Security Management: The Basics
by Dr Chris Flaherty
The 2008 economic crisis has forced significant cost cutting in the UK, as elsewhere. Most, if not all, organisations, have had to critically analyse their capital and operating expenditure.
The post 9/11 period has created an environment within some organisations where security expenditure and the development of the security function has grown at a significantly faster rate than other functions within the business.
Consequently, once contraction starts the question gets asked – can the security budget be cut?
The answer depends upon an organisation’s philosophy towards the security function and where they are on the path of Security Transformation.
If an organisation operates in the old, threat assessment-based paradigm, then security expenditure will be solely for the purposes of physical asset protection (and will be driven by threat assessments). In which case, the removal of a guard from a location that results in the loss of an asset would demonstrate a direct link and justification for retaining the guard based on a very simple cost-benefit equation.
However, most organisations have security management embedded in their ongoing business continuity framework; and driven by resilience strategies these businesses are highly integrated and technology-dependant. In these types of business, security management fundamentally:
- Has a requirement to be agile and responsive to the environment, as well as sufficiently open to enable the business to adapt and grow; and
- Must also evolve and respond, as it cannot afford to remain static or constrained by overly protectionist programs.
For many organisations, their security program has evolved from a relatively simple function based on a single security task and need. Transformation has led to operational requirement, and a pervasive function covering all business elements and locations. The skills, experience and sophistication of an organisation’s security management arrangements must also evolve with this change.
Management of the security function is not only about the direct management of security operations (manpower and technology) but also the management of the way in which this program is integrated into the organisation – its relationship to enabling processes, business units and management structures, as well as all supporting functions.
Security is seen by many people as the application of security manpower (guards) to control people or protect assets. However, there is also the crucial issues of recruitment, skill level, personnel, organisational culture and fit to be considered.
The security management tool kit
The security management tool kit is equally important to understanding security management. The tool kit builds security arrangements from two directions – building security from task orientation; and from the whole of business approach. An organisation is then able to measure the effectiveness of the security arrangements on two levels:
- Task level - Do the controls in place reduce the likelihood or consequences of an event?
- Operational level - Do the arrangements assist the organisation in achieving its primary objectives/mission?
Equally important is use of security risk management principles. These assist organisations in taking the step from single task orientated security, to security as a whole-of-business function. Security risk management enables an organisation to commence an alignment process between the security program and other critical organisational requirements.
At a resilience level the security function is embedded in both the structure and operation of the organisation, and relies on the establishment of an effective security management framework which feeds into the risk management cycle. This is achieved through strong operational management, planning and integration within an organisation’s business continuity and management structure.