Security management is "described in some quarters as a function of risk management," (Bulletin 2, Part 2). Although there is some crossover with public sector security functions, such as policing, security management is generally considered a private sector domain. "Whilst private security has a predominantly commercial basis, it should not be forgotten that it does interact with the public to a considerable degree," (Bulletin 2, Part 2). Security management is closely linked with other roles, and there may be some crossover with risk management. Usually, risk managers "need appropriate specialist advice at the corporate level and other managers need to apply risk management principles in their own areas," (Bulletin 4, Part 1). Security managers often play a role in advising senior management and providing guidance to departmental managers.
The main day-to-day functions of security managers will vary depending on the nature of the organization and the types of risk it faces. Security management in general is a diverse field that can include everything from crime prevention to prison management. It involves managing both external and internal threats and managing the responses to those threats. Security management also plays a role in responses to damage and disaster. The role applies to any sector: government, private, and public. However, the primary definition of security management tends to focus on the corporate sector.
To define security management properly, it may be necessary to first define security. "Most definitions of security (in its largest sense) indicate that it provides protection against loss and identify that loss as existing within a strictly commercial framework," (Bulletin 2, Part 2). Within the general security field, there has been a substantial shift over the past several years away from specialist positions toward "more management oriented titles," (Bulletin 3, Part 1). Thus, Chief Security Officer has become Security Manager or Security Director. Changes in the marketplace and the operating environment have instigated these changes.
Moreover, the role of private insurance has diminished over the past several years. This has also made the role of the security manager more important within any organization. Insurance has become cost prohibitive or inefficient in dealing with many of the biggest risks and disasters companies face. A security manager mitigates risk, focusing on both prevention and proactive measures to maintain company integrity. Security managers work closely with risk managers, and often the line between the two roles is blurred.
Assessing risk and making appropriate decisions according to situational constraints is the core of the security manager position. "At the tactical operating level, the security manager must assess the level of risk from fire, natural disasters, theft, criminal damage and industrial espionage, within the context of prevailing social, technical, environmental and political conditions," (Bulletin 4, Part 7). Any threats to the organization "must be kept constantly under review in order to react quickly to changes," (Bulletin 4, Part 7).
The multidisciplinary nature of security management has made industry specialization possible. For example, there is a clear and pressing need for information systems security management. "The role of security management has widened in scope to cover areas such as health & safety, IT risks, continuity planning, facilities management. This trend is likely to continue," (Bulletin 4, Section 7.2). Security management can be concerned with financial, property, and human loss. Moreover, public relations and communications are increasingly part of security management as companies need to maintain brand integrity and reputation.
Assessment is one of the foremost roles of the security manager. The manager must therefore be intimately familiar with not just the organization but the entire industry and its operational and regulatory climate. A security manager cannot be effective or efficient without knowledge of what kinds of risk might face the organization. Risk and threat assessment require prior knowledge of what to look for, and how best to respond. Therefore, security managers work at the corporate level and consult frequently with senior management.
To maximize the investment of security management, and to take full advantage of the position, senior management must consider security as part of the overall strategic objectives of the company. Security management features need to be built into operating procedures and communications strategies and linked to human resources development. Security management must be integrated with each and every department within an organization if it is to be effective. The security manager cannot do his or her job without a flow of information and communications within the organization.
However, internal threats are as common and potentially harmful as external threats. Security managers working in industries with sensitive data are expected to protect that data and minimize loss by ensuring that the company has adequate policies and procedures in place to prevent employee leaks. Thus, a security manager also occupies a tricky position of monitoring internal activities that might impact the integrity, productivity, or profitability of the organization. Security managers might in some cases need to work with attorneys to achieve their goals. In general, loss management applies as much to internal as to external threats.
The role of the security manager is contingent on the budget and resource constraints of the organization. Issues like resource management and organizational philosophy delimit the tasks and goals of security management. The statement 'security measures must be commensurate with the threat' in part applies to the need to assess resources before implementing a security management plan. Even the very job description of the security manager will change according to the resource and budgetary constraints of the organization. Tasks and goals are both defined by how those tasks can be undertaken, and how goals can be met. If there are insufficient resources to accomplish a given security task, the security manager must consult with senior management to provide a quantitative outline of costs and benefits of increasing investment in security.
"Security measures must be commensurate with the threat" is an adage that prevents over-budgeting for security measures related to minimal losses. An analogy is helpful in this case. A person would not put a $10,000 alarm system on a shed that contains nothing but a $50 used bicycle. The same applies to large organizations. The security measures used to protect property, information, or anything else must be in proportion to the actual threats that are faced, plus the potential losses incurred. This is why quantitative analyses can be useful when designing security management strategies. In an enterprise context, the security manager should not be spending too much time, energy, resources, and money on preventing threats that would lead to small damages or preventing small-scale threats.
Security managers need to be keenly aware of the organization's tolerance for risk, and the tolerance of risk expressed by senior management. This information is critical to the job of security manager. "By considering the likelihood of the materialisation of a threat, the security manager can decide whether to accept the risk or to apply security measures to bring it within an acceptable limit," (Bulletin 4, Section 7.2). There are some calculated risks involved with the very act of security management, and sometimes mistakes will be made. The key is to ensure that the worst-case scenario does not outweigh the potential losses. "The principal consideration here is that the cost of security must not exceed the value of the assets or processes it protects," (Bulletin 4, Section 7.2).
Security managers play a role in overall organizational development. Security issues are an integral part of organizational development strategies and organizational change strategies. Linked closely with risk management, security management ensures the protection of material and human resources, taking a largely preventative and proactive approach. Security management prevents loss by focusing on the risks most commonly faced by the organization. Situational constraints and variables make the security management position a dynamic and multifaceted one. The security manager does not have a static role with…