Tuesday, December 7, 2010

Private Security as Business Enabler:Role, Responsibilities and Methodologies in the Next Decade

Very little is written about the nature of Private Security at work place. Public perceptions of private security attest to the assumption that security work is done by someone who lacks the requisite training and education and mainly works as deterrent.

One of the interesting observations made recently is the impact of using the word "security”. This seems to be the passion-killer. Talk about "risk" and "compliance" and "governance" and the view is that it's much easier to get business buy-in. Talk about "security" and it is considered to belong in the small security cabins or having people involved in checking passes at the main entrance.

The Range of Security Duties

The nature of private security involves more than patrol and guard duties. Activities include establishing perimeter security through such elements as guard services, signs and notices, fence design criteria, protective barriers, locks, alarms, and protective lighting. While most of these responsibilities are tied to asset protection, these activities are also designed to prevent insiders and outsiders from committing crimes. Employee theft is a major concern for all workplace organizations and to have cordial relations with its employees. Measures are designed to prevent other detrimental activities such as workplace violence, drugs in the workplace, and white-collar crime.

Security work also sometimes includes fire protection (if fire department is not in place) with attention focused on the causes of fire, fire brigades, fire control surveys, fire alarm technology, and fire protection plans. Security Departments are also concerned with electronic surveillance, camera surveillance and access control issues, including swipe cards and badge systems, personnel movement, automated access systems, degrees of restriction, and other classification systems that support access control.

Personnel security is another feature of security departments. Some of the tasks included within this area include employee crime, employee suitability, pre-employment screening, executive protection, and other evaluation programs relating to personnel. A well placed Personnel security also brings confidence to its Top Management, show of status and confidence to its investors.
Security managers are also concerned with computer crime and information security. One of the major tasks for large corporations is securing proprietary information from unwanted disclosures. Other functions include legal and liability issues.

Security at blue-print stage

It is not uncommon for security departments to be involved in the planning stages of developing business environments. Security analysts interface with architects to ensure security features, such as electronic surveillance equipment, in the design stage itself. This will help in placing an effective Security Department itself, uplift the moral of Security Personnel’s and will also align its security personnel in business development. This cannot be quantified in money at once.

Management of Risks, Emergencies & Disasters

Risk management is coming up in a big way now days. The major function of most security departments is risk management, disaster management, and emergency preparedness. Some of these tasks include risk identification, risk analysis, risk reduction, and program evaluation. Risk management includes defining vulnerabilities, and planning and conducting security surveys. Emergency planning and the management of both natural and human-induced disasters constitute the core of a security department's functions. Within this framework of risk, insurance plays an important role for security managers, who must consider the application of varieties of insurance such as bonds, federal crime insurance, kidnap and ransom insurance, fire insurance, and liability insurance.

Security’s strategic alliances within the organization

Security managers have to be concerned with developing strategic alliances and relationships within the organization to maintain security effectiveness. In addition, security managers have to develop relations with the media, public law enforcement, fire departments, and other security organizations. This can only happen if Security Department is independent and pro in countering security threats.

Is security really a business enabler?

You can’t go far in the security profession these days without hearing about it. From the meeting rooms of security conventions to almost every issue of the popular magazines; it is everywhere. Do a Google search for “security as a business enabler” and see for yourself!

This idea appears to some as nothing more than the “concept de jour.” It is said that in order for a function to be a “business enabler” it should directly contribute to the revenue stream of that business, not indirectly participate as part of the total business. Therefore, in order for security to fit into that definition it would require the use of security as a competitive differentiator for the production line or a business activity. Organizations that fall into these brackets are definitely in the minority so far. But, it is heartening to note that numbers are increasing!

If security is considered a business enabler as much as every other function within an organization is a business enabler; security just seems to qualify. Security is more enabling than if compared with a healthy, clean work environment as a productivity issue. It is not to be taken as if it was created as a sales tool by security product vendors, large consultancies, security research firms, or the large security magazines. This approach is designed to feed the undying need to provide security with a tangible evidence of its importance.

To Art Coviello, president of EMC's RSA Security Division, “Security is inextricably linked to innovation in the business world. Innovation requires understanding risk, and for security initiatives to support business.”

“So it's our job as security professionals, to make security as painless as possible. Painless in terms of how it works; it only gets invoked when an anomaly is detected, otherwise people are allowed to get on with their business. [Security should be] done in a fashion [so] that people have confidence that they can take a risk, and the way to do that is to understand the risk of any initiative … in the context of what the vulnerability might be [caused].”

So it's about understanding the vulnerability up front, but it's also about understanding the probability that that vulnerability will be somehow exploited, and we need to mitigate it and then look at the reality of what the consequence might be. So it's just a different way of thinking about security where you have a problem, you react and you fix it. It just causes a spiraling effect, and you're always attempting to solve yesterday's problem. So if you get ahead of it, you understand the risk up front and you can take that risk with a lot more confidence because you've done things to mitigate it.

Most companies today continue to think that the role of security is primarily to protect against threats, not to help facilitate business and stimulate growth. Simply put, companies continue to think of security initiatives as "how to keep out the bad guys" rather than "how to let in the good guys." But the good guys must be allowed in for any business to thrive.

Because the threat philosophy is deep seeded, security is often viewed as a burden. In fact, industry analyst commented that:

“There is a change from security being viewed as a nuisance to being viewed as an enabler. Those companies that do security well will be the organizations people choose to do business with.”
John Leyden, “Security Software Sales Soar,” vnunet.com, April 20, 2000

The dictionary definition of "Enabler" (dictionary.reference.com) is:

Ø to make able; give power, means, competence, or ability to; authorize: (This document will enable him to pass through the enemy lines unmolested.)
Ø to make possible or easy:(Aeronautics enables us to overcome great distances.)
Ø to make ready; equip (often used in combination): (Web-enabled cell phones.)
Ii is appropriate that we take the second part of the second definition (to make easy) as our definition of enabler. Given the proper definition of enabler it is clear that security is a business enabler because it makes possible many aspect of business.

One may take a deliberately provocative stance, making a point that security is not there to enable the business, it’s there to mitigate risk. That is not the same thing: its cost, expense, and time and we only do it because we have to.

This may produce the counter-argument, especially from those present from the financial services industry that many of their services would not be publicly acceptable or acceptable to their regulators without solid built-in security and so in their case it's an enabler.

Doing something because you have to is not the same thing as doing something because you want to. The approach of financial services industry is the same as other industries, in that, profit is the driving force and if they could get away without the additional cost and expense of designing stronger and better security then they probably would!

There is nothing wrong in admitting that we "do security" because we have to. The trick is in the way the work gets done within the business. Too often security professionals try to justify costs by presenting vague ROI figures or metrics. The problem with this is that the finance director will laugh your ROI data out of his office! If you want to convince your management then you have to cut out the techie chat.

The key points are that we need to -

Ø Take a risk based approach
Ø Focus on business needs
Ø Talk the language of the business
Ø Don’t make wild statement about cost savings and ROI
Ø Work to reduce costs
Ø Put risk assessments into context
Ø Present a decent set of meaningful security metrics
I would say that we 'do security' to make functionality possible inline with our compliance requirements and to reduce risk to an acceptable level, thereby 'enabling' the business units to do business in a more controlled fashion.

***

No comments: