Reflection on data and digital driven corporate security strategies

The loss control profession or security management, as it is historically known, makes significant and more often unnoticed contribution to corporate profitability and growth. This unfortunate scenario continue to exist because the security profession has not raised its stakes to the same level with other professions and consequently the security function continues to be inappropriately placed and subordinated to lower levels in organisation structures. Its contribution is thus delivered through the hands of those other professions who obviously receive the credit.

Data-driven security modelling refers to application of measurable factors in developing and implementing security strategies and programs. It is probable the most effective model that Chief Security Officers (CSOs) can use to demonstrating the value of the contribution of the security function to corporate profitability and growth. For example, physical protection systems can be measured via penetration times, and barriers are measured using delay and defeat times; Karrim H Vellani (2007). While not all elements of a security strategy or program lend themselves to data and quantitative measurement their components, including data on attitudes of security personnel, can be collected and quantitatively assessed or measured effectively.

A carefully and professional crafted and developed data and quantitative corporate security and loss control strategy has potential to eliminate or reduce and quantify preventable losses that may be caused by a number of weak security measures andrisk exposures including those associated with criminal behaviour and employee negligence. Consider in the retail industry;A typical example is given by Karrim H Vellani (2007) in his book strategic security management. He gives an example of a major chain store with sales of $1 billion which might realize a 3% net profit as well as a 3% inventory shrinkage (these figures are quite realistic in USA). This firm, then, realizes $30 million in profits and $30 million in losses, or lost profit. In this casethe Chief Security/Loss Control Officer through his effort and well-crafted data and quantitative model driven security strategy reduces the inventory shrinkage by just one half of 1%, profit would rise by $5 million! This is a significant recovery of loss that would have gone otherwise unnoticed.In Zimbabwe, and perhaps elsewhere, there is a limit to which the cost of raw materials can be reduced; actually raw material a scarce and expensive input andthe cost of labour is already a hot potato; that just as expected, in Zimbabwe just like in normal economies, executives earn fair salaries and may not have them reduced without affecting organisation performance; the costs of so-called other expense such as rates and electricity, utilities, and taxesare beyond corporate influence and control, they are all fixed. Losses reported by both private and state enterprises are so enormous to ignore. Their sources and cause may not be solely operational.Obviously corruption, poor governance and consequently weak controls play a role. Reduction of loss or return to profitability may be partly in the hands of security professionals who manage corporate loss control systems in organizations. This is a task that requires data driven professional security and loss control strategy development and implementation. The most critical aspect that makes security and loss control professionals fail to articulate their relevance in organisations, to the extent of having their service unappreciated and their existence in the organisation insignificant, is their lack of necessary skills in the development and implementation of data driven corporate security and loss control strategies and programmes.


Data-Driven loss control and Security strategy and the SMART Metrics

Good metrics are attainable when security professionals strive for metrics that are SMART—Specific, Measurable, Actionable, Relevant, and Timely.

What cannot be quantitatively measured or qualitatively assessed cannot be managed-Read Hayes (1991). This is a logically accepted business paradigm, yet the security Industry still remains away in the shadows, instead on moving into the data driven business environment as has already happenedto other industries. Some have argued that security is an art and not science and use of quantitative techniques in solving security problems is irrelevant. True as it may sound butcorporate security continues to rely on data manipulation and technology application which in the domains of science. It therefore flows that security management continues to drift from being pure art as is policing hence making it not purely an art per se. The security function constitutes a department in an organisation and is in no waysdifferent from other departments within the organisation. The unfulfilled requirement for CSOs to justify their presence in organisations and for them to be financially rewarded at the same level with other functions is inescapable. But for that to happen they have to appreciate that development of data and quantitative model driven business management strategies are key to communicating the relevance of the security management profession in enhancing profitability in organisations.

As the security industry grows to include not only physical security, but also information technology, it is incumbent upon today’s CSOs to focus more on the business than operational side of loss control. This necessity is best summarized in the “Chief Security Officer Guideline (2013)”:

Today’s business risk environments have become increasingly more severe, complex, and interdependent, both domestically and globally. The effective management of these environments is a fundamental requirement of business. Boards of Directors, shareholders, key stakeholders, and the public correctly expect organizations to identify and anticipate areas of risk and set in place a cohesive strategy across all functions to mitigate or reduce those risks. In addition, there is an expectation that management will respond in a highly effective manner to those events and incidents that threaten the assets of the organization. A proactive strategy for mitigation of the risk of loss ultimately provides a positive impact to profitability and is an organizational governance responsibility of senior management and governing boards.

The guideline goes on to discuss the role of the chief security officers (CSOs) as business leaders, problem solvers, experts in security and above all security strategists for their organisation. Interestingly, the guideline also suggests that the CSO’s background toStrategic Security Management include business, not law enforcement, since the CSO’s key responsibility “is to develop and implement a strategy that demonstrates the processes in understanding the nature and probability of catastrophic and significant security risk events.” As organisations security departments grow and begin to encompass more responsibility for the protection of people, property, and information, so too must be the CSO’s ability to fall back on empirical data to support his position. No longer can security professionals rely solely on gut instincts.

It is common for recommendations from the security department to be presented with little or no thought to why certain procedures or security equipmentshould be used. Often, inappropriate security equipment is recommended for procurement and deployed because other companies are using without regard as to why they are doing it. It has appeared too common in the security industry for there to be a propensity for using, for example, CCTV as aloss control measure without complete understanding of the problem or a thorough analysis of the other security measures’ ability to be effective in a given situation. Resultantly the deployment of such equipment would be inappropriate, cost ineffective and with return on investment. Data-driven security strategy can help CSOs overcome this problem by identifying key concerns, the specific security measure’s ability to solve the problem, and the anticipated cost.

In his book Karrim H Vellaniasks how security professionals can justify to senior executives a sizable and usually growing annual security budget. By now, most CSOs should be keenly aware that a security program’s success depends on the commitment and support, or buy-in as it is commonly known today, of senior executives and boards of Directors. Karrim goes on to suggest that aquantitative model and data-driven security program should help management understand that security is more than a must-have expense; it should justify costs to management by showing the proof of success that, when presented effectively, can garner the necessary support from upper management and demonstrate a convincing return on investment that can earn the security profession the recognition it is itching for. Security expenditures, just like other departmental budgets, need to be justified with empirical data and supplemented with cost-benefit analyses and bench marking.

Threat, vulnerability, and risk assessments along with specific types of assessments such as crime analysis are common methodologies used in the protective security industry. Quantitative models are used in each of these methodologies to establish a baseline from which security systems effectiveness can be measured.

The qualitative approach to security managementmay not be recommended for abandonment but its use should be limited to those instances where the quantitative approach cannot be used for lack of measurable variables. Thus, loss control and security management, continues to drift away from being a pure art to somewhere in between art and science.The response of some counter measures to certain trigger situations in security management are predictable under assumed conditions. This article is very helpful to ICLM Advanced Diploma in Loss Management students who take the Advanced Security Management module under the Security and Risk management option and to those doing the Executive Diploma in Security and Risk Management programme.


It does not matter how brilliant you are as a Chief Security Officer or how skilled you are at deploying Security Guards, if you are not professional about loss control and security, you are already a failed practitioner and your path to professionalism is closed.


Retired Colonel Joshua Murire is an Independent Loss Control and Security Management Researcher, DPhil Student and ICLM Executive Director.

For Comments Call 0778927618, 263 4 781870, 263 4 781995, 263 4 3253894 or browse: