There is a race for Technology implementation in every field. This affects Security Management too due to which ‘Security Automation’ is considered as the most important component amongst the five Security layers (https://securitypracticesandsolutionbysmit.blogspot.com/2021/08/the-five-layers.html). Many times, Security Technology is implemented not due need to mitigate the risk or bring efficiency, implemented for sake of it, there is no estimation of what in Security is to be automated, why to be automated, and how to be automated. This results in a bad investment, dissatisfaction amongst Management & Owners, unhappy users (employees, workforce, visitors, etc.), and most importantly, the risk remains.
Problem statement
In the last 19 years have seen several
examples where Security Automation is not balanced with actual need. There are
mainly four logical scenarios for imbalanced situations in Security technology:
1. Over-implemented – logically such cases
should not be much as Security is not a priority, but surprisingly there are cases
where implementation is over-doing, killing flies with cannon. Recently came
across a situation wherein the Camera OEM was made system integrator, the
vendor subcontracted ground tasks to a small-time technical vendor and installed
four times the cameras needed on the perimeter and gates. SMEs are important to provide the right
balance. There is no concrete indicator for this situation where the Security
manager can identify about over-spent, however, if quantification work is done by
the Security manager / Management by bench-marking the Operations Vs Security
cost for similar business/environment it gives the right implementation level.
Another issue associated with this scenario is, high OPEX cost for technology
maintenance which is recurring
2. Technology not implemented – though
risks or need exists, still Security technology not deployed and leaving space
for risk to reality. The major reason for this situation is, Risk is not
known/undiscovered. It is important to note that a ‘risk exists’ situation
doesn’t mean ‘risk visible’ – reference blog ‘speaking risk’, it is important
to find the unknown risk (https://securitypracticesandsolutionbysmit.blogspot.com/2021/09/speaking-risk.html).
In such a situation, the indicators for Security managers will be high-Security
manpower dependent de-risking operations, high-error rates, frequent Security
issues, complaints of inefficiency, high manpower OPEX cost.
3. Implemented but not what’s needed -
this results in dissatisfaction, frustration. As the risk is not covered,
frequent Security incidents will trouble in routine. The most common situation
or example have noticed is, Management is giving importance ONLY to CCTV implementation
rather than access control in the Industrial environment. Remember risk exposure is only due to unwanted movement of people, material, or information
(physical or digital means).
4. Partial implemented – partial risk is
covered with technology, and no further detailing is needed to explain the
situation – treatment is half done. If the Security Manager is not able to provide
correct information to management that investment done is not covering risks
being faced after investment, he will be in problem. We do not consider management
to understand investment on Security Vs needs.
The core reason for this imbalance
situation is, implementing technology before the process. It is aimed to
explain how these imbalance situations can be avoided.
Approach to Technology
Among the five Security layers to mitigate the risk, ‘Process’ is the least expensive to implement. However, it
requires a deep understanding of the overall Security Management and the
environment (people/users, business/operations, threat level/SRA, etc.) in
which the Security Operations are being designed.
All other layers, except ‘Process’,
requires clear, visible expenditure i.e.
a. Cost of infrastructure – perimeter wall,
light, patrol track, watchtower, etc.
b. Cost of equipment – CCTV, e-gates,
turnstiles, metal detectors, explosive detectors etc.
c. Cost of application – Video Management
System, Visitor Management, Access control system, PSIM, and
d. Cost of manpower - on-roll/off-roll
Security officer, manager, guards, supervisors
This blog is on Security technology to
attempt answering ‘what to be automated’.
There are two approaches for becoming
mature in terms of the Security management system while implementing Security
technology.
Approach – 1:
Wherein manual processes are stabilized
first and based on (documented)processes driven Security management, technology
is selected and implemented. That’s generally the brown-fields projects.
Approach – 2:
When technology is being implemented, processes
are modified around the technology accommodating space for technology to
achieve the goal of de-risking. That’s generally the green-field projects.
When we talk about Approach-1 i.e. stable
processes first, this includes and starts with effective risk assessment & identifying
the risk level, this is base for how much prevention & protection is needed (refer https://securitypracticesandsolutionbysmit.blogspot.com/2021/08/finding-solution-to-break-risk-chain.html).
