Having spent 10 years in the outsourced staffing industry, I have found that people were often surprised to learn that the outsourced workforce did everything from bubble-pack lug nuts in West Virginia, to build centrifuges in the Middle East. Across the majority of industries – and likely markets as well – outsourced staffing solutions are employed to address a wide spectrum of business solutions. And one of them is corporate security.
Who outsources security risk management? It depends.
As experienced security risk management advisors, my colleagues and I often encounter widely varying approaches to corporate security departmental structures, alignments, and organizations.
- One global $10 billion company currently operates with an Executive Vice President for security with a 10-member staff.
- In contrast, another global $10 billion company employs a Security Director with a 100-member staff.
Same risk tolerance. Same industry. Same workforce. Same global footprint. So what are the variables that drive the difference? I started to make a list – and it kept growing and growing.
Too large, too small, or somewhere in between?
First, security organizations are subject to very different mandates from the business – with respect to identifying, managing and mitigating risk. Sometimes these programs fit neatly into the organizational structure, are championed at the executive level, and are expected to build and sustain strong in-house capabilities with limited external support. Others are much more modest – and, for many reasons, may restrict their primary focus to just a few traditional areas – such as investigations and physical security.
In general, these two approaches can help explain a wide variance in cost and headcount. And don’t forget to factor in differences in C-suite culture and preferences.
Get the scope right
At minimum, factors such as risk awareness, appetite and tolerance should define the scope and scale of your security program. As security leaders, our obligation is to help define the parameters of business-enabling capabilities. The decision that a business opportunity is “too risky” to pursue should be made with input from many different executive stakeholders. This is where the business opportunity team, including the project owner and representatives from departments associated with finance, law, risk, security and marketing, can really analyze the merits and drawbacks of pursuing an opportunity.
Build it or buy it?
Should you build in-house security programs with the ability to provide support directly to all internal and external customers? Or should you engage the right outside resources? I walked into a CEO office one day and saw a plaque on the wall memorializing the famous quote by Hunter Thompson: “Faster, Faster, Faster. Until the thrill of speed overcomes the fear of death.” If security leadership is committed to building the internal infrastructure to align with that perceived level of risk tolerance, the security budget may need to be doubled!
High-risk scenarios or unique opportunities demand specialized talent to assess, manage, and mitigate the risks. Outsourcing the solution team is the logical decision. You don’t want to attach that expense to legacy security costs if higher risk specialized business ventures are sporadic and uncommon. I’m familiar with a consumer goods company in California with 550 personnel among whom approximately 520 are outsourced. (In fact, if your’re interested, read our case study, “Engaging an ‘Outsourced CSO – and Establishing an Actionable Security Strategy.”)
Look inside first to see if you have the skillsets, time, and expertise to take on the workload. If not – look outside for a solution.