How does risk influence buying decisions for security?

Risk should always be the central question when it comes to buying security! Before you look at the potential technology or the cost, understanding the risk factor for any project or installation is key.  Every location is different and faces a unique set of risks, so it is important to ensure you understand these before looking for the right solution. Once the risk factors have been properly assessed this should be at the forefront of the decision criteria, so you can properly consider the adoption of the best technologies and the choice of security providers.

In the physical security market, the concept of risk greatly influences buying decisions. Organisations invest in physical security measures when they perceive a higher level of risk or threat to their employees, infrastructure, or assets. However, relying solely on perceived risk may not be ideal as it may not accurately reflect the actual risk or threat level. Perceived risk is subjective and can be influenced by a number of factors. A buyer's perception of risk can be higher or lower than the actual risk level, resulting in an inefficient allocation of resources. To make informed decisions, security leaders should conduct a thorough risk assessment to identify the level of risk and potential threats. By considering objective factors such as the likelihood of threats and potential consequences of security breaches, buyers can make smarter investments in measures that are appropriate and proportional to the actual risk level. 

At its core, taking a risk-based approach to buying decisions means that the security buyer understands the key exposures of the business, has quantified, and assessed the impact of those exposures, and has determined the operational or technical tools best equipped to mitigate against them. For example, there is minimal value in spending a significant budget on a complex travel intelligence and tracking tool at a company with 98% domestic travel to low-risk locations, whereas companies entering new, often volatile global markets will want to prioritise spending for that exact purpose. Organisations that recognise the importance of duty-of-care know that it is their obligation to mitigate against reasonably foreseeable risks, so buying decisions should be made aligned with those pre-determined and agreed-upon risks and not on tools or services that, while they may seem flashy or “standard” in the industry, do not actually address the specific needs of the business. Sophisticated buyers will first ask themselves “What is the likelihood and impact of this threat event occurring?” and prioritise their spending based on that conclusion. 

Managing and mitigating risks to their business, employees, and executives is critical to a corporate security team’s role. Effective risk mitigation means teams constantly identify and analyse potential threats to their organisation and create and administer effective strategies to mitigate, avoid, transfer, or accept each risk. Because of this, security teams utilise technology solutions that can help to collect intelligence on potential threats to manage risks, increase efficiency, and better protect their organisation. It also means security teams must demonstrate their value and the multiplying effects that a technology-enhanced strategy brings (time, efficiency, reporting, prompter investigations, connected information, etc.) to mitigate business risks and improve decision support. The threat landscape is dynamic; technology assists security teams in mitigating risks to their organisation and is a tremendous factor in a buying decision. 

In the QSR (Quick Serve Restaurant) space we have seen an uptick in physical safety risks to employees and customers from harassment and violence. In certain urban environments, the risk becomes a wholesale inability to run the business. Major QSR brands can be located just steps away from mini-tent cities where drug use, violence, and general desperation bring panhandling, outbursts in dining rooms, and provocation in the drive-thru. Instead of focusing solely on the business, employees must police the premises. It’s not uncommon to see high turnover and employees refusing to show up to work. Some businesses have resorted to security guards, but costs can be prohibitive, and the service is not always reliable. Many QSRs are turning to virtual guard interactive remote video monitoring solutions. This can include tours to clear areas of vagrants, escorting employees to and from vehicles, and responding instantly to issues without waiting on police at a fraction of the cost. 

For years, the primary motivation for selecting a security system has been risk mitigation. While this still plays a significant role in the decision process, organisations are starting to see how security systems can be more than a risk mitigation tool. With the rise of data analytics, physical security systems are now being seen as more than just a tool to respond to threats or a necessary expense to keep assets and people safe. Physical security systems are becoming key to the digital transformation of organisational processes. Data from these systems can highlight pain points, streamline processes, and improve the guest experience. When this data is in one unified platform, it can be analysed more accurately so companies realise important cost savings and operational efficiencies. Now, security departments are not only mitigating risks, but they are also becoming central players in their organisations’ strategic planning. 

To get the most out of limited security dollars and resources, companies must first identify their biggest risks. Those risks are often closely connected to the areas most critical to financial success (e.g., transaction systems or storage of critical intellectual property). If intellectual property is a key asset, solutions guarding against intrusion and detecting east-west traffic anomalies are critical. If processing high volumes of transactions is critical, then distributed denial-of-service (DDoS) protection and strong identity and access management will likely be prioritised. Of course, your biggest risks today might not be the same as the ones you will face tomorrow. As sectors and technologies evolve, businesses must constantly re-evaluate vulnerabilities and mitigation. Consider automobile manufacturers: They used to focus on securing transactions across the supply chain, but now each car is a moving point of presence that is vulnerable to attack and in need of protection. Understanding how your risk changes as sectors and technologies evolve is essential. 

In considering the risks of a big purchasing decision, it is important to determine the Total Cost of Ownership (TCO) of the investment. Strategic buyers who adopt a TCO mindset understand the importance of looking closely at the long-term commitment and costs associated with procuring, deploying, and operating a system throughout its lifetime versus only focusing on the upfront investment price. In taking the time to evaluate TCO, buyers are better positioned to make informed decisions when comparing and ultimately purchasing systems. TCO takes into account many factors, including risk management considerations, the probability of various scenarios, and potential negative impacts. It also allows buyers the opportunity to understand a manufacturer’s level of expertise and how they will operate as a strategic partner to aid in overall success. This upfront due diligence uncovers and mitigates the cost of unforeseen risks so strategic buyers can feel confident in their purchasing decisions. 

Buyers are constantly trying to balance risk mitigation and the cost of new or enhanced systems. Most often, risk and managing perceived risk is what drives buyers’ decisions; however, they often find themselves having to weigh the most pressing security threat to determine which systems to purchase given the overall cost. When budgets are tighter, security teams need to strategically pick what security systems to invest in. Cloud-based integrated security systems especially those that integrate multiple products and solutions into a single platform are increasingly becoming the go-to solutions for companies who are looking to do the most with the budgets available to them.

The concept of risk plays a crucial role in buying decisions within the security market. Insecurity, the perceived or actual risk of harm or loss, drives organisations and individuals to invest in security measures to mitigate potential threats. Risk assessment is highly subjective on both the buyer's and seller's part, which is why risk management is so important. Buyers assess the risk landscape and consider their assets' value and vulnerability, such as property, data, and human safety. They then evaluate which security systems and solutions best meet their needs while within budget constraints. On the other hand, security vendors must consider risk when marketing their products and services. They need to understand their clients' priorities and concerns and use effective communication to explain how their solutions can mitigate risk and protect their assets. Overall, the concept of risk is a driving force within the security market, influencing buying decisions and shaping the industry's direction.

Risk always drives buying decisions, but the concept of risk varies greatly depending on the business and experience of those involved in system design. As an example, for retail and restaurants, it’s common to want to install the cheapest system available, because it’s considered a checkbox expense. Security system installed. Risk mitigated. Check. But that short-sightedness can come back to haunt them should they need to protect themselves from a slip-and-fall lawsuit if the business is found liable. A cheap video system that lacks sufficient resolution to identify the persons involved won’t stand up in court. A higher-quality AI-based video surveillance system could pay for itself often if the event and the “inebriated” defendant are visible. It’s important for businesses to not just consider the classic after-hours risk, but also what happens when customers, parking lots, and common areas are busy with customers. 

The avoidance of risk is a primary theme in today’s complicated market. Companies are sending increasingly complicated vendor risk management questionnaires as part of the evaluation of security solutions. Unfortunately, these are often sent blindly by the purchaser without a thoughtful examination of the risks associated with how a given vendor will be storing, processing, or transmitting the organisation’s data. This behavior is converging with a buzzword bingo of requesting proof of third-party certifications like ISO 2700, SOC 2, and FedRAMP, but again, this is often treated as a check-the-box exercise. Smart organisations know how to consider the exposure of their data to a vendor as well as requesting copies of the auditor’s reports to effectively assess the risk of doing business qualitatively with a given vendor before starting contractual negotiations.