Having an influence on the budget is important, in part because security rarely own it, and so influencing is the next best possibility. That was among the findings from the latest report by SRI (Security Research Initiative), the regular work by Prof Martin Gill’s consultancy Perpetuity Research.
As in previous years’ SRI reports, whether about the physical or cyber security world, or the convergence of the two, this 2022 study provides the most insightful, weighty and authoritative evidence around, based on respondents’ views and interviews to tease out some more details. Most of those surveyed believed, that being able to influence the budget is key to delivering good security.
The report discussed such questions as: are corporate security managers budding CEOs? How do the roles of contractors and corporate security vary? Are security managers as influential as other managers? Who owns security budgets and how are they set? Do security managers have enough influence over budget? What helps security managers influence budgets? And last but not least, an intriguing question – is there an incentive to perform badly in security? By that SRI meant the ‘perverse contradiction’t that poor security resulting in incidents in turn might highlight the need for security investment. Some of those interviewed agreed, in the sense (to quote the words of an in-house security director) “It feels like we are punished if we are doing too well – why do you need more money if things are great.”
What determines, then, whether an appropriate budget is allocated? Some noted in interviews that a serious incident was the best generator of more spend. That aside, prime amongst them were the organisation itself viewing the security function as core business and it understanding the risks and threats it faced. Where the security function has a high status, that was associated with an appropriate budget; and where there was a requirement to meet statutory regulation requirements and/or adhere to accredited standards, that drove a focus. A lesser but still important factor is the quality of the supplier, as a good one can increase the chances of meeting budget requirements from a security standpoint.
A baleful influence of procurement was raised by some who replied to SRI; a majority (58pc) believed that clients’ buying decisions are guided more by procurement professionals (who may buy goods and services from toilet rolls to gardeners) than security professionals; that the buying process lacks sufficient input from security experts; while near half, 46pc of the sample associated a high level of involvement of procurement professionals in the buying process with a less than adequate budget. Where security is influential, it seems that the power of the procurement teams can be managed or matched; they were sometimes spoken about as being good allies. Where security professionals are not influential, procurement gains the influence seen as negative, the report authors suggested.
So much for the problems; what of tactics that might help to secure the appropriate budget? Relating the investment in security in terms of the benefits to the business was regarded as key; presenting the dangers of not investing (without scaremongering) was legitimate, not least when it had the potential to impact on effective business operations; using data and metrics to support evidence based arguments was highlighted; selling the benefits of investing and drawbacks of not investing in terms of other corporate professionals not meeting objectives was also mentioned (so not investing became their problem). Justifying the spend in physical security to improve cyber security (which was widely viewed as having a high profile and was seen as a bigger risk) had much to commend it, those responding suggested.
A majority (58pc) believed that security personnel are not effective at selling the benefits of security – a running theme of SRI. The security function was seen to be at a disadvantage as many security leads were lacking in business acumen. Not many security personnel aspired to be CEOs. Even if they did, it was felt many could face difficulties in integrating with the wider business culture and suffer from not being comparatively as able at speaking the language of business. Often, rather, the security managers were not strategically placed; and because many security leaders were in second careers, they lacked the necessary ambition.
See also some of the past years’ SRI reports, such as 2018’s on the barriers in the buyer-supplier relationship; and security suppliers and corporate security.
About the Security Research Initiative
SRI is sponsored by the security sector (buyers and suppliers) and involves an annual study. The reports are made available for free to provide a more informed information base about the workings of the security sector. Visit https://perpetuityresearch.com/security-researchinitiative/. The initiative is supported by the security associations ADS, the UK chapter of ASIS International, BSIA, IFPO UK, IPSA, Security Institute and from the information security world The SASIG.