The working philosophy and/or Security operating model gives the best mix of process,
manpower, and infrastructure. When technology is added, change management (as
one of the processes, expected to be available) allows smooth adaptation of automation
and gives the desired result from technology. This is very important that
technology is taken into routine operations as part of change management and
regularly amending processes, infrastructure, manpower around new technology
not only for stabilization but also to ensure new risk is not added with
changes. The new technology(ies) settle-downs well.
The best time to implement technology is
when other Security layers (process, infra, and manpower) are working in absolute
sync with each other. The stable process itself will speak about what is to be
automated and in what quantity. Users, management, and the Security team will
enjoy the new technology best at this stage. At this stage when Security
Technology is implemented, qualification of risk reduction, estimation of
efficiency improvement, and appreciation of investment in technology can be
done easily. The only challenge in Approach-1 is lots of retrofitting is
required, infrastructure changes, which adds to Security automation project
cost and time, but worth it.
For the greenfield projects, technology
implementation from ground zero is always an issue because we do not get an
opportunity to understand risk, user behaviors & expectations in totality.
Unless all levels of stakeholders in coordination and understanding with each
other contribute to ‘document’ what is needed, the pilot conducted for the
technology, the implementation in greenfield will have fewer chances of success.
So, in greenfield / new projects, Approach-2 comes into the picture. The
technology is implemented, and processes are stabilized around the same,
however, it is important that the process with (to be implemented) technology
Operations / flow-charts are documented, piloted/rehearsed, and validated/accepted
at all levels. The benefit of the green-field project is, we can accommodate
infrastructure for technology since inception like the location of power supply,
ducts, space, type of doors, etc.
Therefore, in both approaches, the
‘process’ is what is decided, designed & documented first to be balanced
and mature in Security Management System thereby omitting the major reason for the
failure of technology. Security technology is one of the components of the
overall Security Management system, and to get the answer for what is to be
automated, the ‘process’ layer is important to be strong.
What is to be Automated
As stated above there are two approaches
which mainly is segregation between ‘Green field’ and ‘Brown field’ Security
Automation projects, so the answer for ‘what is to be automated?’ also varies
for both the situations.
In Approach-1, we need to observe &
analyze through a process where the manual way of Security is resulting in issues.
Below are the indicators/situation and what technology is needed to handle the
same:
1. Human errors in detections:
Deploy sensors, CCTV with centralized
monitoring.
2. Requires more manpower to maintain
deterrence level:
CCTV, siren, auto-announcement systems
with adequate warning signs. Automated gates with a clean and clear approach.
3. Repeated tasks, manual governance, need
of standardization in processes, need of centralized monitoring, delay in
analysis, delay due to lots of paper-works, large-distributed work, trust issues,
forgery issues in paper-works.
Digitize Security processes like registration
process, visitor management, material movement management system, incident
reporting & analysis system, PSIM, etc.
4. Delays in people movement or more
manpower required in movement regulation
Biometric-based access control with access
barrier (full-height, waist height as per threat). Integrated Visitor
management system.
5. Delay in the screening of manpower /
personal belongings
Screening systems – x-ray, body scanners,
metal detectors
6. Lack of visibility especially during
incidents, lack of information during incidents
PSIM, C4i
There are many more indicators like frequent Security issues, security breaches (in similar businesses or surroundings), changes in the risk environment in the region, where rather than increasing manpower to mitigate risk, Security technology can be used. Thinking that ONLY Security manpower is to be reduced by bringing technology is not correct, which is a very common mistake by most of the management. However, it is important that the Return on investment against technology should be justified.
What is to be automated in the case of
Approach-2 requires:
1. Discussion with the ground team on what
technology is needed, validation from middle managers and leaders. Inputs from the user are also important. More tabletop exercises. Record all points.
2. Take reference to a successful technology model in a similar environment WRT operations, risk, and infrastructure level.
3. Documenting process steps – manual process
to automated or vice-versa or combination.
4. No harm in hiring SMEs, but important
that SMEs are not bound to OEMs/suppliers and independent of giving advice on
which technology will gel. Right partner with domain knowledge or the right
project manager from the organization is important.
