Security_Must_Be_Commensurate_to_the_Threat

The statement that security measures must be commensurate with the threat implies that too much in the way of security procedures will be as ineffective as too little security, as it will be unsustainable in the long term. Further, “…security measures must be acceptable in both nature and degree because otherwise security will not have the support of those who have to operate the system and cooperate with it.” (The principles of security) So, striking the right balance of how much security is appropriate in an organization is one of the fundamental challenges of security management. This paper provides a review of best practices in this area, discovering that business acumen is more important than security skills in determining security priorities. According to the research source Security management stage 1 (core skills), a security manager must understand business management in addition to respective site operations, processes and products. Briggs and Edwards, place a great emphasis on this business management aspect, stating that, “As the function comes of age, the corporate security community has been trying to understand how to align security with the business, so that doing business and doing security go hand in hand.” Therefore, effective security managers, according to Briggs and Edwards: • Understand that security is achieved through the everyday actions of employees across the company. • Recognize the limitations of command and control approaches to change management. • Realize that their role is to help the company to take risks rather than eliminate them, and to have contingencies in place to minimize damage when things go wrong. • Embrace and contribute towards their company’s key business concerns, and as a result expand the security portfolio significantly to facilitate resilience. • Make a clear distinction between the strategic and operational aspects of security management, relying on operational work to be carried out by business unites. • Abandon old assumptions about where their power and legitimacy come from and understand that business acumen, people skills management, and communications expertise is more important that knowledge of security. Risk management and the role of security management (2009) adds the notion of understanding true business impact; in other words, what are the true business risks'. This source states that business impact comprises primary costs such as those of lost assets and secondary costs such as repairs to damaged property, the non-availability of staff due to accidents, costs of security failure, and the profit that would have resulted from the lost opportunity. The culture in a business “can influence what is regarded as risky and the perception of what is risk” (Risk management and the role of security management, 2009). When determining the risks to which a business is exposed, the security manager needs to evaluate internal practices and procedures, physical risk to premises and external risks (The role of the security manager). Assessment of internal practices and procedures encompasses all business activities – from the recruitment and training of employees and the receipt of trading materials, through internal processes to the disposal of what is produced and the payment for the product or service. To assess physical risks, the security manager must examine detailed property plans and perform site visits to determine all access points and if they are secure. Identification of external risks depends of the location and structure of the business premises, the type of business, its neighbors, and company-specific risks. Security managers must also pay attention to regulatory compliance with voluntary, self-regulation, and statutory considerations (Options for the development of the security industry). Voluntary regulation is self-imposed and may include the establishment of a professional regulatory body. Self-regulation occurs where the regulated profession has a majority on the regulating body; for example, medical professionals regulating the medical industry. Legal regulation entails legal requirements that must be followed in order to practice or operate. In Organizational resilience: Security, preparedness, and continuity management systems – requirements with guidance for use (2009), a process approach is described for achieving effective security management. A process approach, according to this source, involves: • Understanding an organization’s risk, security, preparedness, response, continuity, and recovery requirements • Establishing a policy and objectives to manage risks • Implementing and operating controls to manage an organizations’ risks within the context of the organization’s mission • Monitoring and reviewing the performance and effectiveness of the organizational resilience management system • Continual improvement based on objective measurement Security managers must also be capable at invoking change when things simply aren’t working the way they should. Professional practices for security managers seeking to improve security within their organizations (2005) advises the creation of a working group to quickly initiate needed change, “one month to settle the “big picture” in a realistic way and identify a strategy to follow.” The working group should include security professionals as well as other stakeholders such as non-security employees and customers. Further, to increase uniformity and appropriateness of protection, it is useful to establish threat levels, high medium and low, based on the type of business activity, population of the facility, critical infrastructure on-site, local crime statistics and other socioeconomic factors (Professional practices for security managers seeking to improve security within their organizations, 2004). In summary, security priorities are determined by business needs, the potential business impact of security violations, and the risk associated with business activities. To succeed in appropriate identification of these factors, security managers will have to master a process approach to security assessment and implementation and will need to work in the confines of regulatory requirements. Finally, security managers will have to acquire change management skills to understand what needs to change and how to change it.