1995 Survey of Fortune 500 and Service 500 Companies
A 1995 survey of corporate security directors of Fortune 500 and Fortune Service 500 companies has generated revealing summary information on security practices and operations. Responses were obtained from 146 companies, and there were adequate numbers of responses to make comparisons between the industry segments: utilities, diversified financial, life insurance, retailing, diversified services, commercial banking, savings institutions, transportation, chemicals, electronics/electronic equipment, and petroleum refining.

Company Characteristics
Companies participating in the study varied greatly from each other, and these differences as well as the nature of the business (for example, banking, retail, automotive) may explain differences in security activities.

Responding companies employed up to 634,000 people, averaging just under 32,000 employees. The companies carry out operations in a widely varying number of facilities or sites, ranging from just 2 to 8,000. The range in sites demonstrates the very different contexts in which security directors maintain security, with retailers, utilities, and banking institutions often operating in 1000 or more sites. Approximately 38% had fewer than 100 sites, while nearly 80% had fewer than 500. Most (92%) of responding security directors had security oversight responsibilities in all company facilities. Forty-one percent of companies operate in one country other than the U.S., 47% in between 2 and 130 countries, 38.4% in more than 10 countries, and 4% just in the U.S.

Characteristics of Security Departments
Companies spent from $77,000 to $43,400,000 per year for security budgets, and employed an average of nine security management staff members. The ratio of company employees to security staff members ranged from 175:1 to 75,000:1.

Most often, the security director reported to a senior vice president (38.7%) or vice president (26.4%), but in other cases, to the general manager, CEO, controller, chief internal auditor, or finance officer.

Over 60% of the security directors characterized their security operations as centralized.

Security Activities and Strategy
The security directors were asked to indicate if their departments had primary responsibility for each of six different areas. The largest proportion of security departments had responsibility for investigation of crimes, and the next largest for crisis management (see Figure 1). Twenty or fewer of the 146 companies locate primary responsibility in the security department for each of the following: information systems security, employee background checks, disaster preparation, emergency preparedness.

It is apparent that in most of the corporations, prevention and response to security threats are the responsibility of functions other than a security department.

The directors also rated the importance of a number of specific activities in their overall security strategy. They differ in their emphasis on each of seven general areas:

1. The individual employee/loss prevention strategy involves emphasis on work with individual employees (background checks, promotion of job satisfaction and commitment to the company), and activities related to analysis and planning as they pertain to security, for example, business impact analysis and loss prevention.Security executives who emphasize activities focused on individual employees also tended to consider loss prevention approaches as important in their security strategy.
2. Detection and response to crimes like fraud and violence, through such activities as employee awareness programs and investigations
3. Personal protection of executives and other employees, both when traveling and at other times
4. Prevention of and response to social problems, including sexual harassment and substance abuse
5. Prediction and tracking of threats to security
6. Disaster and crisis preparation and management
7. Physical security

The type of activity rated as most important in the security strategy is physical security (with an average rating of 4.4 on a scale from 1 to 5), followed by prediction and tracking of security threats (4.0) and disaster and crisis preparation and management (4.0).

Security directors also rated the importance of five additional activities in the security strategy: 1) information systems security; 2) patent enforcement; 3) protecting trade secrets; 4) protecting competitive data; and 5) guard force management. Among these activities, guard force management was rated as the most important, followed by information systems security.

It is important to recognize that many security directors emphasize more than one of the general areas in their strategies. Thus, a security executive might emphasize some combination, for example, the prediction and tracking of threats to security and preparation for and management of disasters and crises and mapping and evaluation of the security process.

Security's Integration into the Corporation
Security directors reported on the integration of security strategic plans with overall company strategic plans, and on the integration of the security department mission with the broader corporate mission. Retail, commercial banking, and savings companies reported the greatest integration of corporate and security strategic plans, and utilities the least (Figure 2). Utilities also reported the least integration of the security department mission and the corporate mission (Figure 3).

Security's Influence Within the Corporation
For several areas of decision making, security directors felt that if they had influence in one area, they had influence in all.

These areas were:

Security directors in several types of companies felt that they had quite a bit of influence on many different kinds of decisions within the corporation. However, the average ratings for amount of influence were relatively low for retail and commercial banking companies (See Figure 4).

The reported level of influence on decisions about travel protocol was not connected to reports about other decisions. The highest average reports of influence on decisions about travel protocol were found for chemical, petroleum refining, and retail companies and the lowest for life insurance and savings institutions. This finding may be a result of the frequency and the areas of travel in these industry segments (See Figure 5).

Security's Relationship In the Corporation
Security directors felt they were most closely allied with the legal departments in their corporations, but they also felt there was considerable alliance with several other departments and people, including top level management, human resources, administration, communications, health and safety, facilities management, operations management, and internal audit. They felt least allied with marketing, corporate planning, logistics, and quality functions.

Impact of Security
Figure 6 compares security director estimates of the proportion of incidents that are known as opposed to being undetected or unreported for different kinds of incidents. On the average, security directors estimate that they know about 77% of disasters and 72% of workplace violence incidents occurring in the corporation. However, the average estimate is under one-third for incidents of loss of intellectual property (29%), and negligent hiring practices (32%). They also report that they know of less than half of the incidents of telecommunications compromise and information systems compromise.

Security directors felt that security had strong positive effects on each of the four business outcomes:

However, they also say that while top corporate management sees that security has a positive effect in each area, they do not see as much effect as do the security directors (Figure 7).