This essay examines different kinds of organizational loss, and how the security manager can prevent and respond to these losses. While the particular circumstances may vary, the underlying theoretical concepts are the same. By paying attention to surveillance, communication, symbiosis, and directed autonomy, the security manager can prevent and respond to organizational loss regardless of the context or degree of loss.
Security Management
The role of a security manager varies widely according to the particular organization and its needs, but despite this variety, there remain certain best practices and policies that can help maintain security and stability. This is nowhere more true than in the case of organizational loss, because while loss can mean widely different things depending on the field, the underlying theoretical concepts which inform attempts to minimize loss are broadly applicable. By comparing and contrasting different kinds of organizational loss and the demands they place on security managers, one is able to better understand which responses and policies, both general and specific, will be most effective in responding to organizational loss. As will be seen, while the specific options available might vary wildly according to organization, the underlying theoretical justifications for those options apply nearly across the board, because they are based on the same shared concepts that define the role of a security manager regardless of context: surveillance, communication, symbiosis, and directed autonomy.
To begin, it is necessary to define organizational loss both generally and specifically, because it is a highly specific issue in practice that nevertheless affects every organization, whether it be a small school, a government agency, or a multinational corporation (Fox & Harding 2005, Newmann 2002, Comfort 2002). In the broadest sense, organizational loss is precisely what the term sounds like; that is to say, it refers to any loss suffered by the organization in question, whether financial, material, or immaterial. At first glance this might not appear to be a particularly useful term due to its broad definition, but when considering a security manager's responsibilities regarding organizational loss, it soon becomes clear that the same underlying concepts apply across the board, to the point that the broad category of organizational loss becomes a meaningful and useful classification.
Some of these losses are within the control of the security manager, while others are beyond the control of anyone within the organization. For example, while a security manager would undoubtedly be responsible for securing the sensitive internal communications of an information technology company, there is fairly little anyone could do to prevent the property losses associated with natural disasters such as earthquakes or hurricanes (Werlinger, Hawkey, & Beznosov 2009, Cristy 1963). Even in the latter case, however, one could probably identify some preventative measures to minimize that loss, such as insurance, backup databases, and employee counseling and emergency communication services.
Having defined organizational loss in general, it will now be helpful to define and describe it as it relates to a variety of different organizations, in order to better understand the concept as a whole and demonstrate how the underlying theoretical basis of security management and planning can inform responses to a variety of situations. Perhaps the easiest field in which to begin discussing organizational loss is retail sales, because the kind of organizational loss most frequently suffered by retail organizations is fairly simple to understand and respond to. This is, of course, referring to theft, whether it be shoplifting perpetrated by individuals outside the organization or the theft of goods or revenue by employees themselves. In both instances the role and activities of the security manager will be largely the same.
Shoplifting is one of the most prevalent kinds of theft, likely because it is frequently easy and there is little perceived risk. In fact, as of 2008, data suggests that "one in 11 people has shoplifted during his or her lifetime," and roughly "$13 billion worth of goods are stolen from retailers in the United States each year" (Blanco et al. 2008, p. 905). Although specific responses to this kind of organizational loss will be discussed later, for now it suffices to acknowledge that direct losses such as those produced by retail theft are frequently the easiest to manage, due to the fact that they occur in relatively monitored environments and do not involve the kind of complexity or nuance that can make security management especially difficult. In turn, discussing the relatively straightforward approaches to shoplifting and employee theft will provide a simple demonstration of the theoretical concepts under discussion, before applying them to more complex situations.
In addition to the more straightforward losses created by theft and shoplifting, organizations are also at risk of more subtle, but no less insidious, forms of theft that do not target merchandise or cash, but rather proprietary or sensitive information, or else do target financial assets but through more subtle, frequently electronic means. This form of organizational loss has become especially relevant in recent years, as more and more organizations of all types have become increasingly dependent on information and communication technologies for their day-to-day functioning, even as a string of high-profile breaches and data losses have affected companies as notable as Apple and Sony (Werlinger, Hawkey, & Beznosov 2008, p. 5). In fact, digital theft and security breaches are rapidly becoming the most pressing issue facing security managers, as more and more individuals connect to their respective organizations via digital communication technologies rather than in-person interactions.
As will be seen, preventing and managing this kind of organizational loss requires a kind of spatial reimagining of the security landscape, because points of potential breach or loss are no longer confined to the physical boundaries of the organization. Nevertheless, this shift in perspective need not be viewed as an entirely novel or unprecedented response, because the same basic concepts that inform the security of physical boundaries can inform the securing of digital boundaries as well. This is because despite changes in technology, organizations still ultimately depend on human beings, and human beings present the same security risks everywhere, albeit in modified forms.
It is important to point out that organizational loss need not come in the form of theft. In fact, some of the most influential and difficult-to-manage organizational loss has nothing to do with theft, but rather with the natural comings and goings of an organization. As an organization expands or shrinks, it may need to hire new employees, fire existing employees, or reorganize employees into new hierarchies and groups. Every one of these actions creates the potential for loss, whether it be the loss of employees themselves, the loss of the experience or specific knowledge they retain, or even a loss in productivity from those employees who may have seen their friends and co-workers let go.
There is a reason much of the academic literature regarding layoffs and downsizing refers to those remaining employees as "survivors;" although the employees who have been let go are not actually dead, in terms of the organization as a whole, those employees that remain are forced to deal with their now-absent co-workers in much the same way that a family might deal with the loss of a loved one, while at the same time attempting to maintain the same level of efficiency and productivity (Milligan 2003, p. 115, Samuel 2010, p. 120). Though this might sound dramatic, it has very practical consequences for organizations attempting to maintain their level of productivity, and the security manager's role in surveillance and communication becomes crucial in this effort. In a sense, the security manager becomes the organization's internal eyes and ears, looking out for warning signs that employees are suffering.
This kind of organizational loss can extend even beyond employees and their connections with each other to actual physical spaces and properties, because if a particular building or property is closely associated with the organization's identity, the loss of that property, whether through disaster or simply a change of address, can negatively affect the organization in the same way that the loss of employees might (Milligan 2003, p. 115). This is because organizations, like individuals, establish their identity through a combination of physical and non-physical attributes, and because organizations are made up of individuals, this identity-formation is a two-way street; the organization contributes to the individual's identity, and the individual's identification with the organization ultimately generates the organization's identity as a whole (Hatch & Schultz 2002, p. 990).
While at first glance "employee nostalgia for the old site" might not seem like a particularly pressing or important phenomenon for a security manager to consider when confronting organizational loss, in fact it is precisely this kind of subtle, seemingly unimportant organizational attitude that can negatively affect organizations to the tune of billions of dollars in lost productivity, not to mention employee loyalty (which can itself affect the amount of internal theft or security breaches) (Milligan 2003, p. 120-121). Furthermore, if the property switch was precipitated by destruction or damage to the old site, then this attitude will only serve to compound the direct financial and material losses already suffered by the organization. In situations such as this, the security manager has the dual role of predicting risk while responding to the aftermath of those risks which were not sufficiently mitigated.
Before discussing potential responses to these different varieties of organizational loss, it is necessary to outline one final variety, namely, the kind of loss that occurs as a result of doing business, such as market variation, shifting consumer confidence, and fluctuations in supply and demand. Obviously, this kind of organizational loss affects corporations most directly, but even governmental and non-governmental organizations ultimately feel the effects of this kind of loss, whether through reduced tax revenues or increased purchasing and supply costs. In addition, while these kinds of losses are more frequently viewed as the purview of regular management, rather than the security manager, the fact remains that the security manager is in fact responsible for certain elements of organizational security and risk management related to this kind of financial or market loss.
Having outlined the various kinds of organizational loss that might fall under the purview of a security manager, it will now be possible to discuss best practices and responses for dealing with organizational loss, with the further goal of demonstrating that the theoretical underpinnings of security management are fairly uniform across the board, even if particular practices vary according to context and necessity. This theoretical continuity stems from the fact that despite obvious differences between organizations, in the end they are all made up of a group of people (hopefully) working in tandem and functioning as something larger than the sum of its parts. To see how important this understanding of organizations is, one may note that organization and organism both contain the same root, and in fact organizations may be thought of as essentially super-organisms, with structures and functions analogous to actual organisms. In this context, one can imagine the security manager as a kind of liaison between the immune system and the rest of the body, working to prevent illness while responding to any potential injuries or attacks, whatever they may be.
