The ASIS Foundation Security Report: Scope and Emerging Trends Executive Summary From research performed by the Justice and Safety Center, Eastern Kentucky University, with support from the National Institute of Justice
ASIS Foundation Security Report: Scope and Emerging Trends Sponsored by NIJ Pasek Corporation ASIS Boston Chapter Toepfer Security Corporation Robert D. Hulshouser, CPP International Association for Healthcare Security and Safety ASIS Calgary/Southern Alberta Chapter ASIS Phoenix Chapter ASIS Greater Milwaukee Chapter ASIS Columbus Chapter ASIS Greater San Antonio Chapter Michael R. Cummings, CPP
Eastern Kentucky University College of Justice and Safety Eastern Kentucky University s College of Justice and Safety, a Program of Distinction, houses the Justice and Safety Center, the Training Resource Center, and three academic departments that award degrees in assets protection and security, corrections and juvenile justice studies, criminal justice, emergency medical care, fire safety, loss prevention and safety, and police studies. Justice and Safety Center The Justice and Safety Center (JSC) was formed in 1998 in response to the state s designation of the College of Justice and Safety at EKU as a Program of Distinction. The JSC consists of a team of faculty and staff professionals dedicated to the advancement of public safety and security specializing in research/ evaluation, prototype development/testing, and training/technical assistance. The JSC engages in numerous federal and state funded projects and programs from agencies such as, but not limited to, the Department of Homeland Security, the Department of Justice, the Kentucky Department of Commercialization and Innovation, and the United States Department of Defense. Moreover, the JSC has strived to work collaboratively with various organizations and agencies to build upon the strengths of each partner and avoid duplicative efforts. Currently, the JSC manages approximately 70 public safety and security projects, as well as three regional, national, and international programs. It also leads the Safety and Security Initiative for the Kentucky Department of Commercialization and Innovation. Since its inception in 1998, the JSC has managed over $35 million in grant funding. Research Team Principal Investigators Pam Collins, Professor, College of Justice and Safety, Eastern Kentucky University Gary Cordner, Professor, College of Justice and Safety, Eastern Kentucky University Kay Scarborough, Professor, College of Justice and Safety, Eastern Kentucky University Data Collection Kelli Frakes, Sr. Research Associate, Justice & Safety Center, Eastern Kentucky University Jacinda Cockerham, Research Associate, Justice & Safety Center, Eastern Kentucky University Lou Martin, Research Assistant, Justice & Safety Center, Eastern Kentucky University Irina Soderstrom, Professor, Correctional and Juvenile Justice Studies, Eastern Kentucky University Funding Agencies ASIS International Foundation, Board of Trustees National Institute of Justice, Office of Research and Evaluation 1
Acknowledgements Special thanks to the following work group members for their contributions to the project: Lawrence Berenson, CPP Security Director L-3 Government Services, Inc. Chantilly, VA Steven K. Bucklin President/CEO Glenbrook Security Services Glenview, IL Michael A. Crane, CPP Senior Vice President General Counsel IPC International Corporation Bannockburn, IL Michael R. Cummings, CPP Director, Loss Prevention Services Aurora Health Care Milwaukee, WI Michael D. Gambrill Senior Vice President, Industry & Government Affairs Dunbar Armored Inc. Hunt Valley, MD F. Mark Geraci, CPP Senior Director, Corporate Security Bristol-Meyers Squibb Company New York, NY Martin L. Gill, Ph. D. Director PRCI Ltd Leicester, United Kingdom Rudy A. Wolter, CPP Deputy Director, North America Region Citigroup Tampa, FL Ronald Lander, CPP Chief Specialist Ultrasafe Security Solutions Norco, CA James P. Litchko President/CEO Litchko & Associates Kensington, MD Glen W. Kitteringham, CPP Senior Manager, Security & Life Safety Brookfield Properties Calgary, Alberta, Canada Raymond T. O Hara, CPP Senior Managing Director Vance Palm Desert, CA Dennis D. Shepp, CPP Senior Partner Shepp Johnman Inc Edmonton, Alberta, Canada Bonnie S. Michelman, CPP Director of Police and Security Massachusetts General Hospital Boston, MA Edward G. Hallen, CPP Manager, Safety & Security Services Occidental Petroleum Corporation Los Angeles, CA Kathleen L. Kiernan, Ed.D. CEO Kiernan Consulting Group Arlington, VA William J. McShane, CPP Director Affinia Hospitality New York, NY 2 Timothy L. Williams, CPP Vice President, Corporate & System Security Nortel Networks Brentwood, TN
Table of Contents Overview...7 Methods...8 Characteristics of Respondents...11 Section 1: Section 2: Section 3: Section 4: Section 5: Section 6: Section 7: The Security Industry in the United States... 13 Impacts of September 11th... 24 Impacts of Legislation... 29 Information Security... 31 Relationships with Law Enforcement... 34 Relationships with Other Business Units... 43 Emerging Trends in Security... 44 References... 51 3
Tables Table 1. Table 2. Table 3. Table 4. Table 1.1. Table 1.2. Table 1.3. Table 1.4. Table 1.5. Table 1.6. Table 1.7. Table 1.8. Table 1.9. Table 1.10. Table 1.11. Table 1.12 Table 1.13. Table 2.1. Table 2.2 Table 3.1. Table 4.1. Table 4.2. Table 4.3. Table 4.4 Characteristics of Organizations Responding to the Four Surveys. Characteristics of Responding U.S. Companies By Industry Sector (All U.S. Companies Survey). Characteristics of Security Operations in Companies Responding to the Surveys. Characteristics of Security Operations in U.S. Companies By Industry Sector (All U.S. Companies Survey). Similar Security-Related Concerns Between ASIS and non-asis Companies (percent selecting each concern among their top three). Differing Security-Related Concerns Between ASIS and non-asis Companies (percent selecting each concern among their top three). Top Three Security-Related Concerns By Industry Sector (All U.S. Companies Survey). Similar Degrees of Outsourcing Between ASIS and Non-ASIS Companies: Percent of Security Functions Contracted to Outside Firms (average percent of each service that is contracted out). Differing Degrees of Outsourcing Between ASIS and Non-ASIS Companies: Percent of Security Functions Contracted to Outside Firms (average percent of each service that is contracted out). Security Systems/Products the Company Has Purchased or Plans to Purchase (percent indicating yes). Percent of ASIS Security Services Companies Indicating That They Provide Specific Types of Security Systems and Products. ASIS Security Services Companies Expectations of Business Growth in Specific Industry Sectors Over the Next Five Years. Anticipated Changes to Company Security Budget/Revenue in the Next Fiscal Year. Annual Security Budgets Over A Four-Year Period (Company Averages). Distribution of Company Security Function Between Internal and External Providers. Position/Title of Survey Respondents. Educational Level and Security-Related Certifications. If 9/11 Affected Company Security Spending, How Was it Affected (percent indicating yes). If 9/11 Continues to Affect the Business, How is it Affected (percent indicating yes). Impact of New Statutes on Security Policies and Procedures (percent indicating moderate or major impact). Post-9/11 Information Security Measures Adopted by Companies. Internal/Insider Breaches of Information Security During the Past Year. Outsider/External Breaches of Information Security During the Past Year. Percent of Companies Implementing Information Security Projects for the Next Year. 4
Table 5.1. Table 5.2. Table 5.3. Table 5.4. Table 6.1. Percent of Respondents Indicating at Least One Company Contact Per Year With Federal, State, and Local Law Enforcement. Percent of Companies Indicating That They Have Specific Types of Security- Related Contacts With Law Enforcement. Problem Areas in Company Relationships With Law Enforcement (percent indicating moderate or serious problem). Extent of Contact Between ASIS Security Services Companies and Other (Non-Law Enforcement) Entities. Percent of Respondents Indicating Six (6) or More Security-Related Interactions Per Year With Other Company Units. Figures: Figure 1.1. Figure 1.2. Figure 1.3. Figure 1.4. Figure 1.5. Figure 2.1. Figure 2.2. Figure 2.3. Figure 2.4. Figure 4.1. Figure 5.1. Figure 5.2. Figure 5.3. Figure 5.4. Figure 5.5. Figure 5.6. Figure 7.1. Percent Likely to Expand Various Security Arrangements. Percent Likely to Invest More in Security Equipment. Percent Likely to Invest More in Contract Security Services. Percent Likely to Invest More in In-House Security Personnel/Overhead. Percent Likely to Expand An Existing Security Program. Percent Indicating That 9/11 Affected Security Spending in Their Company. Percent Indicating That 9/11 Continues to Affect Their Business. Response to Terrorism by Security Services Companies: Percent Indicating Yes. Continuing Impact of 9/11 on Security Services Companies: Percent Indicating Anticipated Increases in 2004-2005. Percent Indicating Greater Concern About Specific Information Security Threats Post-9/11. Percent Indicating Increased Contact With Law Enforcement Post-9/11. Percent of Companies Indicating Six (6) or More Contacts Per Year With Different Types of Law Enforcement Agencies. Resources Made Available to Law Enforcement By ASIS Security Services Companies: Percent Indicating Occasionally or Frequently. Percent of ASIS Security Services Companies With Established Programs With Law Enforcement Agencies. Importance of Various Relationships With Law Enforcement: Percent of ASIS Security Services Companies Indicating Moderately or Very Important. Overall Relationship With Law Enforcement: Percent Indicating Satisfactory or Very Satisfactory. Percentage of Internal and External Attacks by Type of Attacker. 5
6
ASIS Foundation Security Report: Scope and Emerging Trends Overview This study represents one of the more current works describing the present status of security within organizations throughout the United States including what impacts, if any, 9/11 has had on security measures and budgets. Prior to this study the most noted and often quoted studies on the security industry have been the Private Security Task Force study which was conducted by the National Advisory Committee on Criminal Justice Standards and Goals in 1976 and the Hallcrest I and II Reports, the first published in 1985 and the second in 1990. Since that time there have been many other narrower studies, often of particular security sectors or individual security professionals. The current study differs from these other research efforts because the unit of analysis was companies of all sizes located in the United States. An important point to note is that in the survey of companies many of the respondents had no formal affiliation with the ASIS International and would not describe themselves as full time security staff. Therefore, this study provides a picture that may, in fact, be more generalizable to security within companies located throughout the United States than studies in which the ASIS membership was used as the primary sampling frame. Over the last 30 years there has been tremendous change in the security profession, which began primarily as an industrial security function strongly influenced by the Department of Defense but has evolved to a profession that is multi-faceted and present across all types of organizations and sectors. The profession has also begun a process of self examination in the wake of the tragic events of September 11th and the formation of the Department of Homeland Security. This study provides some insights as to the initial impacts of 9/11 along with the scope of security as well as emerging trends for the security profession through four surveys used to collect data and information on security within organizations throughout the United States. 7
Methods The Four Surveys This project utilized four different nationwide surveys. Three surveys were targeted at executives responsible for security functions, while the fourth was sent to law enforcement agencies. It is important here, however, to carefullly distinguish between the four surveys, since information from them is presented throughout the study s findings. 1. All U.S. Companies Surveys were sent to a stratified random sample of almost 4,000 U.S. companies listed in nine industry sectors in Ward s Business Directory. These companies ranged from small to large. Many did not have separate security managers or security departments. The responses to this survey are most representative of the entire population of U.S. companies. The companies listed in the Ward s Business Directory are subdivided into 9 categories (sectors) of industry type based on Standard Industrial Classification (SIC) codes designated by the U.S. Department of Labor Office of Occupational Safety and Health Administration (OSHA). The sectors are as follows: Agriculture, Forestry, and Fishing Mining Construction Manufacturing Transportation, Communications, Electric, Gas, and Sanitary Services Wholesale Trade Retail Trade Finance, Insurance, and Real Estate Services 2. ASIS Companies Surveys were sent to a random sample of 339 ASIS International members identified as security managers for companies. The responses to this survey are most representative of companies that are large enough to employ professional security managers. 3. ASIS Security Services Surveys were sent to a random sample of 302 ASIS International members identified as managers of companies that provide security services (e.g., alarm companies). The responses to this survey are most representative of the security services industry. 4. Law Enforcement Surveys were sent to a random sample of 375 local U.S. law enforcement agencies, proportionately assigned as 304 municipal and 71 county. This sample was drawn from the National Public Safety Information Bureau database of over 16,000 law enforcement chief administrators. 8
