printer friendly version

The future of the security manager

Two experts offer their view of the future role of security managers.

At the recent ASIS conference in Cape Town, Hi-Tech Security Solutions spoke to two of the conference speakers about how they perceived the changing role of the security manager.

Eduard Emde (CPP), keynote speaker and president of ASIS International, believes that security only exists because business needs it. By association, the security manager is often a grudge ‘purchase’ and he or she therefore needs to change with the constant changes taking place within the complex business environment.

Eduard Emde

“The business world is volatile and ambiguous, and technology is constantly changing. The risks and risk levels are also constantly in flux. IT and cyber technology in particular have become very important and the question its popularity poses is: ‘How do we deal with these circumstances and how do we equip our teams to best deal with the current and future challenges in a proactive way?’ ” says Emde.

He says that with the advent of cyber risk, one sees attacks on SCADA (supervisory control and data acquisition) systems and accelerated cyber warfare. “Businesses are increasingly asking the security manager how he or she can halt the real and potential onslaught of attacks on sensitive IT systems.”

Benedict Weaver (CPP), managing partner at Zero Foundation, believes that the role of the security manager has remained relatively static over the past four decades. “In essence, this role encompassed managing a protection strategy for property, people, resources and reputation. However, the business environment is changing and is currently strongly affected by five global forces. These are demographics, natural resource demand, globalisation, climate change and technology.

Benedict Weaver

“Smart businesses therefore need to develop a corporate security department that will allow them to adapt to the changing global environment, as well as provide a competitive advantage.”

Weaver highlighted the massive population boom in the past 212 years. “This explosion in the number of humans inhabiting our planet means that more businesses are required to service the needs of this larger consumer base. There is already a war on talent and skills to cater for this growing customer base. As a result, the role of the security manager has become critical and should now be a part of global corporate risk management.

“As the demand for natural resources increases, businesses will come under greater pressure to perform and secure market share. This will, of necessity affect the security of the businesses competing against one another. Likewise, climate change impacts on those companies that are not compliant with green legislation. This results in a higher risk profile, which then becomes a function of the risk/security manager,” says Weaver.

Increasing globalisation will see governments deregulating industry to encourage direct foreign investment. “By moving the wealth around, shareholders and stakeholders will be presented with different responsibilities in terms of compliance with country-specific laws. This will result in greater risk exposure.

“With the rapid development of technology, the demands on intellectual property will increase. The protection of this intellectual property will become a function of security and risk management. However, since data can be delivered from anywhere in the world, technology also creates opportunities to manage this risk.”

Keep it simple

Emde says that it is advisable to keep things simple, yet smart. “The security or risk manager is primarily in place to serve the business efficiently and effectively, so he should not be overburdened with a plethora of solutions. The management and technical systems should be designed with a clear goal in mind and allow the security manager to understand the process. Approaches also need to be future proof and provide the business with cost effectiveness.”

As businesses become more hi-tech, the role of the security manager often seems to overlap with that of the IT and information security functions. “The degree of overlap depends very much on each individual business. In all instances, however, both parties need to respect one another’s expertise, open the lines of communication and consider the possibility of pooling resources and knowledge to provide a comprehensive solution.”

Emde insists that there will remain a role for a separate security function within companies, but that the operational aspects may in the future fall under the IT umbrella and other functions. “Businesses require internal expertise at a very high level. The risk manager will need to have connections within the business environment and have a larger degree of technological and business expertise than previously required.

“However, the functions that will remain within the parameters of the security manager’s portfolio include incident monitoring and response, together with investigation of these incidents or events. He or she will also need to work together with others within the enterprise to shape proactive, intelligence-led security,” adds Emde.

“With the increasing focus on corporate mobile communications, the security manager is being forced to perform out of his comfort zone. Data integrity and information assurance are now vital to the reputation of companies. This is where we will continue to see a convergence between the functionality of IT and security,” says Weaver.

He says that it should not be the responsibility of the security or risk department to monitor data on the cloud or on servers. “They typically do not have the necessary skills to undertake this function and should rather be involved in the security of communications within the organisation. This responsibility includes technical surveillance countermeasures, RF jamming and encryption systems for high-security communications.”

Emde believes that the risk/security manager will have to increase their understanding of the business in terms of its profitability drivers and markets. “In addition, it will be expected that security/risk managers will have a comprehensive understanding of relevant security standards as they apply to the business. This will be complemented by the relevant procedures applicable to human resources and legal issues pertaining to the business environment.

“Increasingly, the security/risk manager will fulfil a consulting and advisory role within the business. This will entail supporting the business in decision-taking and finding sustainable ways of reducing risks. Security, crisis and continuity management must now fit within the overall risk management strategy of an organisation as well as within the business strategies,” Emde says.

With regard to the instilling of basic security standards in employees, Emde feels that the security/risk manager will play a subtle, but strategic, role. “However, it is crucial that management participates in the transference and adoption of these basic skills and knowledge for the overall benefit of the business.”

Adapt or die

“It is common knowledge that many of the people previously appointed as security managers were drawn from the military or police forces. More recently, there has been a strategic move away from this trend. The new profile fulfilled by the security or risk manager requires a keen interest in organisational strategies in order to encapsulate the demands of the increasingly competitive business environment. Interestingly, more women, with their inherent attention to detail, are becoming involved in driving the benefits of a corporate security department,” says Weaver.

He is adamant that the traditional security manager needs to mimic the company’s philosophies and intent if he wishes to maintain his own survival and growth. “In essence, security managers will become responsible for re-engineering their own job profile. There needs to be a move away from security being viewed as a cost centre in the company to becoming a profit centre in the business. This can be achieved by aligning security with the company’s business objectives and finding creative ways of charging fees for services rendered, that is, vetting, risk assessments, technical countermeasures and competitive intelligence.”

Share this article:

Further reading: