A new comprehensive report prepared jointly by ASIS International and the Institute of Finance and Management provides the first big-picture look at the industry in more than 25 years.
Compared to a decade ago, three times as many top security leaders (24 percent) in the United States report directly to the CEO. Despite that progress, at organizations with a formalized risk-analysis process, security was not given a seat at the table from the beginning of that process 41 percent of the time. Those are some of the striking findings in a new study of the U.S. security industry.
Globalization, coupled with an increasingly challenging threat environment for U.S. businesses, has put security in the headlines with growing frequency, especially since the September 11, 2001, terrorist attacks. Yet there has not been a major study of the scope and size of the security industry in more than three decades. To shed some light on this important issue, ASIS International collaborated with the Institute of Finance & Management (IOFM). Over the past year, the organizations gathered data about the industry through a combination of joint original research and analysis of various existing studies. The result of those efforts is “The United States Security Industry: Size and Scope, Insights, Trends, and Data.”
Because the report takes the long view, it supplements its original research by with data from studies dating back several years that include projections well into the future. The report offers some caveats—including that much security spending is hard to quantify or crosses over into other sectors, such as business continuity and fire/life-safety and is, therefore, not included. But it takes on the difficult task of extrapolating from available data and trying to put some numbers to what can be quantified.
Chief among the top line number findings is that the U.S. security market, inclusive of operational and IT security, is about $351 billion—$282 billion of which is the private sector and $69 billion of which is federal government spending on homeland security. Homeland security spending is expected to grow at about 4 to 5 percent annually to 2020.
As for the remaining $282 billion, $202 billion is operational security, inclusive of physical and other broader traditional aspects of private security (comprising $39 billion for equipment, $141 billion for security services, and $22 billion for administrative costs) and $80 billion is IT-related (of which $29 billion is equipment, $22 billion is services, and $29 billion is administrative). The operational/physical security market is expected to grow about 5.5 percent in 2013, while IT is expected to grow about 9 percent.
The operational products and equipment market was estimated at $39 billion for 2012, up from about $12 billion in 1990. Current annual growth is projected to be around 6.6 percent—a bit lower than the rate of annual 7.1 percent from a decade ago. Growth will be strongest in basic systems, such as access control, alarms, and especially surveillance—on which 65 percent of organizations surveyed said they would spend more in 2013.
Networked cameras open up other opportunities, such as for remote centralized monitoring, which 38 percent of companies indicated they had done and which one of the analyzed IOFM studies found was the strategy that most outperformed expectations.
In terms of organizational budgets, 48 percent of organization polled said that they had increased their operational security budget in 2012 and 45 percent planned increases in 2013; for IT, those numbers were 41 percent and 33 percent, respectively. Operational budgets are rising fastest for businesses in arts, entertainment, and recreation; finance and insurance; and professional, scientific, and technical services. As to how much those budgets are rising, the median budget growth in 2013 for those sectors is expected to exceed 13 percent. Even so, nearly 40 percent of security executives feel that they don’t have the resources they need. Especially beleaguered are those in education, healthcare, and manufacturing organizations. On the plus side, however, the percentage of security executives who say that they do have adequate funding has been trending upward since 2005.
Nearly all organizations planned to spend the same or more on IT security in 2013, but the largest organizations were the least likely to have plans for increased spending.
In terms of the amount spent on private sector security services, one interesting finding was that training and maintenance costs are higher for IT relative to the total size of the budget. The total IT budget is $13 billion, while training is $1.72 billion and repair/maintenance is $7.31 billion. For operational security services, the total budget is $134 billion, while training is $1.65 billion and repair/maintenance is $4.75 billion. Those costs are headed up more than any other service sector—about 58 percent of those polled expected to spend more on maintenance in 2013.
Some areas of security services are poised for strong growth. For example, 42 percent of respondents indicated that spending would rise on training in 2013, with 12 percent anticipating increases of 10 percent or more. Spending on guard services was projected to increase at 41 percent of companies in 2013, but 43 percent anticipated no change and 16 percent expected cuts. By contrast with the plans on IT spending, it was the largest firms that more often (63 percent) anticipated more spending on contract officers. Spending on employee screening services was projected to increase at 36 percent of organizations in 2013.
Other segments of the service industry may see less growth. For example, 85 percent of those polled said they would hold spending on integration services level in 2013, 5 percentage points more than in 2012; 76 percent of those polled expected not to change the level of spending on alarm system monitoring/response in 2013; and 62 percent had no intention to spend more on consulting, planning, and management services in 2013. Fewer than one-third anticipate increased spending in this area, but even fewer than that (22 percent) expect to spend more on alarm monitoring/response. Still, that’s an improvement over the 2012 numbers and could signify the beginning of an upward trend as the economy continues to improve.
While 9-11 was a seminal event in terms of government funding for and attitudes toward homeland security, it did not have a substantial effect on the levels of private security personnel employed long term. After an initial increase, the levels dropped back to what they would have been absent those attacks, according to Bureau of Labor Statistics numbers.
The size of the market as measured in full-time security workers (FTEs) is estimated at between 1.75 and 1.94 million in the United States. The number includes any individuals a company counts as security personnel, whether contract or proprietary (more than half are contract), but it does not include people who work in the industry in support functions, such as a marketing person for a CCTV manufacturer. About 20 percent are senior and executive management.
As might be expected, the largest percentage (70 percent) are security officers, of whom slightly more than one-fourth are armed. Within this category are not only security officers/guards but also armored car guards and gaming surveillance officers. The first category (guards) will grow the most, at 19 percent, through 2020, while gaming surveillance officer positions are expected to grow by 9 percent.
But those looking for a career in security may want to take note that private detective/investigator is expected to be one of the fastest growing of all occupations, with growth of 21 percent projected through 2020. The only other area where growth of that level is expected is in IT, where it is difficult to break out the security positions, but the positions of IT analyst and related IT Web and network positions anticipate growth of 22 percent through 2020. Among the employers expected to be hiring are government and healthcare.
With regard to the top security executive, the report finds, not surprisingly, that the worldwide recession had an impact on professional growth prospects because jobs became scarcer, and competition tougher, which also led to less leverage in salary negotiations and slower growth in compensation. “After years of aggressive salary gains, large annual raises (6 percent or more in the past) have become exceedingly rare,” notes the report. But those who do get and retain these top spots are more educated than they used to be, with 37 percent holding a master’s degree—up 300 percent since 2001. And that’s reflected in their total compensation package, which at a large company can range from $215,000 to as high as $400,000, though the industry average is a more earthbound $155,000. By contrast, the average salary for a chief information security officer is $170,000.
Management structure. The report also looks at how departments are structured, reporting lines, how organizations address enterprise risk, and related issues. For example, it notes that in the year 2000, many experts predicted that IT and physical/traditional/operational security would merge. In fact, only about 7 percent of those polled said that has happened, with another 5 percent indicating that they are working on integrating those functions. However, “more than half of organizations are using a risk council or similar advisory group to facilitate risk management,” not just between IT and operational security but among all risk-management stakeholders.
Other findings in the report aren’t just about the numbers. For example, it notes that the growing value companies place on intangible assets, such as intellectual property and brand reputation has to lead to a shift in the focus of security. “The effectiveness of corporate security today depends significantly on how well companies manage this shift from securing hard assets to protecting intangible aspects of company value,” the report says. For example, the report finds that brand protection is the number one reason CEOs care about security incidents.
Security also has to adapt to a mobile workforce, notes the report. It is now less about providing a physically secure location and more about “addressing risks when the company has little or no control over the location itself.” That means making employees aware, providing tools, and getting them to take some responsibility for assisting with the security mission.
Similarly, a company has to get its external business associates, partners, and providers along their supply chain to accept shared responsibility for the company’s security, because any weak link in this chain of dependencies can lead to catastrophic failure should a tsunami-like event occur. And yet, a 2010 IOFM survey found that fewer than half of large companies made sure suppliers had business continuity plans.
The report also notes that “technology and devices are making great leaps in capabilities but most security executives still evaluate them the same way.“ While that’s okay for some simple systems, like turnstiles, “security software should perhaps now be viewed in a more strategic fashion...[and] security strategy should now be examined in conjunction with the capabilities of technology,“ the report states.
Another issue addressed in the report is how to assess the real value of cutting-edge technologies, such as camera analytics and biometrics when they are found to be less impressive than the PR. Though they don’t live up to the initial hype, they can prove to be genuinely useful once soberly evaluated and realistically implemented, those interviewed for the report note. But, the report cautions that “organizations should not take the effectiveness of electronic security systems for granted,” Properly training staff and monitoring systems for performance is critical.
And then there is the issue of how to communicate security’s value. In many cases, security continues to be plagued by a view that it is a cost center or a necessary evil. That relates to two core challenges that security department heads face, according to the report: the need to better align security goals with business goals and the need to better document security performance. With regard to the latter, some progress has been made. For example, the report notes that use of quantitative security performance metrics, once rare, has grown more common, with one-third of companies reporting that they have extensive metrics programs. And those departments that have good measurement systems have been found in IOFM studies to be twice as likely to have their strategic value recognized. However, “the effort to forge performance metrics that reliably apply across the profession is still in its infancy,” states the report.
Measuring security’s performance is not the primary issue, however. The bigger question is what should security be doing in the first place, which gets to the first of the core challenges--aligning with business goals. To answer that question security department heads must be able to properly assess the company’s vulnerabilities in conjunction with other departments and in the context of macro business trends (such as offshoring), management’s goals, and the company’s appetite for risk, and then use that information to formulate and present security solutions with a clear return-on-investment plan. The report notes, for example, that there is a greater demand for proof of payback than three years ago.
But as important or more so, the report states, “the goal of more sophisticated security accounting should not be to ’sell’ senior management on the idea that all security spending is wise, but rather to more accurately describe the value of security spending versus the cost of residual risk.”
The ultimate goal is to make sure that corporate leaders are presented with the information they need to make an informed decision about which risks to counter and which to tolerate or insure against. Thus, notes the report, “a truly strategic look at a security issue...will occasionally yield a recommendation for doing nothing.”
Ultimately, chief security officers--like all species--must adapt or die. As the report notes, “if top security leaders fail to promote a more business-like, strategic risk management approach to security, then the strategic thinking will be handed to others.”
(To get the full report, contact ASIS Customer Service at 703/519-6200)