Using these four national surveys and secondary data analysis, this work describes the present status of private security in the United States including what impacts, if any, 9/11 has had on practices and budgets. The research objectives were to describe: 1) The Security Industry in the United States: A description of security concerns, outsourcing of security functions, growth areas in security, purchasing of security systems and services, services provided by security services companies, and the size and economic strength of various industry sectors using the company as the unit of analysis. 2) Changes in Security Since 9/11: A comparison and contrast to changes in security pre- and post- 911 focusing on future trends and changes in security expenditures. 3) Impacts of Legislation: What, if any, impacts legislation such as the HIPAA, the Sarbanes-Oxley Act and the USA Patriot Act have had on U.S. Companies. 4) Information Security: A description of the level and type of information security that exists in various types of organizations including the number of staff dedicated to information security. 5) Relationship Between Private Security and Law Enforcement Agencies: A description of the relationship between security segments and law enforcement agencies. 6) Relationship with Other Business Units: The extent to which security interacts with other business units such as human resources, finance, operations and others to better describe how security works within an organization and the co-dependencies that exist. In addition to the survey research and secondary sources, a focus group was used to assist in the research design and identification of the research objectives referenced above. The focus group was held in September 2003, at the annual ASIS International meeting. The purpose of the focus group was to determine how the study would be conducted and to finalize the primary research objectives. Following this meeting, some members were asked to serve on the Security Study Working Group (SSWG). Throughout the study, members of this working group were asked to provide feedback on survey instruments and research methodology. All survey instruments were reviewed and approved by the ASIS SSWG. 9
Instrumentation All U.S. Companies The original survey instrument for industry sectors was made available in two forms. The first was a 41-item, self-report pen and paper survey intended to be administered by mail and accompanied by a cover letter describing the purpose and intent of the study, sponsorship of the survey, instructions, a promise of confidentiality, and notification of approval by the University Institutional Review Board. This survey was mailed to all companies identified for sample inclusion. A second, identical survey instrument was made available to all companies in the sample on the web. As a follow up to the mail and web versions of the survey, a shorter survey was used for administration by phone. That instrument included 27 items with modifications for appropriate phone delivery. ASIS Companies Because this group of members are affiliated with corporate America, they received the same surveys (paper, phone, and web) used for the industry sectors. This allowed for easy comparisons between ASIS Companies and All U.S. Companies. ASIS Security Services A different survey was created for the ASIS Security Services sample. This 37-question survey focused more on the unique aspects of their role in the security services industry. Questions consisted of economic strength, interaction with law enforcement, impact of 9/11, and legislation. The survey of ASIS Security Services was also available in web format. Law Enforcement Once again, a different survey was created for the Law Enforcement sample to focus more specifically on their relationships with corporate security and security services. The 14 questions focused on frequency and extent of contact with security, in addition to opinions on training and education for security officers. Law enforcement administrators were also able to complete the survey online. Response Rates From the very beginning of any survey research project, consideration is given to expected and desired sample sizes. Expectations for response rates must be considered within the context of response rates derived from similar survey efforts of a particular population and the specific topic of study. The final response rate for the survey of All U.S. Companies was 21.6%. According to previous studies, this rate falls within the acceptable range for surveys of the security industry. Similar response rates were seen for the survey of ASIS Security Services (20.6%) and ASIS Companies (27.9%). The Law Enforcement survey had the highest response rate at 35%. Data Analysis The data were analyzed using the Statistical Package for the Social Sciences (SPSS), version 13.0 for the PC. Many of the questions answered were measured on rank-order scales (e.g., none, minor, moderate, and major). Therefore, most of the statistical analyses involved generating frequencies, percentage distributions, and means. 10
