Investing in Your Security: Why the ‘soft’ costs of security systems can hit hard
In this third in our five part series of articles on investing in security systems, we look at the not-so-quantifiable ‘soft’ cost factors that you should consider when assessing Total Cost of Ownership (TCO).
In our previous article we looked at the ‘hard’ dollar costs of TCO. In this article, we introduce the difficult to quantify but no less critical ‘soft’ costs – the potential costs incurred by an organisation as a consequence of security system downtime or failure. Calculating TCO is by no means an exact science, but it’s an important one.
In addition to the hard costs there exist a host of other potential costs that are by their nature difficult to account for. These are the so-called ‘soft’ operating costs associated with system failure, downtime and repair, unanticipated inefficiencies, and early obsolescence, which are the downstream consequences of poor product selection, substandard maintenance, inadequate asset management practices, and neglect.
It’s a little ironic, as ‘soft costs’ is something of a misnomer – the more critical security is to your organisation, the more vulnerable it is to the soft costs of things going wrong. Despite being incredibly difficult to quantify, these costs can pose significant financial and disruption downsides to an organisation.
Examples of soft costs generally include the potential costs incurred as a consequence of system downtime/failure, such as asset losses (due to a system’s failure to prevent a security breach), lost productivity, additional personnel costs (such as temporary security guarding), and business disruption. Other hidden costs may include damage to staff morale, administrative – and potentially litigation – costs stemming from contractual or performance issues, and reputational damage.
While they’re difficult to quantify, the risk of incurring potential soft costs can be mitigated. Adhering to robust solution selection and procurement practices, working with reputable security partners and suppliers of quality components and solutions, strong supply chain and asset management, and proactive maintenance practices can all play a role in minimising potential soft costs.
“When calculating TCO, it’s imperative that you account not only for the anticipated hard costs but also for the extent to which a solution exposes your organisation to potential soft costs,” says Mark Lloyd. “This is essentially an exercise in downstream risk management.”
The following is our shortlist of ‘soft’ cost factors placed into corresponding categories:
Loss & Damage Costs are easy enough to account for after a breach, but the costs of potential future breaches are notoriously difficult to model (jump to the next article in this series for some ideas). Needless to say, any loss from a breach made possible due to security system failure (as opposed to a breach that occurs despite the existence of a well-operating system) is a loss that a Board or executive team really should be making the right decisions to avoid.
Disruption Costs are the consequential organisational costs that flow from a security breach, any loss of productivity and staff morale, as well as the cost of any additional work created by the failure, such as additional administrative or contract management resourcing.
The cost factor category in the above table that you may have been surprised to see is Opportunity Costs. In terms of a security system solution, opportunity cost is the unrealised value you would have derived from an alternative security solution if you hadn’t selected the one you did. It’s what you missed out on in order to get what you got.
Opportunity costs may include any unrealised value – from the financial savings you would have gained from a comparatively efficient alternative solution to the customers you would have retained if you had selected a more effective alternative solution capable of protecting you from a reputationally damaging breach.
According to UCLA Associate Professor of Marketing and Behavioural Decision-Making Stephen Spiller, “consumers should incorporate opportunity costs into every decision they make, yet behavioural research suggests that consumers consider them rarely, if at all.” Economists refer to this as ‘opportunity cost neglect’.
Opportunity cost neglect is essentially the act of making a bad purchase choice as a result of failing to consider the alternatives – a big (and often cited) procurement risk. The obvious mitigation to this risk is to ensure your procurement team actively considers multiple distinct alternative solutions (including their TCOs) as part of its approach to the market.
“Procurement processes are a golden opportunity to meaningfully survey the range of solutions that are out there,” says Mark Lloyd, “but all too often purchasing decisions are driven by professional biases, conventional wisdom and, quite frankly, a failure to link security system requirements with emerging technology trends, future security needs, and the strategic goals of the organisation beyond security.”
In our next article in this series, we’ll explore the Return on Investment (ROI) factors that can not only mitigate the cost impost of a security solution but also turn it into a business value-add. A high-performing security system that pays its way by preventing loss and harm from security breaches and also achieves business outcomes beyond its primary security remit – and does so while remaining adaptable to new technologies and emerging threats – can deliver significant value to an organisation.
In the meantime, if you’d like to find out more about how Optic Security Group can manage your security risks through solutions that tick the TCO box, please get in touch with us.