This article is the first in a series on security technology and ROI. It was compiled based on the guidance of security leaders at Fortune 500 companies. If you have additional suggestions to make, we invite you to share them with us here.
Security technology budget is carefully scrutinized at many organizations because the return on investment (ROI) is not always readily apparent. Security programs inherently do not generate revenue, arguably the most coveted return on any investment. Further complicating this issue is the fact that the budget used by security teams often comes from multiple business units or divisions (e.g., human resources, facilities, operations, legal, etc.). This means that a business leader from one division might not be impressed by a benefit that accrues to another division.
Whether you wish to understand the true cost of selecting a given technology or advocate for additional budget, you must understand the costs and benefits of investments in security technology.
Here is a suggested approach for assessing the ROI for physical security technology. We recommend you consider both hard (e.g., dollars spent) and soft (e.g., time spent) costs and benefits.
When you are calculating ROI, you are essentially asking: What specific benefits is your organization getting from your investments in physical security technology?
Calculate Your Investment in Security Technology
In theory, physical security technology ROI is a straightforward calculation: net gain / cost, multiplied by 100. In practice, the calculation is often more complicated because not all contributors to the investment and return translate directly to a dollar amount.
“Investment” is not simply the sticker price of a given technology component or line items on an invoice. Instead, you should calculate investment in terms of total cost of ownership. Here are examples of the costs you should include when calculating your investment in security technologies, and some questions you can use to aid your calculations.
- Subscription and user license fees: These should be straightforward and easy to identify. What specific features/functionality do you get, and for how many people on your team?
- Training and support: Training costs can vary significantly based on whether the trainer is remote or in-person, as well as other factors. What type of training works best based on your staffing model and other factors? How long will it take for end users to comprehend and competently use the technology?
- Integrations with other technologies: No one in the security industry is asking for more disconnected systems or data. What does it cost to add new data or connect other systems? Are there any trade-offs in terms of functionality?
- Person-hours or specific skills: Some technologies require trained administrators, often at a higher paygrade, to make even modest changes. Are you able to maintain or change a given technology when you want and without a costly human resource? If not, what is the cost of that resource to make the needed changes?
- Configurations and updates: As your mandate or programs expand, you will likely need more from your technology Do these changes require additional consulting or coding? Are there delays in making these changes due to the expertise or specific personnel required? What types of changes require additional fees?
- Inefficiencies: Unfortunately, inefficiencies often scale automatically. When a basic task is time-consuming, error prone, or otherwise inefficient, the impact compounds over time. Even additional mouse-clicks add up over time. Does the technology create more or fewer steps for your team members to perform their basic duties? Are their redundant processes that could/should be automated?
- Hardware purchases: Obviously you must include the cost of any cameras, gates or other hardware components – but are there supporting technologies you must also purchase? For example, does your desired software purchase require new computers for your team or an on-prem server?
- On-prem solutions: The security industry is in the midst of a migration to the cloud, with many legacy technologies still requiring an on-prem installation. Does the technology require servers or other computing equipment onsite? Product updates may need to be manually uploaded to these machines. This usually requires IT expertise. Operational downtime can often result the case of disaster (e.g., a power outage). Consider carefully the pros and cons (and costs) of on-prem vs. cloud-based technology.
You can gather some of this information from the technology vendor. It is prudent to speak with at least one of their customers to hear their perspective.
How you use this information depends on the context. When making a purchasing decision, you definitely want to factor in all of these costs. You’ll be accountable for any dollars you spend, and it will be your team who is responsible for providing the person-hours to implement and use a given technology.
On the other hand, when requesting additional budget from business leaders, volunteering all of this information upfront might hinder your negotiations. The most important aspects: 1) be transparent in your request for financial resources and 2) connect the expenditures to specific organizational benefits and objectives (e.g., the return).
Identifying Your Return on Investment: Quantify What You Can
Because security budget is often owned by different business units, and because security programs do not generate revenue, security teams often face recurring budgetary pressure and are asked to justify spend. Sometimes ROI is challenging to calculate because the ‘return’ component of the equation does not translate automatically into dollars and cents.
ROI can also be challenging to articulate because effective security programs often result in fewer events and incidents, prompting the question: “Do we need to be spending this money for something that doesn’t appear to be an issue?”
Business-savvy security leaders are able to articulate and demonstrate ROI by connecting security investments to specific organizational objectives. They position security as a business enabler, a means through which important priorities are safely achieved. These priorities vary by industry, organization size and location, leadership teams, and other factors.
To calculate ROI, you first quantify positive outcomes and whenever possible identify a monetary amount associated with each of those outcomes. Here are some examples of different ways to quantify and discuss return on investment:
- Places and people protected: This may seem obvious, but it’s important to document the places and people protected by investments in security technology. Think of the number of employees, the types of locations (e.g., manufacturing vs. administrative offices; any sensitive or restricted access areas, etc.).
- Revenue protection: This depends on the revenue streams for your organization. Here is a supply chain example: tracking the number and economic value of shipments monitored/protected by the SOC.
- Decreasing incidents: These could be instances of workplace violence, forced entry alarms, attempted cargo theft, anything that the organization seeks to reduce.
- Threats against executives and employees: A security team may not be able to reduce social media threats against employees, but it is still important to quantify and investigate them to determine whether they are credible and involve law enforcement accordingly.
- Investigations conducted and actions taken: It’s important to quantify investigations but also to report outcomes and actions taken.
- Other team performance metrics: Any security output could potentially be a metric, and over time you may identify additional ways to measure team performance. Here you are focusing on your team’s ability to triage or otherwise address the volume of incidents, alerts, and investigations you need. Wherever possible, you want to connect your team’s outputs to positive outcomes. A travel risk advisory for a particular region is an output. Making corporate travel less risky (e.g., by selecting safer options, evacuating employees or avoiding high-risk regions) is a positive outcome.
Many of these items will not translate to a specific dollar amount. When considering or reporting these numbers as part of an ROI discussion, context often helps tell a story. This context could be numbers from previous years (e.g., showing a trend), data which better illustrates the impact of security (e.g., the value of cargo) – anything that helps qualify or quantify what the organization is getting from its investments in security programs or personnel. Describing how you make efficient use of resources can be especially persuasive to business stakeholders and can help you build the case for further investments.
Identify ‘Soft’ ROI with Demonstrable Value:
Once you have quantified positive outcomes and assigned a monetary value wherever appropriate/possible, it’s time to consider soft ROI – the benefits that are tough to quantify or don’t translate to a dollar amount but still provide value.
Throughout the pandemic, our customers have relied on our COVID-19 Briefing Dashboards. These decision-making tools provided maps with rich geolocated intelligence alongside customized data dashboards. Our customers were able to replace multi-hour daily data collection process with a brief data review. These security teams could then focus on other physical security risks because they had automated the data collection process.
2020 has been a banner year for all-hazards risk. Time not spent on COVID data collection is time that can be spent on mitigating risk from natural disasters, civil unrest, criminal activity, etc.
Our customers also used the Briefing Dashboards to help guide operational decisions: Where can we conduct business? Which locations should we open or close? What travel guidance should we provide our employees? How are the local communities – including our employees and their families – impacted by the pandemic? The Briefing Dashboards provided concrete data points for these and other key questions. This enables benchmarking, comparisons, and other insights that streamline decision making.
These are just a couple examples where the ROI is soft: valued but challenging to measure. The amount of time saved can be calculated, as can hourly rate of the relevant employees, but those numbers don’t truly reflect the overall impact on the organization.
Other examples of soft ROI include improved employee morale or job satisfaction, improved security team productivity, and improved company reputation. Security leaders should understand and be able to explain the impact of soft ROI from technology spend, especially in situations where quantifying benefits or assigning a dollar amount.
This article has focused on how to measure ROI from your security technology purchases. In future articles we’ll explain how a common operating picture can provide the data you need to quantify and document ROI, and how to present ROI figures to your leadership team.
Image courtesy of QuoteInspector.com