
Process before Technology

There is a race for Technology implementation in every field. This affects Security Management too, which is why ‘Security Automation’ is considered the most important component among the five Security layers (https://securitypracticesandsolutionbysmit.blogspot.com/2021/08/the-five-layers.html). Many times, Security Technology is implemented not out of a need to mitigate risk or bring efficiency but for the sake of it, with no estimation of what in Security is to be automated, why it is to be automated, and how it is to be automated. This results in a bad investment, dissatisfaction among Management & Owners, unhappy users (employees, workforce, visitors, etc.), and, most importantly, the risk remains.

Problem statement

In the last 19 years I have seen several examples where Security Automation is not balanced with the actual need. There are mainly four logical scenarios of imbalance in Security technology:

1. Over-implemented – logically such cases should be few, as Security is not a priority, but surprisingly there are cases where implementation is overdone: killing flies with a cannon. I recently came across a situation wherein the camera OEM was made the system integrator; the vendor subcontracted ground tasks to a small-time technical vendor and installed four times the cameras needed on the perimeter and gates. SMEs are important to provide the right balance. There is no concrete indicator by which the Security manager can identify overspending; however, if the Security manager / Management does the quantification work by benchmarking Operations vs Security cost for a similar business/environment, it gives the right implementation level. Another issue associated with this scenario is the high, recurring OPEX cost of technology maintenance.

2. Technology not implemented – though risks or needs exist, Security technology is still not deployed, leaving space for risk to become reality. The major reason for this situation is that the risk is not known/undiscovered. It is important to note that a ‘risk exists’ situation doesn’t mean ‘risk visible’ (see the blog ‘Speaking Risk’); it is important to find the unknown risk (https://securitypracticesandsolutionbysmit.blogspot.com/2021/09/speaking-risk.html). In such a situation, the indicators for Security managers will be de-risking operations that depend heavily on Security manpower, high error rates, frequent Security issues, complaints of inefficiency, and high manpower OPEX cost.

3. Implemented but not what’s needed – this results in dissatisfaction and frustration. As the risk is not covered, frequent Security incidents will cause trouble in routine operations. The most common example I have noticed is Management giving importance ONLY to CCTV implementation rather than access control in the industrial environment. Remember, risk exposure is only due to unwanted movement of people, material, or information (by physical or digital means).

4. Partially implemented – partial risk is covered with technology, and no further detailing is needed to explain the situation: treatment is half done. If the Security Manager is not able to tell management correctly that the investment made does not cover the risks being faced after the investment, he will be in trouble. We should not assume that management understands Security investment vs needs.

The core reason for these imbalanced situations is implementing technology before the process. This blog aims to explain how these imbalanced situations can be avoided.

 


Approach to Technology

Among the five Security layers to mitigate the risk, ‘Process’ is the least expensive to implement. However, it requires a deep understanding of the overall Security Management and the environment (people/users, business/operations, threat level/SRA, etc.) in which the Security Operations are being designed.

All other layers, except ‘Process’, require clear, visible expenditure, i.e.

a. Cost of infrastructure – perimeter wall, light, patrol track, watchtower, etc.

b. Cost of equipment – CCTV, e-gates, turnstiles, metal detectors, explosive detectors etc.

c. Cost of application – Video Management System, Visitor Management, Access control system, PSIM, and

d. Cost of manpower - on-roll/off-roll Security officer, manager, guards, supervisors

This blog is on Security technology and attempts to answer ‘what is to be automated’.

There are two approaches for becoming mature in terms of the Security management system while implementing Security technology.

Approach – 1:

Here manual processes are stabilized first, and technology is selected and implemented on the basis of (documented) process-driven Security management. These are generally the brownfield projects.

Approach – 2:

Here, as technology is being implemented, processes are modified around it, making space for the technology to achieve the goal of de-risking. These are generally the greenfield projects.

When we talk about Approach-1, i.e. stable processes first, it starts with effective risk assessment and identifying the risk level; this is the base for how much prevention & protection is needed (refer https://securitypracticesandsolutionbysmit.blogspot.com/2021/08/finding-solution-to-break-risk-chain.html). The working philosophy and/or Security operating model gives the best mix of process, manpower, and infrastructure. When technology is added, change management (one of the processes expected to be available) allows smooth adoption of automation and gives the desired result from technology. It is very important that technology is taken into routine operations as part of change management, with processes, infrastructure, and manpower regularly amended around the new technology, not only for stabilization but also to ensure that no new risk is added with the changes. The new technology then settles down well.

The best time to implement technology is when the other Security layers (process, infra, and manpower) are working in absolute sync with each other. The stable process itself will speak about what is to be automated and in what quantity. Users, management, and the Security team will enjoy the new technology best at this stage. When Security Technology is implemented at this stage, qualification of risk reduction, estimation of efficiency improvement, and appreciation of the investment in technology can be done easily. The only challenge in Approach-1 is that a lot of retrofitting and infrastructure changes are required, which adds to the Security automation project's cost and time, but it is worth it.

For greenfield projects, technology implementation from ground zero is always an issue because we do not get an opportunity to understand risk and user behaviors & expectations in totality. Unless all levels of stakeholders, in coordination and understanding with each other, contribute to ‘document’ what is needed and a pilot is conducted for the technology, the implementation in greenfield will have fewer chances of success. So, in greenfield / new projects, Approach-2 comes into the picture. The technology is implemented and processes are stabilized around it; however, it is important that the process operations / flow-charts with the (to be implemented) technology are documented, piloted/rehearsed, and validated/accepted at all levels. The benefit of a greenfield project is that we can accommodate infrastructure for technology from inception, such as the location of power supply, ducts, space, type of doors, etc.

Therefore, in both approaches, the ‘process’ is what is decided, designed & documented first in order to be balanced and mature in the Security Management System, thereby eliminating the major reason for the failure of technology. Security technology is one component of the overall Security Management system, and to answer what is to be automated, the ‘process’ layer must be strong.

 

What is to be Automated

As stated above, there are two approaches, which mainly separate ‘greenfield’ and ‘brownfield’ Security Automation projects, so the answer to ‘what is to be automated?’ also varies between the two situations.

In Approach-1, we need to observe & analyze, through the process, where the manual way of Security is resulting in issues. Below are the indicators/situations and the technology needed to handle each:

1. Human errors in detections:

Deploy sensors, CCTV with centralized monitoring.

2. Requires more manpower to maintain deterrence level:

CCTV, siren, auto-announcement systems with adequate warning signs. Automated gates with a clean and clear approach.

3. Repeated tasks, manual governance, need of standardization in processes, need of centralized monitoring, delay in analysis, delay due to lots of paper-works, large-distributed work, trust issues, forgery issues in paper-works.

Digitize Security processes like registration process, visitor management, material movement management system, incident reporting & analysis system, PSIM, etc.

4. Delays in people movement or more manpower required in movement regulation

Biometric-based access control with access barrier (full-height, waist height as per threat). Integrated Visitor management system.

5. Delay in the screening of manpower / personal belongings

Screening systems – x-ray, body scanners, metal detectors

6. Lack of visibility especially during incidents, lack of information during incidents

PSIM, C4i


There are many more indicators, like frequent Security issues, security breaches (in similar businesses or surroundings), and changes in the risk environment in the region, where Security technology can be used rather than increasing manpower to mitigate risk. Thinking that technology is brought in ONLY to reduce Security manpower is not correct, and it is a very common mistake by most management. However, it is important that the return on investment in technology is justified.

What is to be automated in the case of Approach-2 requires:

1. Discussion with the ground team on what technology is needed, validation from middle managers and leaders. Inputs from the user are also important. More tabletop exercises. Record all points.

2. Take reference to a successful technology model in a similar environment WRT operations, risk, and infrastructure level.

3. Documenting process steps – manual process to automated or vice-versa or combination.

4. There is no harm in hiring SMEs, but it is important that the SMEs are not bound to OEMs/suppliers and are independent in giving advice on which technology will gel. The right partner with domain knowledge, or the right project manager from the organization, is important.

