Directions: Security Budgeting

By Donald Skorka
Published in the September 2004 issue of Today’s Facility Manager

American businesses have been increasing their security expenditures at a sharply accelerated pace. Recent surveys have tracked the increased spending on physical security–the protection of staff, facilities, and equipment–using technological products. Such products include: smart cards, biometrics, video surveillance, three-dimensional modeling, and video imaging systems.

A new survey by Stamford, CT-based Meta Group predicts the average security investment in the U.S. will peak at 8% to 12% of IT budgets by 2006.”Information security remains a top five issue for CIOs, and the debate regarding appropriate investment levels continues to rage,” states Tom Scholtz, vice president for Meta Group’s security & risk strategies advisory service.

One particular area of spending that is slated to increase is biometric systems, which will grow by 42% a year, versus 28% a year in the preceding five years according to a recent report from The Freedonia Group, Inc., Cleveland, OH. Biometrics represent the newest technological promise for access control. Biometrics offer a range of options including fingerprint, face, hand, palm print, iris, retina, and voice identification to identify an individual.

Biometric technologies may offer advantages over smart cards in terms of convenience and the potential for more accurate identification and authentication of a specific individual. At the same time, in many facilities, biometric technologies are being used more frequently as a supplement to smart cards and passwords.

On the other hand, many still perceive that some biometric techniques have significant weaknesses that can be exploited. Facial geometry scanning, for example, can be achieved accurately only at certain angles and at certain lighting levels.

As experience with biometric technologies increases, and greater confidence in them develops, biometrics may eventually take their place as standalone authentication and identification methods.

Making Wise Security Decisions

Though spending is increasing rapidly, security budgeting has its limits too. The appropriate spending decisions will depend upon the industry, the facility location, and a wide range of other workplace factors specific to the particular company.

The decision process involved in making these choices should be an effort at prudent security budgeting. But what’s involved in making wise security spending decisions?

As security technologies proliferate, it becomes increasingly difficult to make accurate judgements about purchases. A security audit by a qualified, independent security professional is advisable as a first step in savvy budgeting.

The audit will point to security requirements that are being inadequately met and to solutions that can be implemented. The potential weaknesses of a security system will include physical terrorism, computer hackers, viruses, and many other threats.

Keeping Up With Advancing Technology

Today, facility professionals–and even security officers–are having a tough time keeping up with developments in security technology. Before they can make decisions about the most appropriate technologies, facility professionals must have sufficient understanding of them to evaluate their benefits versus their costs. Facility professionals need to consult with manufacturers and vendors to evaluate their capabilities and cost effectiveness.

In the area of biometrics, for example, it may be necessary to decide between facial and voice recognition technologies; between retinal, fingerprint, or hand scanners; or whether to implement infrared scanners.

Advanced security technologies typically bring such benefits as richer features, lighter weight, greater ease of use, and greater speed. And, as in all technological advances, costs also tend to decline over time.

But despite these increasing advantages that come with technological improvement, higher tech may not always be the wisest expenditure for a specific facility’s security program. It is entirely possible that low tech solutions actually provide the more cost effective security for a particular facility.

Can increased effectiveness be achieved with less than the latest technologies? How much high tech security does a facility truly need?
It is always an exercise in stretching the security budget to its fullest.

“There are a lot of security tools available, but are they the right tools for us? Will they do what we want?” asks Al Garcia, vice president of IT at Comac, a Milpitas, CA-based marketing/collateral materials fulfillment unit of records management company Iron Mountain. “We have no fear of spending money, but we have to do it wisely.”

Budgeting Using Net Present Value Analysis

One way to reach smarter security spending decisions is to apply the Net Present Value (NPV) financial analysis that is commonly used in all types of investment decisions. In an April 2004 Network Computing article on protecting corporate information assets, authors Lawrence Gordon and Robert Richardson wrote that “a growing number of IT professionals are starting to use NPV to quantify the benefits of their security expenditures.”

In a forthcoming study on the subject, they reported that about 1Ú3 of survey respondents said “NPV and other economic metrics are becoming important factors in weighing the costs and benefits of security investments.”

Essentially, finding the NPV of a particular security investment involves looking at the expenditure in terms of all the costs and benefits associated with it over its estimated useful life, and discounting the future costs and benefits by an appropriate discount rate to account for the time value of money. This results in an NPV figure for the investment. If the NPV is positive, the investment should be made.

Of course, like many other investments, estimating future costs–and especially benefits–for security investments is not always straightforward. But the NPV process establishes a framework to assist facility managers in making smarter spending decisions.

Gordon and Richardson note that NPV analysis is superior to ROI analysis, since ROI cannot adequately account for the often intangible benefits from security purchases (e.g., what is the return on a firewall investment?) Also, ROI does not take account of the time value of money.

From their survey, as well as additional information, Gordon and Richardson report that “we see many CFOs starting to require [NPV] analysis from information security managers, just as they do from other department heads.”

Analyzing NPV Security Spending

The following is an example of how NPV analysis would be applied to a security spending decision. (See Table 1.) A facility manager is deciding whether or not to implement either a retinal scanning system, with a cost of $300,000 at the end of the first year, and $100,000 at the end of the second year; or a facial recognition system, with a cost of $200,000 in each of the first two years. Discounted at a 10% annual rate, the cost of the retinal scanning (with a substantially higher cost in the first year) has a present value of $355,730, while the cost of the facial recognition system has a present value of $347,100.

Based simply on the present value of the costs of the two systems, the facial recognition system would be preferable. Now assume that the useful lives of both systems are estimated at 10 years each and that the retinal scanning system delivers an estimated $80,000 annual security benefit; the facial recognition system delivers $70,000 annually in security benefits. Again, using a 10% annual rate of discount, the present value of the benefits would be $491,568 for the retinal scanning system and $430,122 for the facial recognition system.

Based on this analysis, while both systems result in a present value benefit, the retinal scanning system delivers a greater net benefit over the life of the system, because the greater present value of its benefits offsets the higher present value of its costs.

With the continuing advances in security technologies of all kinds, it is clear that corporate executives and facility managers need to collaborate and spend the time and energy to determine the most cost-effective security solutions. This will require continuing reeducation about developing technologies and continuing investment in maintaining strong security for the company.

Skorka is senior vice president of New York City-based Custom Design Communications. He can be reached at dsorka@customdesigncom.com or (212) 216-9240.

You can find an NPV analysis with many examples in Principles of Corporate Finance, 7th edition, by Brealey & Myers, published by McGraw-Hill/Irwin, 2003.