Outsourcing physical security functions, such as manned guarding, is well established. However, can such outsourcing be structured to minimise risk still further or in a more co-ordinated way? In this article, Alan Field explains what should be considered at the early stage of negotiations.
Outsourcing of physical security management is now commonplace. Typically, only very small or very large organisations may still manage their own security. So, outsourcing security management is common and, sometimes, may be part of what might be described as managed services or total FM packages, where security is delivered with other services such as reception, cleaning, landscaping. Sometimes even wider activities — such as IT help desks or HR functions — may be delivered along with other more usual hard services functions.
However, when security management is being outsourced, or re-tendered, one approach is not just to consider the package of services being offered but — rather — what suite of services security itself actually includes. This article will consider how an outsourcing contract should be used to support the outcome of defining security in a wider context.
Asset protection can be as limited or wide as the organisation chooses to make it. The scope of the level of security can be based on what the organisation sees as valuable assets that should or can be protected.
This implies a risk assessment has been undertaken and the consequences of the loss of assets have been understood. This is not always the case and an FM professional should be clear on what an organisation has — or has not — done in recent times in terms of a security risk assessment. Non-existent or old risk assessments can lead to fundamental misunderstandings of what an outsourced security function should or could perform.
In broad terms, risks previously identified can mutate and, equally, new ones emerge, eg the changing nature of terrorism and so-called industrial or corporate espionage. The nature of change can be impacted by both external threats, and internal ones as well — be these directors, staff or other trusted stakeholders. It is often forgotten that the controls defined for asset-related risks can also change in their effectiveness over time. A good security contractor — through their regular reporting to their client — can give added value by making sure these are identified.
Over a period of time, the perception of risk can also change, both from within an organisation itself and from those outside it. This can, in part, be due to changing business priorities or stakeholder expectations. So, the changing status or vulnerability of assets to be protected should always be included within a risk assessment review. Also, consideration should always be given as to how the security contractor is going to provide added value within this changing risk landscape.
Like any other type of contractor, different security companies will have different strengths in their different service offers. Having a good awareness of what an organisation sees as the most important to them can, in turn, help them choose the right security contractor.
Machine or human?
Risk assessments should take into account new and emerging technologies that can mitigate asset risks. For example, the use of CCTV as well as more sophisticated intruder alarm systems and other methods of electronic surveillance have become more prevalent and sometimes cheaper in real terms. In other words, does a security guard need to physically protect an asset or can it be done remotely from a control room? There is no simple answer to this complex question. The organisation may need guidance to make its choices and this may involve the security contractor and/or other business advisors.
However, once these decisions have been made, the security contractor may be asked to manage these technologies (perhaps with the involvement of specialist sub-contractors) as part of the overall security package. The other option might be that they will be working in tandem with other contractor(s). These are critical questions that need to be decided upon in advance. An FM professional needs to be mindful of drawing its client’s attention to any arrangements where these interactions have not been appropriately defined and implemented.
Larger security contractors may have divisions to manage such technologies directly and, if so, the key question is to determine how the contract manager assigned will interact with these divisions. Again, none of this should be assumed. Making enquiries about how any large security contractor actually integrates, or otherwise aligns, their internal business systems and divisions should be examined.
Any security outsourcing needs to be based on the most up-to-date information — an organisation wouldn’t outsource cleaning if they didn’t know what they actually wanted to be cleaned and to what standard. Yet some organisations may not have a clear idea of what assets they choose to protect and to what extent. An effective security contractor will offer advice and support on such questions.
In short, an organisation needs to understand what it is outsourcing in terms of security and, second, what it actually expects in terms of added value. This is not simply a matter of looking at what the current contractor does but, rather, considering what future asset protection expectations are.
What is physical security anyway?
This may not be as obvious at it seems. For example, if there is a mobile workforce then the assets they carry (eg handheld devices and laptops) may be as valuable as at any at the premises where there is more physical security. A potential security contractor should demonstrate it can advise on this issue. Another example might be where premises are shared with a landlord or other tenants, then what level of risk or vulnerability do they present that needs a different security approach?
Also, the concept of physical security itself cannot be assumed. For example, many organisations see information security as something completely separate from physical security. Yet both are concerned with assets.
While many organisations would righty argue that information security is a specialised aspect of IT management, there could still be a strategic overview of all asset protection.
For example, where employees are using mobile data devices and/or laptops, these are valuable assets including the data they can store. International Standards — such as ISO 27001:2013 for Information Security Management — expects that physical security of data to be managed. It is all too easy for organisations to expect data breaches to be only through “hacking” or other virtual intrusions. However, the threat could also be through the theft of hardware, members of staff sharing passwords with criminals and, equally, criminals simply entering the premises to interrogate data sources. So, there are clear links with physical security and data security.
Combining some element of risk assessment may produce surprising synergies, where again a security contractor could advise upon how an overall strategy, even where a separate IT security consultant is involved.
Security should not be about internal boundaries and all contractors should have a clear approach to how they co-operate and complement one anothers activities. This is especially true with, arguably, a wider range of emerging risks of corporate espionage, along with wider scams perpetrated against staff (and sometimes very senior ones!) that enable intrusion — either virtual or physical — to compromise business assets, especially confidential data. Security contractors should always minimise the risks of intrusion “slipping between the cracks” of different areas of responsibility between IT and physical security.
Selecting a security contractor is not as straightforward as it seems. The client organisation needs to have a clear idea of what assets it wants to protect and why. A good security contractor does not just provide these services but also advises on the wider risk and opportunities that could present themselves. Any outsource arrangement should always provide added value.
Last reviewed 15 November 2016