As such, it will be possible to go through the potential responses to each of the varieties of organizational loss described above and not only determine the best responses, but also demonstrate how those different responses ultimately stem from a relatively small set of theoretical concepts, such as surveillance, communication, symbiosis, and directed autonomy. Once again, it will be instructional to begin with the relatively simple phenomenon of shoplifting and employee theft of merchandise or cash, because although the responses to this particular form of loss are relatively straightforward and possibly even obvious, examining them in detail will help to reveal the theoretical concepts underlying all security management, regardless of whether the organization is a retail store, a school, a transnational corporation, or even a government itself.
In the case of shoplifting (perpetrated by non-employees), practically every preparation and response revolves around surveillance and situational awareness, and understanding how these concepts relate to shoplifting can actually help one better understand how a security manager might deal with other, less obvious forms of organizational loss. In terms of securing physical spaces, surveillance and situational awareness methods can be divided into passive and active methods. Passive methods include the use of security tags on merchandise coupled with sensors at entrances and exits, or even the presence of security cameras regardless of whether or not they are actively viewed (or even real). Active methods include the aforementioned security cameras, as well as the observations of employees, and in general a combination of active and passive methods is necessary in order to effectively survey a physical space while maintaining at least the impression of surveillance in those spaces which cannot be viewed or controlled directly.
Regardless of method, the key for a security manager is being aware of the limits of his or her surveillance and situational awareness capability, and this is true in any situation, and not just retail. However, identifying the limits of these capabilities is somewhat easier in a retail environment, because there are fairly direct, obvious means of measuring and quantifying these capabilities. For example, while security cameras themselves can function as a kind of deterrent, if they are to be used for actual surveillance, their placement is extremely important, because any blind spots will be exploited. Ensuring maximum coverage is of course a relatively simple procedure, but pointing out its necessity here will be informative later when discussing digital security, because although the spaces needing securing are vastly different, the same fundamental concept applies.
This is also true of employee awareness, because the same difficulties facing the security manager attempting to prevent shoplifting face the security manager attempting to secure a vast internal communications network. In research literature this is referred to as "information security awareness," and refers "to a state where users in an organization are aware of -- and ideally committed to -- their security mission" (Siponen 2000, p. 31). Perhaps the most frustrating part of maintaining healthy information security awareness is the fact that for most employees or individuals not directly related to the security apparatus, maintaining situational awareness simply is not part of their job description, and as a result their only investment in security is the minimum that is required of them under whatever security guidelines exist (Siponen 2000, p. 32). This brings one to the next critical concepts for security management after surveillance and awareness, namely, communication and symbiosis.
Symbiosis is a term most commonly used in biology and ecology to refer to a mutually beneficial relationship (although it can also be used in a broader sense to refer to any relationship between organisms), and it is applicable to the functioning of organizational security when one considers how the different departments or branches of an organization work together. For example, although a retail employee may not see surveillance and security as an integral part of his or her contribution to the organization, the fact remains that the employee's own success within the organization is dependent on the security apparatus and vice-versa. Neither can survive without the other, even if their day-to-day interactions are minimal.
The difficulty comes in communicating this common dependency to individuals, because too often security guidelines and education programs do not take the individual's self-interest into account, and thus fail to communicate the individual benefit derived from maintaining organizational security (Siponen 2000, p. 31). Furthermore, research has shown that management tends to overestimate not only the security of the organization as a whole, but also the degree to which employees actually "adhere to established organization security policies" (Taylor & Brice 2012, p. 5). This is particularly true in the case of retail organizations, which frequently see high turnover at the lowest levels of the organization, which also happens to be where the organization interacts most closely with the public. Thus, it is up to the security manager to develop effective means of incorporating employees into the security operation by clearly communicating each individual's own investment in the success of that operation.
Recognizing the symbiotic relationship between the security operation and seemingly unrelated departments leads one to the final theoretical concept mentioned above, directed autonomy. Perhaps the biggest benefit and drawback of human beings is their ability to think critically and act autonomously. On the one hand, having autonomous elements of an organization means a reduction in unnecessary oversight and managerial interference, but on the other hand, too much autonomy means that "managers fail to perceive of routine employee actions that may unintentionally expose the organization to security risks" (Taylor & Brice 2012, p. 6). Thus, the concept of directed autonomy is an attempt to retain the benefits of individual autonomy while ensuring that this freedom does not result in unregulated behavior that puts the organization at risk.
In the case of retail security, this means educating employees about warning signs and their own situational awareness while giving them the freedom to make judgment calls regarding potential security risks. Obviously, entry-level retail employees should not be expected to evaluate potential security risks with the same skill as a security manager or officer, but by clearly communicating potential security risks as well as the benefits employees would see from remaining vigilant regarding those risks, security managers could retain the benefits of autonomous employees while directing their autonomous assessments towards productive ends. In turn, this would have the effect of reducing turnover somewhat, because individuals tend to feel more fulfilled when they have the impression of choosing their own responsibilities and interests.
Though the above discussion focused mainly on shoplifting, these same concepts apply almost without alteration to the matter of employee retail theft, because all of the same issues are in play. In fact, the only major difference is that employees actually have a greater vested interest in maintaining security, because a single dishonest employee has the potential to mar the reputations of everyone else, to the point that some managers simply find it easier to punish the entire staff than root out the guilty party. In this case the security manager has an extra responsibility to the staff as a whole, because he or she must be able to determine the guilty party, lest the entire organization suffer more than it already has.
Having used organizational loss in the context of retail sales as a kind of case study and demonstration, one can now take the theoretical concepts outlined above and examine how they relate to other situations. For example, though securing proprietary data and communications systems is a far more technological and complex effort than surveying a retail store, the same basic concepts apply, because the weakest link in any security operation almost always boils down to individual humans. As Lacey (2010) notes, "ever since their introduction, the security of information technology systems and platforms have been repeatedly undermined by design flaws, weak passwords, lost media, social engineering and numerous other human failings" (p. 4). In the context of this study, the most important elements of securing data and communications are those elements of information technology systems that rely on human input, because although the structural security of a given program or system is obviously within the authority of a security manager, those aspects ultimately boil down to questions of internal, objective checks and technological skill; in other words, the security of a program itself, while crucial, is largely of concern to technological specialists, while the security threats posed by the actual users of that program become the most pressing issue for a security manager to deal with.
As mentioned earlier, securing the boundaries of a digital space requires a kind of dimensional rethinking, because the potential for holes or breaches extends well beyond the physical confines of the organization. However, this does not mean that the theoretical concepts necessary for securing a physical space are any different from those necessary for securing a digital space; instead, one must simply adapt these concepts to fit a new context. Thus, where security cameras and tags may suffice for a retail store, surveillance of a digital space, such as a database or communication system, requires systems in place to register who accesses what, and when.
This is particularly important for preventing data breaches or the theft of proprietary information, because frequently the breaches are the result of individuals with authorized access using that access to steal data (Chang & Lin 2007, p. 439). Because individuals need access to this data as part of their authorized duties, it is up to the security manager to develop methods for identifying suspicious patterns of access, something that governments have become especially interested in following certain high-profile leaks (Lacey 2010, p. 5). While there is not yet a foolproof method of identifying potential thieves or leakers prior to the act, maintaining robust surveillance of data usage and access is the first step towards securing vulnerable digital spaces.
In addition to surveillance, communication is key when it comes to securing digital spaces, because as mentioned above, routine employee behavior may open up the organization to security risks without the knowledge of the individual. This is because in almost every case the majority of users will not be trained as technology or security specialists, and thus may not realize the potential impact of seemingly minor actions, such as connecting transferable media like a flash drive to a network, or else using their work e-mail for non-work activities. Even something as simple as a weak password can mean the difference between a secure organization and millions of dollars in damages (Chang & Lin 2007, p. 439).