It is a lot of work but forms the foundation for making good decisions, communicating the reasons those decisions are made, and defending the choices.
- Service Criticality Ranking
This requires an examination of security programs or services and the degree to which senior management values the services in supporting their critical business goals. In addition, every service in the directory is evaluated based on regulatory, contractual, business goal criticality, threat/risk assessment, corporate culture requirements and convenience value. They are ranked accordingly and merged with FTE and cost analysis information. Management concurrence is then obtained on the criticality ranking and prioritization of the services provided.
- Program Analysis and Budget Management
Armed with this information, the analysis and decision making can begin. The basis of decisions can be adjusted to meet current executive priorities as long as each of the elements is considered and understood. This includes the risk and mitigation strategy for each service and the residual risk after the current or reduced mitigation is deployed.
Key Points to Keep in Mind
Obviously, services that come under the umbrella of regulatory requirements and contractually required matters are untouchable. Once those are identified, programs and services that are not highly valued by customers, or that don’t necessarily support the security mission, should be examined closely. Target the programs and services that are the least critical to the business, that are not required by regulations, and that mitigate lesser risks.
Some non-critical services will survive, though, because they have become traditional within the company, although they might not have much impact on the security mission. Their exact cost and the FTE (Full-Time Equivalent) commitment necessary to provide the services are known. Once the pertinent information has been laid out, decision-makers can eliminate the services that represent the least value to the company’s security mission and business goals.
Any of the three most common responses reported could be appropriate for a given situation, and all three offer learning examples of ways to respond to budget cuts. However, most business function decisions are made using the process described in the business-based phased approach. Security should do the same, which is more in line with "running security as a business."
Why Businesses Turn to the Security Executive Council
Budget Defense is one of many reasons successful security leaders call on the Security Executive Council. Our staff of security executives have been in your position and understand the difficulties you face. We have helped security leaders around the world identify the value security brings to the organization and successfully communicate that message to senior management.