Who should bundle Security?
Geoff Zeidler, Chairman of the British Security Industry Association, shares his thoughts on the issue of “bundling” in the security sector, and how his experiences on Channel 4’s “Undercover Boss” have helped shape his views of the issue from an end-user perspective.
The 2013 Security Research Initiative (SRI) study by Perpetuity Research and Consultancy International (PRCI), which investigated bundled versus single service security, concluded that there was no common view as to what “bundling” means; and that clear evidence does not exist to justify whether it is better or not. This certainly accords with my own experience, where the decision is more often defined by customers’ organisation, management and view of the scope of security than anything else.
Security is a hard service to procure, as businesses have to “spend to defend” against changing external threats. Like insurance, it requires clear corporate policy as to the level of risk deemed acceptable. Unlike insurance, the ratio of cost to cover is less well defined, making it always seem expensive unless something goes wrong. This means that any measure that seems to mitigate the cost is inherently attractive; but the critical question is whether or not it is as effective.
What is bundling?
The SRI’s first point is that “bundling” can mean either Service Bundling – integration with one or more other services (through many facilities management models, including self-delivery or sub-contract) – or Security Bundling of both the officer and technology solutions that combine to create a secure environment.
The rationale for Service Bundling is generally to allow shared management costs or officer duties, making it cheaper. In reality, security is a regulated business, whose licensed staff must be able to prioritise their security activities if needed and have specific management needs. Generally this means that, even in self-delivery models, the security function is reasonably independent, limiting the cost saving or risking compromise. Given that service bundles are larger contracts with more complex financial and contract performance metrics, it is a challenge for customers to ensure that the right spend and investment is being made in the security element. Finally, as part of a “bundle” of services, the customer inevitably makes a compromised selection of security provider which can, by definition, never be better than an independent choice. For these reasons, I believe that lower cost has to be the main driver behind Service Bundling, but that the effectiveness implications are rarely evaluated. Despite this, it is an approach that providers have responded to, reinforcing the perception that it is “better” despite the lack of evidence that the SRI identifies.
There is far more operational sense in Security Bundling. One of the most frustrating experiences during the filming of “Undercover Boss” was the number of times that I found the CCTV or other technology was not working properly, but the officers and company did not have the authority or relationship to sort it out. Security was at risk, and the security provider could not resolve the situation. Many security companies offer an integrated capability directly or through partnerships, and it is a model seen widely in Europe, so why is it not more prevalent?
It is driven by customers, as I have never seen an attempt to procure solutions with this approach. Customers may not see one provider as competent in all elements – although they believe this for services. Possibly the procurement becomes too complex and the provider base limited. I have seen it be successful, where, over time, customers come to trust their provider and accept integrated proposals as cost reduction. It is certainly a more sustainable route to cost reduction which assesses the impact on security effectiveness, unlike Service Bundling.
So which, if any, is the best approach for any given customer; and how are these choices made?
Despite the discussion of bundling, the vast majority of security contracts are still let as single service. This is probably because of the second point in the SRI study, based on surveys and interviews from 83 providers and 62 customers, which concluded that there was no evidence base for bundling decisions. This reflects my own experience, where customers in the same sector, with similar risks, often have very different approaches. What defines the approach is usually the relative authority of the customer’s Security Management to Facilities or local operational management and procurement; the clarity and importance of security policy at Board level; and the scope of the service.
In a challenging economic environment, the variance in authority of internal experts in the final decision obviously makes a difference.
At present, whether single service or bundled, price focus has led to contracts let at a level that many believe are independently unsustainable. This may be because customers do not understand the necessary infrastructure; but the effects, although not visible quickly, will compromise the “response reserves” (which include officer morale) necessary to maintain service. If this is the case, then it is a failure on the part of all parties. However, it is clear that many believe Service Bundling is a good route to cost reduction.
Policy and scope are more interesting drivers. If I was to say “Cyber Security” in any boardroom today, everyone would engage, as it represents a “known unknown” threat. Yet, whilst technical defences are certainly critical, the main risks come from supply chain and staff behaviours. These require a security policy that is not two lever arch files of protocols, but one which is clear, accessible and enforced to manage the behaviour of all the organisation’s stakeholders.
This is no different from the challenges of managing all security risk; and I see customers with a strong policy and wide scope focus tend to engage expert security providers and their partners more effectively, and more often use specialist or security bundling.
So should you bundle security?
The BSIA represents over 500 members from all parts of the security provider community and believes in the benefits of Single Provider or Security Bundled contracts, where customers implement clear, Board-led policy through a team of BSIA members and reduce cost with assessed risk impact, over Facilities led Service Bundling. Developing members’ broader security capability was behind the acquisition of Skills for Security earlier this year; a current focus on partnerships between members; and current plans to engage more with customer practitioners.
However, the BSIA realises that service bundling will suit some customers and has many members only happy to assist! Returning to the SRI study, I hope that by next year the SRI can develop the evidence base to ensure that all customers can make better decisions either way. If you have any such evidence, I hope you might share it with them!
For more information about the BSIA and the services offered by its members, visit www.bsia.co.uk