Security Management
The statement that security measures must be commensurate with the threat implies that too much security procedure is as ineffective as too little, because an excessive regime is unsustainable in the long term. Further, "…security measures must be acceptable in both nature and degree because otherwise security will not have the support of those who have to operate the system and cooperate with it." (the principles of security) Striking the right balance of how much security is appropriate in an organization is therefore one of the fundamental challenges of security management. This paper reviews best practices in this area and finds that business acumen matters more than security skills in determining security priorities.
According to the research source Security management stage 1 (core skills), a security manager must understand business management in addition to the respective site operations, processes and products. Briggs and Edwards place great emphasis on this business management aspect, stating that, "As the function comes of age, the corporate security community has been trying to understand how to align security with the business, so that doing business and doing security go hand in hand." Effective security managers, according to Briggs and Edwards, therefore:
Understand that security is achieved through the everyday actions of employees across the company.
Recognize the limitations of command and control approaches to change management.
Realize that their role is to help the company to take risks rather than eliminate them, and to have contingencies in place to minimize damage when things go wrong.
Embrace and contribute towards their company's key business concerns, and as a result expand the security portfolio significantly to facilitate resilience.
Make a clear distinction between the strategic and operational aspects of security management, relying on business units to carry out the operational work.
Abandon old assumptions about where their power and legitimacy come from, and understand that business acumen, people-management skills, and communications expertise are more important than knowledge of security.
Risk management and the role of security management (2009) adds the notion of understanding true business impact; in other words, what are the true business risks? This source states that business impact comprises primary costs, such as the value of lost assets, and secondary costs, such as repairs to damaged property, the non-availability of staff due to accidents, the costs of the security failure itself, and the profit that would have resulted from the lost opportunity. The culture in a business "can influence what is regarded as risky and the perception of what is risk" (Risk management and the role of security management, 2009).
When determining the risks to which a business is exposed, the security manager needs to evaluate internal practices and procedures, physical risks to premises, and external risks (the role of the security manager). Assessment of internal practices and procedures encompasses all business activities, from the recruitment and training of employees and the receipt of trading materials, through internal processes, to the disposal of what is produced and the payment for the product or service. To assess physical risks, the security manager must examine detailed property plans and perform site visits to identify every access point and determine whether it is secure. Identification of external risks depends on the location and structure of the business premises, the type of business, its neighbors, and company-specific risks.
Security managers must also pay attention to regulatory compliance, which has voluntary, self-regulatory, and statutory dimensions (Options for the development of the security industry). Voluntary regulation is self-imposed and may include the establishment of a professional regulatory body. Self-regulation occurs where the regulated profession holds a majority on the regulating body; for example, medical professionals regulating the medical industry. Statutory (legal) regulation entails legal requirements that must be met in order to practice or operate.
In Organizational resilience: Security, preparedness, and continuity management systems -- requirements with guidance for use (2009), a process approach is described for achieving effective security management. A process approach, according to this source, involves:
Understanding an organization's risk, security, preparedness, response, continuity, and recovery requirements
Establishing a policy and objectives to manage risks
Implementing and operating controls to manage an organization's risks within the context of the organization's mission
Monitoring and reviewing the performance and effectiveness of the organizational resilience management system
Continual improvement based on objective measurement