Last month I suggested that trends such as the expanding need for risk management and greater use of sophisticated technology and work methods have all enhanced the professional role of security management in the last few years. The major shift from protecting or guarding the perimeter of the business to managing the risk of the business in a proactive manner has helped this image, as has more business emphasis on security demonstrating how it adds value to the organisation.
I have emphasised two main themes in writing about the positioning of security management in organisations. These are that the security managers' strategic responsibility should move from a department focus to one of looking at enterprise risk management. The second is that when the security manager can define his or her position in terms of its impact on the rest of the organisation, it is much easier to justify an executive function. I have suggested some actions below that security managers can consider in defining their role in these areas.
Position security as a strategic executive concern
Establish and maintain a full organisational risk profile generated by the security manager and other specialists (eg internal audit, IS). This can cover external threats, departmental risk areas, and also examine interdepartmental business processes.
Make ownership of risk management an executive function rather than a security function, with multidisciplinary teams accountable for the security of the product and production process.
Get risk management principles incorporated into the enterprise business plan, process and strategy. Security managers should facilitate this process as experts rather than managing security as a 'bolt on' function that is imposed after everybody else has made their decisions.
Integrate security strategy with organisational strategy
Get involved in business discussions as much as possible.
Review and update security strategy on an ongoing basis to ensure that the protection of product, personnel, property and information is consistent with the organisation's strategic and business needs. This should ultimately result in security principles being integrated into operational strategy and business processes of all departments.
Embrace different disciplines
Technology has catapulted security into the organisational mainstream but the discipline itself has a shortfall of skills to deal with this. Business auditing skills are an area of potential improvement while legal resources could also be addressed in more depth. By pulling people from other disciplines into security, you enhance the security expertise base and credibility, and give yourself more opportunity to impact on different aspects of the business. Your business is risk management and you should be able to apply that to all aspects of the organisation.
Get away from being seen as a physical security provider only to a knowledge and risk assessment based service.
Look for opportunities to contribute to business efficiency
Look at ways that you can enhance business processes by initiating proactive actions by security. This may involve such things as asking for defined work standards, benchmarking these and then building them into the production system that gets reviewed using the security system. The 'rules-based' systems used within De Beers is an example of this where the security standard is the expected business standard. In this way, security can become a major contributor to quality management practices. Further, the workflow efficiency of many business processes can be measured or monitored using the security information systems. This takes the security manager into mainstream discussions on the production process and organisational performance.
Quantify risk and savings
Security is typically seen as an overhead. If the security manager can demonstrate the cost benefits that are accruing from security relative to the expenditure, it is far more likely to be accepted. This could include potential scenarios if security provisions were not in place. If you can show security benefits and savings from improvements that are made in business practices, this is a huge advantage.
Place major projects in the context of a business plan, capital costing and approval, installation and commissioning, and evaluation of business impact.
Get involved early in projects
Embed security principles in the way the organisation operates as soon as possible. You should be doing this as a core design team member, not merely as someone who gets consulted along the way. Define your role as providing appropriate input and risk analysis of new work processes by all departments so that security provisions are incorporated within those processes. This would include defining security needs/design principles which need to be adhered to within projects.
Use technology strategically
Define the direction and purpose of the technology system in a strategic context, including the potential application areas, design and functional requirements, interface with security and mine systems, and future technological direction.
While technology is a major factor in the security department's positioning, consider its application carefully. Determine the best ways to integrate technology strategy with parallel development of technology in other departments. This may at times differ from having the 'best' security system in the traditional sense. The best system is the one that covers security most effectively from an organisational standpoint. You should be asking the question, how does it add value?
Provide integrated systems/solutions
Risk management covers a range of areas. In many cases, there are small sections or even individuals from different departments with different orientations covering these. Hendrik du Plessis in a recent e-mail to me provided a useful guideline where he included functions such as safety, health, environment, security (physical and information), legal liability, civil liability, fire (prevention and combating), emergency planning and computer security as areas of concern in risk management. You may emphasise a different configuration for your security operation, but the more you can provide as an integrated service, the more consistent will be the experience of security.
Have an accepted plan ready
Develop scenarios around crime developments and trends, legislation and resource developments and formulate plans to deal with these various scenarios. Formulate security and disaster contingency plans and perform ongoing reviews of the operational feasibility and preparedness of all parties for the implementation of these. Involve other departmental heads closely in the development and testing of these.
Don't be too control centred
Security's biggest public relations problem is that people see it as restraining to what they are trying to accomplish. The longer they have to wait for clearance, the more forms they have to fill in, the greater the detail required and the more inconvenience they endure, the more disenchanted they are with security and the more they see it as an obstacle.
Get departments to be accountable for their own security provisions where possible, subject to auditing and risk evaluation. Use nonintrusive methods where possible.
Make security reception a model of public relations efficiency rather than a obstacle course.
Despite many instances of people without degrees who have made good in business and even in established disciplines, the typical company culture equates qualifications with professionalism and abilities. Academic qualifications in many instances is an issue for security managers. There have not been many channels to gain suitable security tertiary qualifications in the past. However, these are opening up locally. Also, consider looking beyond security - a business qualification like a BCom or a BSc may even be more advantageous in an executive context. There are also MBA degrees or which do not necessarily require previous university degrees.
Similarly, the MSc in Security or MSc in Risk Management from the Scarman Centre at the University of Leicester can in some cases be done without previous qualifications. Subordinates also need to be encouraged to study. Qualifications give you credibility, and the more qualifications there are in your discipline, the better your discipline appears.
The responsibilities of running a department can be substantial and the expertise that security managers require as part of their contributions to organisations can be considerable. Departmental strategy, infrastructure, sourcing staffing requirements and the calibre of personnel are all important in promoting the role of a professional manager.
To impact on the executive function, however, requires a move to a business philosophy in combination with security, an increased focus on managing risk throughout the corporation, and a process of recognition at top decision making levels which does not necessarily occur overnight.
It's a challenging but exciting time to be part of a professional security discipline.
For details contact Craig Donald on tel: (011) 787 7811, fax: (011) 886 6815 or e-mail: firstname.lastname@example.org, or visit www.leaderware.com
© Technews Publishing (Pty) Ltd | All Rights Reserved