5. Pilot setup, proof-of-concept – this keeps the cost of failure low. Please keep in mind that analysis-paralysis can lead to missed opportunities, especially in technology; therefore speed in the pilot/POC is important.

It is very important that the Security manager can justify the technology cost with a few credible assumptions, and that the return on investment comes before obsolescence. E.g. if CCTV is not implemented on the perimeter, how much manpower is needed for the same level of surveillance? The Security manager can put up such calculations to justify the spending for greenfield projects.

 

Impact of technology – Measure

Efficiency improvement, time-saving, error reduction, and risk reduction cannot be measured easily, hence they cannot easily be part of the Security KPI, though they are important. It is critical for the Security manager (especially in Approach-1) to justify that the spend on technology is going in the right direction. The Security manager should observe and record the factors affected by technology implementation.

 


This blog is summarized with a graph showing the impact on various factors as technology implementation progresses in stages from no technology (0%) to 25%, 50%, 75%, and 100% technology. The percentage figures in the graph must not be considered sacrosanct; they are indicative, based on an individual's experience and research, and may vary from situation to situation.

Explanation of the factors affected by technology implementation:

a. Cost – this indicates the cost of technology we pay to go from the 0% to the 100% technology implementation level. At the 100% level, the cost is more than 120%.

b. Effectiveness – between 75% and 100% there is hardly any impact on effectiveness. This shows that the best technology level is never at 100%; the effectiveness in mitigating risk, or the contribution to overall Security Management, reaches a peak and remains unchanged.

c. Manpower dependency – very strange, but the fact is that manpower will reduce up to a stage, after which the manpower requirement increases. At the maximum of technology, the skill set required to manage the overall Security operations will be different/technical; here the situation will be more costly than routine guards (refer to the cost graph, which goes above 120% at 100% technology).

d. User Experience – like effectiveness, there is no impact between 75% and 100%, but when there is no technology and everything in Security is manual, user experience is negative (bad). Imagine users needing to manually fill in forms to get access to a particular area, resulting in a hard-copy authority letter to be referred to by the Security guard managing the restricted area access.

e. Risk reduction – the risk does reduce until the peak of technology implementation, but not much after 75%. The risk reduces as ADD (ability to deter and detect) continues to increase even if effectiveness remains constant near the peak of implementing Security technology (at 100%).


The important message is that the Security manager should be able to evaluate the optimum Security technology level to strike the correct balance, and determining the correct level of need is only possible when the ‘Process’ layer is given importance before technology.

Comments

  1. Very insightful sir thanks for sharing

  2. Very useful, thanks sir for sharing this

  3. This is one of the best articles for security technology brainstorming and implementation.

    This acts as a white paper for security process and technology deployment.

    Very well written sir, thank you.

  4. Dear Smit, a very well conceived, analysed and to the point article on use of modern Technology. It covers almost all technical aspects on Security issues and I am sure Security Managers at all levels will find it very useful in discharging their duties in security establishments of any Govt, Corporate or other entities as a true professional, keeping in mind the cost effectiveness. Well done and keep it up. Col Amar Yadav

  5. Very insightful and elaborate Smit. Thanks for penning this Blog

  6. Sir, Indeed a deep research. Thanks for enlightening the Physical Security ecosystem.

  8. Great insight sir, agreed that before process and SOP are not in line with business requirements no tech can give us maximum output, and also agreed to the fact which you rightly highlighted here is the assumption that manpower will get reduced after implementation of new tech, but instead it is seen that gradually it will cross the earlier requirement, tech doesn't always give 100% ROI sometimes and it is just an aesthetic requirement like a better user experience in terms of access control of man and material
    regards/Vikas Dogra

  9. Well scripted and illustrated.
    Would like to add a few more things. Technology never fails; it's the will to adapt, accept and execute that is the challenge. There are gaps in accepting and adapting the entire philosophy of requirement and deliverables, which leads to undesirable results.

  10. Good one Sir and indeed helpful.
    Technology should be implemented after planning and understanding the need for it. Certainly, process implementation, execution and requirement of technology are linked to each other and there are a number of aspects which should be considered before adopting and implementing any technology.

    Wonderful blog for security professionals. Thanks for sharing it.

