The term “security” in an organizational setting refers to protecting the organization’s assets from loss, damage, or misuse. “Security” is a broad topic, covering everything from protecting people to information technology assets to intellectual property to financial assets to physical plant to organizational reputation.
In corporations, the protection of assets is a governance issue. The chief executive officer has a duty to protect the shareholders’ investment, which means protecting the corporation’s assets from loss, damage, or misuse.
This book focuses on physical security, because physical security is the basis for all organizational security and the starting point for any security program. It is an essential element in most of the disciplines that fall under the general heading of “security.” As an example, the physical protection of data centers and networks is essential to the protection of information technology assets and the information stored, processed, and transmitted by those assets. It is also an essential element in the protection of people, as well as in the protection of intellectual property as trade secrets.
The first effort businesses make to develop a security program is generally in the area of basic physical security, and, unfortunately, the results are not always as effective as they had envisioned. It is not uncommon that the wrong risks are addressed or the risks are addressed in a manner that does not provide the necessary controls. Resources can be squandered by addressing the wrong risks or by addressing them the wrong way. Sometimes businesses recognize these failures early. Sometimes they fail to recognize them at all.
How and why these efforts fail, and in some cases why they may never succeed, is normally related to insufficient effort and/or inadequate knowledge being applied to the project.
When an organization does not have a security program, at some point a security incident of sufficient import occurs that it comes to the attention of the senior executive (e.g., CEO, president, or owner) of the business. That individual is sufficiently concerned to say something along the lines of, “We need to get some security around here.” What happens next is that he or she points to someone in the business (frequently the head of Facilities or Human Resources or Finance or Administration) and assigns to them the task of “getting some security.”
“Getting some security” is vague to the point that the recipients of the assignment do not actually know what it means, but it seems like a reasonable thing to do, and it is related to the incident that led to the assignment. They are, however, faced with a couple of challenges:
• With their normal responsibilities, they already have a full plate and they want to get the assignment accomplished as quickly and painlessly as possible.
• They know essentially nothing about physical security, but view it as a relatively simple matter because they see security officers, cameras, alarm systems, and electronic access control systems in their daily lives.
Given those challenges, the approach will likely be to contact a supplier of security services or products to identify the appropriate course of action, as that will appear to be the quickest and most painless way of accomplishing the task.
What do the contract security company (i.e., guard company) and security technology company think the business needs in order to “get some security?” In the case of the contract security company, it is security officers. In the case of the security technology company, it is cameras, alarm systems, etc. This should come as no surprise. They were asked for a solution, and the only solution they can provide involves the services and products they offer.
The likely result is that security officers and cameras are put in place, and the senior executive of the business is told that security is in place and everyone can get back to concentrating on the business of the business.
In reality, the business does not have “security.” It has security officers and cameras. Security officers and cameras are not security; they are security tools. They may or may not be the right tools given the security issues facing the business. And even if they are the right tools, it is possible they are not being utilized the right way. Worse yet, the business may not even be addressing the most critical risks it is facing, because it is simply reacting to one, or to the most recent, incident.
The business therefore faces a dilemma. No one knows if they have the security they need because no one knew what questions to ask or how to get the right answers. There was just a need to “get some security.”
This book will help solve that dilemma. It is designed to help non-security managers who have responsibility for a physical security program, whether they are responsible for:
• Starting a new program
• Managing a security professional responsible for an existing security program
• Evaluating recommendations from security vendors and consultants.
This book provides tips, key points, and a wealth of hard-earned knowledge necessary for avoiding pitfalls when establishing and/or managing a security program for the business. It suggests ways of thinking about security that will be useful in understanding not only what needs to be done and how it needs to be done, but also why it needs to be done.
By applying the knowledge gained from this book, the non-security manager will significantly improve the chances of implementing, managing, or overseeing a program that is both effective in managing the security risks and challenges facing the business and efficient in the use of the organization’s resources.