I was once asked by the V.P. of Security and Safety of a large university how an independent technology-based security consulting firm, with individuals trained in engineering infrastructure and networks, justifies return on investment (ROI) when seeking resources outside the department staff for technical help.
A technology-based security consulting firm with electronics and software engineering capabilities can be your most beneficial ally. The consulting firm should act independently while promoting the correct direction to enhance security procedure while addressing security technology for resilience and sustainability.
An independent security consulting firm can be the sounding board upon which executives of agencies and officers and trustees of corporations will be more persuaded in striking the correct security balance while increasing safety and protection; resulting in the approval of more funding. Master planning and “gap analysis” provided by an independent security consulting firm may provide more focused strategy, enhancing and expanding on the basis for reasoning behind a department’s request for funding, improved technology, and enhanced operations.
Such lack of gap analysis is apparent in two demonstrative and recent examples: the White House grounds trespass incident and the hackings of Sony’s email and Target’s confidential consumer information.
This brings us to the two modes of return on investment in security technology. The first being physical security, the next being logical security. The former is measurable in dollars, while the latter is measurable in loss of service, customers, and the liability of business interruption.
Going back to our two examples, technology investment to prevent the White House incident would have had a direct dollar impact, while Sony’s and Target’s hackings directly impacted service, customers, and incurred unknown costs directly attributed to business interruption and customer identification theft.
Keys to “Physical Security” Return on Investment
Regarding physical security, let’s assume you’ve had an assessment performed by a trusted integrator who provided a “roadmap” of physical systems for your department’s use. However, if there is no complete project coordination and documentation at the outset, and the bid documents are furnished by the installing contractor after the bid for the base job, change orders for a $300,000 expected security project could top $100,000 more for infrastructure and network support than that estimated. And, simply for lack of coordinated hardware, change orders yielding $5,000 to $30,000 may be expected. One wrong electromagnetic lock with code or install issues, could be a $5,000 to $10,000 change for that one door. And, if delays are incurred, everyone’s cost and frustration on the entire team goes up.
The following are some of the key elements of physical security which offset the cost of security consultants with deep technical skills, to provide value to stakeholders and direct monetary return on investment:
- Reduction of Proprietary Bid Environments
- Detailed Specification and Coordination of Expected Infrastructure
- Code Compliance with Best Practice Standards
- Construction-Appropriate Subcontractor Installation Timing
- Exacting Physical Hardware Conformance with Matching Code and Functional Appraisal
- Inherent Third Party Evaluation Process
- Non-Vested Third Party Installation Conformance for Commissioning
Applying these key elements to the gaps at the White House intrusion allows the independent technology security consultant to address situations and apply preventive measures that may be overlooked avoiding the status quo of inadequate physical security measures.
Keys to “Logical Security” Return on Investment
Regarding logical security this generally means a loss of services incurring control, observation, or record losses. The ever expanding role of cyber security in our diligence to prevent cyber theft and disruption must be pegged as critical in all levels of management, production, logistics, and software support.
Experience shows IT groups are sometimes “left behind” on strategic mission critical business planning issues. A third party security consulting firm with cyber reach gives precedence to every issue that shows symptoms of a gap.
As today’s expectations of networks reflect 99.999% uptime (five 9’s), the return on investment to activate and maintain communication may be more consequential as an “unavailable critical resource” as opposed to assuming a strict dollar value. Costs of loss of perceived security continuity are a value that is difficult to re-attain after network security losses on a campus or throughout the enterprise. Its indirect monetary consequences could be ten-fold more than the costs of the physical loss.
The following are some of the key elements of logical security indicative of quality security network and cyber engineering consulting:
- Intrusion Detection/Credential Protection/Server Access Controls
- Use of Best Practices for Network Architecture/Firewall/External Access
- Superior Appliance/Panel Protocol Usage and Security Communication Processes
- Operating System/Domain Matching of Database and Applications Servers
- IP Licensing Review and Charge Offset
- IP Address Hooks/APIs/Standards Integration
- NOC/EOC Operations Software and Network Monitoring Centers
A common theme in the Sony hacking and the theft of Target’s customer information is both stolen credentials used to gain login capability and unprotected network access. Directly proportional to increased risk is inadequate staff to address gaps due to the number of internet devices, lagging security procedures, and evolving threats.
Monetary benefits are often realized on return on investment regarding both the physical technical aspects of security and the software-based logical security.
A third party that is both licensed to practice and highly trained, as well as having had multiple similar engagements, can cut through the challenges to network sustainability, codes, and standards, while offering valuable experience. Notwithstanding, we should expect the recommendations of a successful independent technology-based security firm to foster better operations, better technology, and better student/staff/employee/community safety for improved physical security. All while recommending appropriate network security safeguards while increasing ROI in subtle but direct ways.
To put in perspective the third party’s expected knowledge, while this V.P. of the department’s staff lives with the systems in place daily, a well-heeled technology-based security consultant has experience with many systems and applications often more in one year than this department will see in a lifetime. It is this match that can provide synergy to a group’s success in managing technology roll-outs and improvements equating to long-term sustainability.
Jerry ‘Dutch’ Forstater, PE is CEO of PSE, a security, fire, communications technology consulting firm. He is Vice Chairperson of the Greater Philadelphia Chapter of ASIS International and a graduate of the Wharton Executive Security Management Program. ‘Dutch’ can be reached by phone (800) 839-5060 x107 or by email @