The “Fractional” Security Manager:
A Cost Effective Approach to Managing Security
I have met with a large number of business leaders – especially in small business – over the years because of security issues they faced such as internal theft, threats to executives, employee malfeasance, compliance issues, or other security problems. These issues turned into the need for an investigation and/or an assessment to determine what happened and how to prevent future incidents. What I have observed is that most of these problems could have been prevented through the use of sound security practices. The lack of a competent security plan is usually due to lack of industry knowledge and typically due to the lack of a security manager. By security manager, I mean someone dedicated to the position, not someone simply appointed as such, which seems to be common in many small to medium-sized companies.
Security events are not accidental but are the deliberate actions of employees and/or non-employees who have the motivation to take or destroy an asset because they perceive there is no guardianship over that asset. They often take place without warning, requiring a quick-minded response. Sometimes security events can develop from minor issues and failures – security events that might have been avoidable with proper security controls in place.
Security is also about people. It’s not about whether a tree branch may fall onto a roof; it’s about how that tree branch is making it easier to gain access to the roof. It’s about deterrence, target hardening, proactively seeking out security lapses and addressing them, properly investigating the incidents that do occur to resolve them, and identifying and installing safeguards to prevent future such incidents. It includes making security a part of company culture. For this to occur, there has to be a competent level of knowledge of current security issues and practices.
If security is not of high importance to a company, it can expect that some people – employees included – will take advantage of it because it is vulnerable. We have seen high-paid executives steal hundreds of thousands of dollars from their employer because the security lapse was so significant it was too inviting to pass up.
A good security program can reduce a company’s exposure to loss, help make risk more manageable, and increase the safety of employees and visitors. However, a good security program needs an effective security manager. For some companies, this is often not practical. For many small businesses, physical security is limited to the obvious: locking doors at night, installing a few CCTV cameras, and installing intrusion alarms. Unfortunately for many of these companies, this is the extent of their security program, making them more vulnerable and more prone to an incident. Many of them already have a security issue in progress and are not even aware of it.
One approach for a small business is to utilize an existing manager or supervisor and then add security duties to that person’s job description, with or without additional salary. However, a title does not bring industry knowledge and it is not what builds a proper security program. There are too many variables in play to expect a job description to create effective security solutions that protect your company’s assets and economic advantage. A security manager is someone educated, trained, and experienced in applying the principles of security, not a human resources representative who took a few “security” courses. To believe otherwise is to not take security seriously.
Another approach is to hire a security manager with the education, training, and experience to create an effective security program. A security manager can help make a business run more efficiently because security issues are addressed before they become problems, employees and vendors know someone is watching, and problems like workplace violence and internal theft can be minimized. While this is a common business practice for larger companies, it is not cost effective for smaller businesses, whose bottom line is usually fairly thin. Every company could benefit by employing a security manager – some just cannot afford to do so. A security manager is likely to cost around $100,000 per year or more with salary and benefits. This cost is absorbed in large business settings where losses could easily total much more than that. An alternative is to find a security manager willing to work part-time, but it is rare to find someone with the requisite skill-set willing to work part-time. It is difficult enough to find a full-time security manager who individually possesses the expertise necessary to effectively manage all of the aspects of a comprehensive security program.
There is a third approach: “lease” a security manager through a professional service agreement (PSA). This is accomplished by contracting with a security consulting company that can provide a security manager with the education, training and experience needed to competently fulfill the position. In our current economy, many companies are switching to “fractional” titles to save money. A PSA provides an economical and efficient solution to security management needs. It is economical because the cost is a fraction of what it costs to employ a full-time, salaried security manager. It is efficient because a company pays only for the time expended on security-related matters as directed by the company, unlike a full-time security manager who is paid for 40 hours per week regardless of how the time is used. Under a PSA a company does not pay a full-time salary and does not pay benefits. With a “leased” security manager the company gets the services of a security professional who can conduct professional security assessments, provide loss control, oversee installation of technology, interview employees, create policies, assist HR during terminations, conduct pre-employment background screening, escort individuals from company property, investigate incidents, liaise with law enforcement when necessary, and provide any other security-related function deemed necessary by the company. Similar to a security manager, the “leased” security manager works for and at the direction of the company. Under a PSA model, companies have a security manager who has “real world” experience. The PSA is tailored to create an effective security program, to fit the company’s culture, and to be cost effective and sustainable.
Another benefit of a PSA is that, depending on the “leasing” organization, the company gets the investigative and administrative support that complements a security and investigations program. This is something large companies with security managers rarely have. With the right organization, the company retains an entire division of security and investigations professionals at its disposal, including security experts, design experts, and former police investigators, with thousands of hours of professional law enforcement, security and military training.
So how does a PSA work? Each PSA is tailored to meet the needs and budget of each individual company. It starts with an evaluation of security needs based on current security posture, trends in the community, company history, vulnerability and exposure, industry, annual hiring rate, and interviews with company officials. A minimum monthly rate that fits the company’s budget – the base rate – is agreed on, against which time and expenses are incurred. Services are anything related to security that a company requests, such as workplace violence and other training programs, internal and external investigations, employee investigations, outplacement of terminated employees, background investigations, security assessments, threat assessments, policy development, review and checks of security systems operations (card readers/keypad systems, CCTV), oversight of new system installations, creation of security-related documents, reports and logs, and many other services. PSAs not only help businesses achieve effective security solutions but can also be used to provide training and expert security consulting to existing security directors and security managers.
Failure to properly address security is like driving without insurance: you’re gambling your personal worth on a hope that a mistake is not made by you or someone else. Most likely that failure is driven by company economics. With a fractional security manager under a PSA, security management can not only be achieved, it is cost-effective.