This is the third article in a series of articles that explores the convergence of physical security technology and information technology, and its impact on security departments and IT departments, vendors and management. The topic of this issue, the bottom line, actually refers to both definitions of the term: (a) the primary or most important consideration; (b) the line at the bottom of a financial report that shows the net profit or loss.
Security bottom line
What is the bottom line (most crucial consideration) for an organisation's physical security? Physical security must effectively protect the organisation's assets (personnel and material) at an affordable cost. Initial security planning involves identifying the assets to be protected and the costs incurred in the event of their loss; identifying the external and internal threats; assessing the vulnerabilities and risks; and then identifying potential countermeasures and their costs. With this information in hand, and with an understanding of the organisation and its objectives, the next step is deciding how to handle the risks by accepting them (doing nothing), assigning them (for example, by insurance or by subcontracting a risky activity) or avoiding them (by implementing security policies and procedures as well as specific physical countermeasures including electronic security systems).
Which countermeasures to implement depends upon a cost/benefits analysis that balances the loss the organisation might experience against the cost to prevent that loss. There is always a finite limit on what organisations can pay for security programs and projects - regardless of their value. Thus security measures are usually implemented over time, with the most critical vulnerabilities being addressed in the near term. Low-cost measures are usually implemented immediately, and the remainder are implemented according to their funding schedules.
Financial bottom line
By protecting assets, security protects the organisation's financial bottom line. The effects of some security measures on the financial bottom line are easily seen, such as measures that reduce or eliminate ongoing theft of merchandise. The return on investment (ROI) for such security programs can be easily calculated. (See the article 'Security System ROI' in the March 2003 issue of ST&D for examples of ROI-based selection of security options.)
Formulas also exist for calculating the ROI for loss events that are not ongoing, and whose probabilities of occurrence are less than once per year. (See 'Risk Measurement', chapter three of the book Risk Analysis and the Security Survey by James F. Broder, CPP.)
The convergence of physical security and IT has created additional effects on the financial bottom line, some bad and some good. The bad effects (increased costs and system shortcomings) usually happen automatically, and to prevent them requires taking action. The good effects (increased benefits and cost reductions) do not happen automatically; to obtain them requires work and collaboration from both physical security and IT personnel.
Increased costs and system shortcomings
The negative effects of the physical security/IT convergence result from increased complexities and increased risks. The rapid introduction of information technology into electronic security systems has increased complexities and dependencies, increasing risks in two ways:
1. Increased likelihood that systems will not work (or be operated) as expected.
2. Increased opportunities for security cost escalation.
While most of today's state-of-the-art systems will work as expected, some probably will not. If systems do not work as expected or cannot be operated as expected, assets will not be fully protected and losses may occur. Even without asset losses, additional expenditures may be needed to get the systems or system operators working as intended.
However, it is possible to examine the various IT aspects of any security system, and to learn in advance what the requirements will be in terms of IT support and infrastructure requirements, personnel training, and full system testing.
The larger the security systems are - and the more information technology that they contain - the more complex the systems are to set up and test. Determine before the project starts what support will be required from IT to verify the system setup and to participate in the testing.
IT resource requirements for large networked systems are often underestimated, creating cost overruns and project delays. Request a close examination and documentation of what IT resources will be needed, and include them in budgeting and planning.
The more complex the systems are, the more extensive the personnel training requirements are. Sophisticated systems often require specially trained personnel for their operations. Sometimes the training concentrates only on the advanced aspects of the systems, glossing over the basics. For example, in December of 2001 the Charlotte-Douglas International Airport was shut down following the discovery of an unplugged screening device. The personnel on duty did not know enough to be able to tell whether or not the device was actually powered on. Check with existing users of the systems in other organisations to learn how their initial training suited them and what follow-up training was needed. This can help to identify specific training requirements that you may have.
Personnel turnover for operators of complex systems can create gaps in system knowledge, introducing risks of operational failures. Turnover also increases training costs. Anticipate the turnover factor by having several extra people receive each aspect of training.
Networked systems are vulnerable to network failures, and often no alternatives are planned to replace the missing security functions during network outages. For example, loss of a network connection from a monitoring centre to a remote office can cut access to the digital video recorder in the office. This leaves the monitoring centre unable to examine current or recently recorded video. Without the ability to identify a false alarm as false, unnecessary emergency response costs could be incurred. In such a case dial-in access may provide a less convenient but still workable means of accessing the remote office information. Identify the network vulnerabilities and their possible impacts on security operations, and work out alternate procedures to use in the event of network outages.
Sometimes recurring network infrastructure costs (such as telephone company charges) and system maintenance costs are not taken into account initially, causing unexpected increases in operating budget requirements. Make sure that vendors identify any costs that are not included in their proposals, including any recurring costs.
An organisation's personnel may have insufficient knowledge of a complex system to determine whether or not acceptance testing is adequate. A qualified consultant may have to be engaged to oversee the acceptance testing and verify that the system is commissioned properly. With an insufficiently tested system, operators may not know until it is too late that the system will not work the way they expect during a security incident. Support the testing effort by providing detailed scenarios of how you expect the system to be operated in response to various types of security or emergency incidents. Require that these be incorporated not only into training, but into the system operations and procedure manuals being provided by the vendor.
Personnel being trained on the system do not know how thorough or complete their training is. Insufficient training could mean that operators may not know all they need to know to operate the system during a security incident. Identify each feature of the system that you expect to use, and make sure that it is included in the training.
Increased benefits and ROI
There can be unexpected benefits available and increased opportunities for ROI from security system investments due to the physical security/IT convergence. For example, retail chains can lose thousands of dollars for each day that seasonal merchandise displays are not in place. The ability for a manager to use the store's security cameras to remotely verify that displays are in place according to schedule, can pay for cost of the remote viewing capability many times over.
Security cameras can also be used for many operational purposes, such as verifying the effectiveness of training, supervising parking lot or airport runway snow removal, overseeing warehouse shipping operations, or recording employee exit interviews.
Access control systems can be used to generate reliable time and attendance records in place of manual punch time cards. Traffic level reports from access control systems can be used to optimally tune elevator system operation.
For many businesses, especially those with several geographic locations, the IT components of security systems can now be outsourced, significantly reducing initial capital expenditures and recurring maintenance costs. For example, Infrasafe - a global security design and integration firm headquartered in Orlando, Florida - offers several remotely hosted services: iCast for access control; iVisitor for visitor management; and iBadge for employee ID badging. (See www.infrasafe.com)
For companies who manage their own wide area networks (WANs), implementing the ability to automatically switch over segments of the business network to the security network for temporary use during high-bandwidth security response actions can reduce the monthly Telco costs of the security network.
Physical security and IT brainstorming
Sometimes it takes a bit of homework and brainstorming by a team of security and IT folks to identify all the benefit and cost savings opportunities.
On one recent large-scale video security project the vendor proposed a system that would have required additional telco lines costing $200 000 per month, or $2,4 million per year in additional operating costs. The selection of a different video transmission technology reduced the telco line costs to $45 000 per month - a difference in annual operating costs of $1,86 million.
Sometimes advanced features, like using video alarming on change of picture to track snow removal progress, can free up personnel time and provide instant notification of change in task status. The man-hours saved should be included in ROI calculations.
One example is the case of a manager who wanted to view the warehouse security video camera images from his desktop computer. The security software contained a Web-based video viewing client, which allows viewing video in a browser. It seemed like a simple thing to connect the security video server to the corporate business network, and give the manager access to the live and recorded video.
Closer examination of the system revealed that to connect the video server to the business network would have required the installation of a new firewall and other network components. Furthermore, the network switches on the business network were not compatible with the video technology, so a portion of the business network would have required an extensive upgrade. The IT folks who examined the business case said, "Too expensive and too risky".
However, the security folks discovered that a short extension of the security network into the manager's office would allow the manager to connect his laptop computer to the security network to view the video. It turned out to be an inexpensive approach, and was accomplished with the help of the IT folks who extended the security network, and set up the security configurations on the video server and on the manager's laptop computer. IT was also able to limit the manager's security network access to the one physical network connection in his office, to maximise security.
The video viewing capability freed up six hours per week of the manager's time because he no longer had to walk down into the warehouse to visually check on the status of shipments. This enhancement to the security system paid for itself in less than two months, and continued to provide a return on investment thereafter.
Maximum ROI
To get the maximum ROI from today's electronic security systems requires a case-by-case analysis for each organisation. Both security and IT personnel should participate. Business objectives, personnel, management structure, business network infrastructure, security network infrastructure, and business threats and vulnerabilities all differ from company to company.
Regardless of the corporate differences, there are significant benefits for all companies that establish a good working alliance of security and IT, and support the security and IT personnel in their efforts to learn and collaborate.
The South African perspective
By Ettiene Swanepoel, technical director, Reditron
To me, the term 'bottom line', immediately suggests a checklist or what steps should be taken to ensure that - when IT and security converge - the overall financial impact for the installing company is positive.
The following text logically lists the considerations for South African companies. Admittedly, several will appear simple, but it is amazing how common sense seems to fly out the window when two different disciplines and departments are required to work together.
* Ensure that a detailed functional specification outlining the operational procedures of the system exists.
* Clearly define the roles and functions of both the security and IT departments.
* Involve both IT and security specialists in the design of an IP security system.
* Take into account future expansion when designing or upgrading the network.
* Ensure that the IP system installer is adequately qualified and trained to successfully implement the system.
* Insist on involving the IP product supplier for further assurance of compliance and support.
* Implement the IP security system in properly planned phases, especially when using an existing network.
* Allow for enough redundancy in the system to minimise system downtime.
* If shared network clearly define what bandwidth can be utilised for security purposes during normal operation.
* Also define what bandwidth can be utilised in cases of emergency and alarm verification.
On any given day in today's business world, it is more costly to install a security system utilising IP technologies compared to a dedicated LAN or WAN security network. However, there are benefits to consider when calculating the total investment over time.
* Within IP's digital context, the number of products that can develop faults is less in comparison to analog equivalents.
* Although IP security systems are more infrastructure dependent, they are more easily managed on a daily basis.
* The technology used in IP security systems is so-called 'future proof' and easily upgradeable whereas analog is far less so.
* IP security includes additional video analysis capabilities that can be used as a business management tool, in addition to its normal security functions.
* Software upgrades including newly developed features are normally free of charge.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.