Characteristics of Respondents The four surveys tapped the experiences and concerns of significantly different Top types Three of Security organizations (see Table 1). One difference is size. The median size of All U.S. Companies responding Concerns for all to the survey was 50 total employees, compared to a median for ASIS Companies of 950 employees. U.S. Companies: (Table 1 presents both means and medians. Because of a few very large companies in each sample that skew the means, the median is a better representation of the typical responding 1. Computer company. Network The median indicates the middle point in the distribution i.e., half of responding companies Security were bigger and half were smaller.) Clearly, ASIS Companies tend to be significantly larger 2. Liability than the Insurance normal or average company as represented by All U.S. Companies respondents. ASIS 3. Employee Security Theft Services companies also tend to be smaller; the median size of ASIS Security Services companies responding to the survey was 70 employees. Another measure of size is company revenue. The median annual company revenue for ASIS Companies responding to the survey was $51 million, compared to $4.2 million for All U.S. Companies and $3 million for ASIS Security Services companies. Table 1. Characteristics of Organizations Responding to the Four Surveys. All U.S. Companies ASIS Companies ASIS Security Services Law Enforcement Total employees range 1-200,000 1-190,000 2-5,000 1-625 Total employees mean 1,486 8,334 302 52 Total employees median 50 950 70 20 Annual company revenue (2003-2004) median $4.2 million $51.0 million $3.0 million --- Within the overall category of All U.S. Companies it is possible to examine differences between industry sectors (see Table 2). Median annual revenue was smallest for companies in the manufacturing and transportation-communication-utilities sectors and greatest for companies in the services and wholesale-retail trade sectors. Per company employment was highest in the financeinsurance-real estate sector (median of 200 employees) while the rest were in the range of 37-66 median employees. Table 2. Characteristics of Responding U.S. Companies By Industry Sector (All U.S. Companies Survey). 11
Two of the four surveys also asked about the number of security employees and annual company security budgets. ASIS Security Services companies were not asked these questions because their whole staff and budget is security-related, albeit focused on providing security services to other companies and entities. Law Enforcement agencies were not asked these questions because, given their nature, most would not employ security staff or contract with others to provide security for their own organizations, although it is true that a few large police departments use security guards for facility protection and other duties. Top 3 Security Concerns for all U.S. Companies: 1. Computer Network Security 2. Liability Insurance 3. Employee Theft Top 3 Security Concerns for ASIS Companies: The number of security employees for ASIS Companies ranged from 0-3,200 with a mean of 97 and a median of 19. The median security budget was $755,000 (see Table 3). By contrast, All U.S. Companies had 0-4,000 security employees with a mean of 35 and a median of three (3) security employees and a median security budget of just $2,000. These latter figures are somewhat distorted, though, because numerous companies indicated that they had a few security employees but no security budget. This seemed to signify that several individuals in a company might have part-time security responsibilities without the existence of any specific security budget. If means rather than medians are compared, ASIS Companies had about three times as many security employees and about six times more security dollars, compared to All U.S. Companies. Table 3. Characteristics of Security Operations in Companies Responding to the Surveys. All U.S. Companies ASIS Companies 1. Access Control 2. Property Crime 3. Terrorism and Workplace Violence Total employees with security responsibilities range Total employees with security responsibilities mean Total employees with security responsibilities median 0 4,000 35 3 0 3,200 97 19 Annual security budget (2003-2004) range $0 $55 million $90,000 $85 million Annual security budget (2003-2004) mean $1,031,309 $6,157,089 Annual security budget (2003-2004) median $2,000 $755,000 Another indication of the peripheral role played by security in the typical company (as represented by the All U.S. Companies survey) is that the modal number of employees with security-related responsibilities was zero (0) that is, the most common specific number of security employees was none. Moreover, 27.4% of All U.S. companies had either zero or one employee with securityrelated responsibilities. The individuals who completed the surveys were also asked whether security was their primary responsibility. In ASIS Companies, 78.7% of respondents indicated yes, contrasted to only 15.6% of respondents from All U.S. Companies. This would seem to indicate that in smaller companies the individual who is responsible for security almost always wears other hats, and in fact security is not their primary job. Median security employment per sector ranged from 2-6 employees and median security budgets were miniscule across all sectors (see Table 4). Survey respondents in the manufacturing and agriculture-mining-construction sectors were least likely to indicate that security was their primary responsibility (10-11%). In the other sectors, 23-29% of respondents indicated that security was their primary responsibility. 12
Table 4. Characteristics of Security Operations in U.S. Companies By Industry Sector (All U.S. Companies Survey). Manufacturing Agriculture- Mining- Construction Transportation- Communication- Utilities Wholesale- Retail Trade Finance- Insurance- Real Estate Services Total employees with security responsibilities range 0 60 0 4,000 0 83 0 150 1 200 0 2,500 Total employees with security responsibilities mean Total employees with security responsibilities median Annual security budget (2003-2004) range Annual security budget (2003-2004) mean Annual security budget (2003-2004) median 9 2 *** *** *** 30 3 $0 $1.4 million $54,086 $1,000 10 6 $0 $16.2 million $1,387,167 $6,000 9 3 $0 $2.0 million $135,329 $10,000 32 4 *** *** *** 90 3 $0 $30 million $2,724,038 $1,000 Terrorism ties with Workplace Violence as a top 3 concern for ASIS Companies. Section 1: The Security Industry in the United States 1.1 Top security-related concerns of All U.S. companies. Tables 1.1 and 1.2 provide information about the greatest security-related concerns expressed by survey respondents, who were asked to identify their top three concerns. Those concerns with similar significance for both All U.S. Companies and ASIS Companies are grouped in Table 1.1. Items on which the two categories of companies diverged substantially are presented in Table 1.2. The most frequently identified concern for All U.S. Companies was computer/network security. Concern about access control was cited most often by ASIS Companies. There was no overlap at all between the top three concerns of the two groups. The top three for All U.S. Companies were computer/network security, liability insurance, and employee theft. For ASIS Companies, the top three were access control, property crime, and a tie between workplace violence and terrorism. Interestingly, terrorism tied for third for ASIS Companies but was only 16th for All U.S. Companies. Similarly, violent crime was the 5th most commonly chosen concern of ASIS Companies but only 17th for All U.S. Companies. Table 1.1. Similar Security-Related Concerns Between ASIS and non-asis Companies (percent selecting each concern among their top three). Security-Related Concerns All U.S. Companies ASIS Companies Employee theft 26.6% 21.6% Property crime 25.4% 33.8% Information security 23.1% 14.9% Burglary 18.2% 13.5% Vandalism 14.4% 9.5% Substance abuse 14.2% 5.4% Privacy issues 7.7% 5.4% Identity theft 7.2% 9.5% Product tampering, counterfeiting, diversion 6.5% 8.1% Ethical misconduct 6.0% 4.1% White collar crime 3.5% 5.4% Corporate espionage 2.5% 2.7% 13
Table 1.2. Differing Security-Related Concerns Between ASIS and non-asis Companies (percent selecting each concern among their top three Security-Related Concerns All U.S. Companies ASIS Companies Computer/network security Liability insurance Access control Workplace violence Parking lot/garage security Terrorism Violent crime 46.5% 39.6% 12.4% 12.2% 10.4% 5.5% 5.2% 20.3% 5.4% 37.8% 27.0% 23.0% 27.0% 25.7% Proportionately, the two security-related concerns identified much more by All U.S. Companies than by ASIS Companies were liability insurance and substance abuse. From the other perspective, ASIS Companies were much more likely than All U.S. Companies to identify terrorism and violent crime as top security concerns. Among areas of general agreement, less than 10% of each group chose corporate espionage, white-collar crime, ethical misconduct, privacy issues, product tampering/ counterfeiting/diversion, and identity theft among their top three concerns. The top three security-related concerns for each of the industry sectors in the All U.S. Companies survey are presented in Table 1.3. Computer/network security was the top concern for three of the sectors and showed up in the top three for all six sectors. Liability insurance was the top concern for two sectors and rated in the top three for five of the six. Other common high-ranking concerns were property crime, employee theft, and information security. Perhaps most interesting, but not necessarily surprising, employee theft was the top concern for the wholesale/retail trade sector, substance abuse made the top group for the transportation/communication/utilities sector, and identity theft was in the top three for the finance/insurance/real estate sector. The concern for identity theft by the finance sector is understandable given the recent events of Citifinancial, a consumer finance division of Citigroup providing personal and home equity loans, which had to notify 3.9 million customers that computer tapes containing information about their accounts were missing. The missing data included customer Social Security numbers, loan account data, names and addresses. According to the Washington Post, this puts the number of U.S. consumers whose personal data having been lost or stolen, to more than 6 million in just the last six months (Jonathan Krim, Washington Post, June 7, 2005). 14
Table 1.3. Top Three Security-Related Concerns By Industry Sector (All U.S. Companies Survey). Industry Sector Agriculture-Mining-Construction Manufacturing Transportation-Communication- Utilities Wholesale-Retail Trade Finance-Insurance-Real Estate Services 1.2 Outsourcing of security functions. Top Three Security-Related Concerns Liability insurance Property crime Computer/network security Computer/network security Liability insurance Employee theft Liability insurance Property crime Computer/network security and Substance abuse (tie) Employee theft Liability insurance Computer/network security Computer/network security Information security Identity theft Computer/network security Information security Liability insurance and Property crime (tie) One common security concern exists across all industry sectors: computer/network security. Companies sometimes provide their own security functions, often referred to as Proprietary Security and sometimes these functions, in whole or in part, are contracted to outside firms providing contract security services. Tables 1.4 and 1.5 summarize survey findings on this issue for All U.S. Companies and for ASIS Companies. Table 1.4 presents security functions for which the degree of outsourcing was similar between All U.S. Companies and ASIS Companies. Among these, the functions most commonly contracted out (60%+) were alarm monitoring and substance abuse testing. By contrast, the degree of outsourcing of investigations, information services, and disaster planning/recovery was less than 20% for both categories of firms. Table 1.4 Similar Degrees of Outsourcing Between ASIS and Non-ASIS Companies: Percent of Security Functions Contracted to Outside Firms (average percent of each service that is contracted out). Alarm monitoring services Substance abuse testing Training Investigations Badging services Information services Disaster planning/recovery U.S. Companies ASIS Companies 68.9% 61.6% 18.8% 18.7% 15.1% 12.1% 10.9% 68.0% 60.5% 26.8% 17.2% 22.4% 12.1% 15.8% 60% of All U.S. Companies and ASIS Companies contract out Alarm Monitoring and Substance Abuse Testing 15
Table 1.5 identifies the security functions for which the difference in the degree of outsourcing was greater than 10% between the two groups of firms. ASIS Companies outsourced armored courier services, shredding, off-site record storage, systems integration, and security engineering twice as much or more than All U.S. Companies. Only computer security was substantially more likely to be contracted out by All U.S. Companies compared to ASIS Companies. Table 1.5. Differing Degrees of Outsourcing Between ASIS and Non-ASIS Companies: Percent of Security Functions Contracted to Outside Firms (average percent of each service that is contracted out). Outsourcing of guard services is ranked 7th by both All U.S. Companies and ASIS Companies. ASIS Companies are much more likely than All U.S. Companies to expand security, with 80% saying they will invest more in security equipment and programs in the upcoming year. Security Functions All U.S. Companies ASIS Companies Alarm installation/maintenance/repair Background investigations Pre-employment/psychological testing Computer security Guard services Shredding Off-site record storage Systems integration services Armored courier services Security engineering 69.4% 43.8% 34.0% 31.6% 30.3% 25.0% 21.8% 18.0% 14.4% 9.7% 85.4% 62.4% 47.8% 12.5% 49.1% 63.2% 48.7% 38.2% 63.8% 22.8% Looking at the information in the two tables together, the security functions outsourced to the greatest degree were alarm installation/maintenance/repair, alarm monitoring, substance abuse testing, and background investigations. These are security functions that most companies need, regardless of size, and ones that are specialized enough to be logical candidates for contracting out. Other functions like training and investigations are universally needed too, but can often be provided in-house even by smaller companies. Those security functions that were outsourced to a greater degree by ASIS Companies probably fall into two categories. Some functions, such as shredding and off-site storage, are substantially more burdensome for bigger companies, and thus more susceptible to contracting out to other firms that have specialized equipment or facilities for those purposes. In other words, all companies do some shredding, but shredding for a big company is a big enough job to outsource. Other security functions are actually more likely to be needed by bigger companies, and thus probably more likely to be both contracted out and provided in-house. An example of this would be guard services. The information in Table 1.5 might seem to imply that non-asis companies are more likely to provide in-house guard services, because their degree of outsourcing is lower than for ASIS Companies. However, it is more likely that All U.S. Companies may be less likely to have any guards at all, because many of these firms are rather small. 1.3 Growth areas in company security. Respondents were asked about likely expansions in various security arrangements over the upcoming year. As Figure 1.1 indicates, ASIS Companies were much more likely than All U.S. Companies to anticipate security expansion. Over 80% of ASIS Companies said it was likely or very likely that they would invest more in security equipment and expand existing security programs, compared to 35% of All U.S. Companies. Compared to purchasing equipment and expanding existing programs, both groups indicated that it was less likely that they would be increasing in-house security personnel or investing more in contract security services. Given the choice between these two options, though, ASIS Companies were about twice as likely to favor in-house personnel increases over contract guard increases, and All U.S. Companies indicated a three-fold preference for increased in-house personnel over increased contract guard services. 16
Invest more in security equipment Figure 1.1. Percent Likely to Expand Various Security Arrangements 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Wholesale/ Retail Trade Companies were least likely to increase spending on security equipment. Invest more in contract security services Invest more in in-house security personnel/overhead Expand an existing security program All U.S. Companies ASIS Companies Among All U.S. Companies (see Figures 1.2-1.5), those in the Finance/Insurance/Real Estate sector were especially likely to anticipate increased investments in security equipment and expansions in existing security programs. Wholesale/Retail Trade companies were least likely to expect increased spending on security equipment, while Manufacturing companies were least likely to anticipate expanding existing security programs. Figure 1.2. Percent Likely to Invest More in Security Equipment 0% 20% 40% 60% 80% 100% Ag/Mining/Const Manufacturing Trans/Comm/Utilities Whole/Retail Trade Fin/Ins/Real Estate Services Fewer respondents indicated that they anticipated cut-backs over the next year in any of these areas. Among All U.S. Companies, only 5-7% expected reductions in equipment spending, contract guard services, and in-house security personnel. The comparable figures for ASIS Companies were 8-12%. Less than 5% of each group anticipated cut-backs in existing security programs. 17
Finance / Insurance and Real Estate is much more likely than any other sector to increase investments in security equipment, services, and personnel. Figure 1.3. Percent Likely to Invest More in Contract Security Services Ag/Mining/Const Manufacturing Trans/Comm/Utilities Whole/Retail Trade 0% 20% 40% 60% 80% 100% Fin/Ins/Real Estate Services Figure 1.4. Percent Likely to Invest More in In-House Security Personnel/Overhead 0% 20% 40% 60% 80% 100% Ag/Mining/Const Manufacturing Trans/Comm/Utilities Whole/Retail Trade Fin/Ins/Real Estate Services Figure 1.5. Percent Likely to Expand An Existing Security Program 0% 20% 40% 60% 80% 100% Ag/Mining/Const Manufacturing Trans/Comm/Utilities Whole/Retail Trade Fin/Ins/Real Estate Services 18