4. Pilot setup, Proof-of-concept this keeps
the lower cost of failure. Please keep in mind analysis-paralysis can
lead to missed opportunities especially in technology, therefore speed in
pilot/POC is important.
It is very important that the Security
manager can justify the technology cost with few credible assumptions, that
Return on investment is before obsolescence. E.g. if CCTV is not implemented on
the perimeter, how much manpower is needed for the same level of surveillance –
The security manager can put calculations to justify the spending for green-field
projects.
Impact of technology – Measure
Efficiency improvement, time-saving, error
reduction, and Risk reduction cannot be measured easily, hence this cannot be
part of the Security KPI easily, though these are important. It is critical for the Security manager (especially in Approach-1) to justify the spent-on technology
is going in the right direction. Security manager to observe and record factors
getting affected by the impact of technology implementation.
Summarizing the blog with a graph which shows an impact on
various factors while technology implementation is in stages starting from no
technology (0%) to 25%, 50%, 75%, and 100% technology. Reference %age figures in the graph must not be considered as sacrosanct, these are indicative based on
experience and research of individual, may vary from situation to situation.
Explanation of Factors affecting due to technology implementation:
a. Cost – this indicates what is the cost of technology we pay
to reach from 0% to 100% technology implementation level. At the 100% level, the
cost is more than 120%.
b. Effectiveness – between 75% to 100% there is hardly any
impact on effectiveness. This shows that the best technology level is never at 100%, the
effectiveness in mitigating risk or contribution in overall Security Management
reaches to peak and remains unchanged.
c. Manpower dependency – Very strange, but the fact is till stage
manpower will reduce after which manpower requirement increases. At a max of
technology, the skill set required to manage the overall Security operations will
be different/technical, here the situation will be more costly than routine guards
(refer cost graph goes above 120% at 100% technology).
d. User Experience – Like effectiveness, there is no impact
between 75% to 100%, but when there is no technology, everything is manual in
Security, user experience is negative (bad). Imagine users need to manually fill
forms to get access to a particular area, which will be a hard-copy authority letter
to be referred by the Security guard managing the restricted area access.
e. Risk reduction –the risk though reduces till the peak of
technology implementation but not much after 75%. The risk reduces as
ADD(ability to deter and detect) continues to increase even if effectiveness remains
constant near the peak of implementing Security technology (at 100%).
The important message is Security manager should be able to evaluate the optimum Security technology level to have the correct balance and correct level need can only be possible when the ‘Process’ layer is given importance before technology.
Very insightful sir thanks for sharing
ReplyDeleteVery useful, thanks sir for sharing this
ReplyDeleteThis is one of the best article for security technology brainstorming and implementation.
ReplyDeleteThis acts as an white paper for security process and technology deployment.
Very well written sir, thank You.
Dear Smit, a very well conceived, analysed and to the point article on use of modern Technology.It covers almost all technical aspects on Security issues and I am sure Security Managers at all levels will be find it very useful in discharging their duties in security establishments of any Govt, Corporate or other entities as a true professional, keeping in mind the cost effectiveness.Well done and keep it up.Col Amar Yadav
ReplyDeleteVery insightful and elaborate Smit. Thanks for penning this Blog
ReplyDeleteSir, Indeed a deep research. Thanks for enlightening the Physical Security ecosystem.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteGreat Insight sir, agreed that before process and SOP are not in line with business requirements no tech can give us maximum output, and also agreed to the fact which you rightly highlighted here is the assumption that manpower will get reduced after implementation of new tech, but instead it is seen that gradually it will cross the earlier requirement, tech don't always give 100% ROI sometimes and it just an an Aesthetic requirement like a better user experience in terms of access control of man and material
ReplyDeleteregards/Vikas Dogra
Well scripted and illustrated .
ReplyDeleteWould like to add few more things . Technology never fails it's the will to adapt , except and execute is challange . There are gaps in accepting and adapting entire philosophy of requirement and deliverables which leads to undesirable results .
Good one Sir and indeed helpful..
ReplyDeleteTechnology should be implemented after planning and understanding the need of it.. Certainly, process implementation, execution and requirement of technology are linked to each other and there are number of aspects which should be considered before adopting and implementing any technology...
Wonderful blog for security professionals.. Thanks for sharing it..