
VALUE ADDING THE SECURITY FUNCTION IN ORGANISATIONS

By A K Moorthy, CPP, FSyI, FISM
Principal Security Consultant, S M Security Solutions Pte Ltd

INTRODUCTION

In the current global security climate, businesses worldwide are incurring rising costs in meeting the threats to security posed by the risks of terrorist attacks, criminal acts, attacks on information systems, natural and man-made disasters, pandemic flu and so on. It was estimated that the costs arising from value losses, hefty increases in security spending and insurance premiums, and a spate of new government security regulations and requirements amounted to more than US$12.5 billion (Hulme, 2004). Security is emerging as a critical success factor not only to ensure the protection of organisational assets (i.e., people, property and information) but also to facilitate business continuity.

Security is influenced not only by the dynamics of the internal environment within an organisation but also by the pervasive influence of its external environment, i.e., the political, economic, social and technological environments. These external forces will have a strong impact on business processes, strategies and the security of organisations. This is further compounded by the effects of globalisation, which create mutual interdependence in the world's economy. Under such circumstances, organisations can expect tremendous opportunities on the one hand and yet find themselves exposed to new risks on the other. Such a scenario demands that risks be identified, mitigated, and managed so as not to impede the organisation's pursuit of its mission and goals.

THE ORGANISATION AS A BENEFICIARY OF SECURITY

Security's role and how it fits into an organisation's structure will depend on its parent organisation's needs and strategic drivers, i.e., the corporate mission, goals, objectives, and critical success factors. Organisations employ their internal structures, core assets and business and operating processes primarily to accomplish their mission and provide benefits to stakeholders. Anything that impedes assets and processes from their productive use will potentially undermine the organisation's ability to be successful. From this perspective, ensuring that assets and processes remain productive is the real benefit and focus of the organisation's investment in security. Hence, the ultimate beneficiary of the security functions that an organisation undertakes will be the organisation itself.

Managing security in the context of the organisation's strategic drivers creates advantages as well as conflict. On the one hand, this approach ensures that the goals of security management are forged from and aligned with the higher-level goals of the organisation. On the other hand, the strategic drivers and needs of the organisation are often in conflict with the actions required to ensure that assets and processes remain productive. In addition, as the organisation is exposed to more complexity and uncertainty (because of the dynamic environment in which it is operating and the uncertainty of risks occurring), ensuring that security functions and strategic drivers are aligned becomes increasingly complex. In the final analysis, striking the right balance between protecting the organisation's core assets and processes and employing them profitably becomes a challenge for security management and a significant barrier to effectiveness.

THE SCOPE OF SECURITY MANAGEMENT

Security, as it is traditionally defined in organisations, is one of the most pervasive problems that an organisation must address. Rarely has there been an organisational issue, problem, or challenge that requires the mobilisation of the entire organisation to resolve it. The sheer expanse of a security problem can transcend the entire organisation and pose many management challenges. Firstly, the most important areas of the organisation must be identified and targeted. This requires the organisation to make an inventory of what needs to be protected and why. In a large, complex organisation, this can result in the identification of hundreds of assets that are important to strategic drivers. Secondly, to secure this collection of organisational assets, many skills and resources that are typically scattered throughout the organisation have to be mobilised.

As security concerns the whole organisation, it simply is no longer effective or acceptable to manage it solely from the Security Department. Security managers have one of the most difficult jobs in executive-level management because their success depends on optimising the use of many of the organisation's capabilities and resources. In effect, security managers must mobilise many disparate parts of the organisation to work together and to expand their core responsibilities to keep pace with change. On balance, security management must support the organisation's efforts to be sensitive, flexible, and adaptive to its environment and must be able to make a measurable contribution to the organisation's bottom line and long-term resiliency.

Organisational resilience is the ability of the organisation to withstand interruptions or disruptions and adapt to new risk environments.

SECURITY AS AN INVESTMENT

Dealing with a complex operating environment is costly and it can significantly affect an organisation's profitability. Protecting the financial health and stability of an organisation is one of the most important issues for management. The resulting pressures from managing to the bottom line pose challenges for many activities throughout an organisation, especially for security management. Expenditures receive much of the focus in organisations because they affect the organisation's bottom line directly. Prudent financial managers scrutinise all expenses and make implicit, if not direct, risk versus reward decisions. Security management is no exception: it is often an expense-driven activity that can directly affect an organisation's profitability. It is no wonder then that organisations are reluctant to view security as an investment that can generate benefits to the bottom line.

The perception of security as an overhead is an unfortunate phenomenon caused by the lack of quantification and metrics as essential elements of security management. Most organisations do not normally require return on investment calculations for investment in security, nor do they attempt to measure or gather metrics on the performance of security investments. In the absence of a set of established and accepted metrics for measuring security return on investment (ROI), there is little an organisation can do on its own in this area other than perform measurement in the context of incident avoidance or impact of a realised risk (i.e., the impact costs less than the control, and therefore provides a return). Organisations are also faced with another problem, i.e., which security investments should be measured? Security technology, procedural controls, security personnel or security managers?

The difficulty of using quantitative metrics to measure the effectiveness or contributions of security to the ROI is a problem faced by the security community. Compounded by the absence of specific guidance, organisations have become quite accustomed to classifying expenditure on security activities as an expense item on their balance sheets. In much the same way as investments in information technology are now commonly being capitalised, the challenge for security managers is to convince the top management of the organisation to move security in the same direction. The change of mindset to characterise security as an organisational investment can help project the view that security can, at a minimum, preserve an organisation's bottom line, if not improve it.

An organisation that has successfully adopted security as an investment and enhanced its capabilities to secure its critical assets and processes and improve its resilience can increase its overall value in the marketplace. This increased value will be reflected as "goodwill" in its balance sheet. An organisation that can keep its core assets and processes in service in the face of an attack, accident, or failure (and actually improve their ability to adapt to future events) may be worth more than one that cannot. It also gives it a competitive advantage over its competitors. The continued perception of top management in organisations of security as a necessary burden will impede security management's ability to do its job effectively at the organisational level.

SECURITY AS AN INTEGRATED FUNCTION

Security is a business or organisational problem that must be acknowledged and resolved in the context of the organisation's strategic drivers. The emergence of a risk-based paradigm for security demands a mission-centric approach to security (i.e., based on strategic drivers) for the total security of an organisation to secure its critical assets and processes. Total security will and must exploit the full capabilities of all security elements and employ the security resources in an integrated fashion.

The perception of security as a financial burden on the organisation is often a consequence of the tendency of many organisations to consider security as mainly a personnel- and procedures-driven activity. The security industry itself contributes greatly to this incorrect perception. An imbalance of, and over-reliance on, a particular means that fails to integrate personnel, procedures and technological security elements in the right proportions is a recipe for failure. Security management's ignorance of technological developments and their value as force multipliers in enhancing the capabilities of the security function to deter, detect, delay and respond to threats is one of the causes of this misperception.

Security managers must strive to remove the stigma that security is a function that is dominated entirely by personnel and procedures. Security management must have the professional knowledge, expertise and capability to articulate the value add and ROI that security technology can bring to security operations to convince organisational management to invest more in deriving a truly integrated security function that is progressive and dynamic. It is not so much a case of investment for more security but rather better security.

Security managers must resist the temptation of succumbing to the lure of the expensive and ever-increasing plethora of technological products and services that are purported to be able to "help" organisations get a handle on security management. Worse still, there is a propensity for some organisations to perceive security solutions in purely technical terms whilst ignoring the fundamental issues of management and operational weaknesses that are the root causes or contributing factors of poor security. The bias towards technological, procedural or personnel solutions will be detrimental to the organisation's perception of what constitutes adequate security and, worse still, project a false sense of security.

REGULATORY BIASES

A final consideration for security management is the organisation's regulatory environment. Just as the organisation must expose itself to its environment to operate, so must it be willing to accept some of the limitations imposed on similar organisations that operate in its competitive space. This brings another level of challenges that affects the organisation's ability to be effective at security management.

Regulations reflect the need for organisations in a particular industry to look critically at their protection needs and to implement corresponding security strategies and controls. While this may have a positive effect in elevating the need to focus on security, for some organisations it can also be detrimental in that regulations may become the organisation's de facto security strategy by default. Regulations can shift the organisation's focus away from organisational drivers to the compliance requirements of the moment. Complying with regulations is certainly an important activity in an organisation, but it cannot be a substitute for a mission-focused and strategic security management process.

Regulation is intended to improve the core industries on which it is focused, but compliance activities can give organisations a false sense of the overall effectiveness of their security programmes. For example, compliance with the Workplace Health and Safety Act (WHSA) and its regulations may improve the security of core assets that are subject to the regulations, but other assets and processes may be neglected and left unprotected. A compliance-driven approach to security may also cause costly and inefficient investments in protection mechanisms and controls to protect those assets and processes that are subject to regulation, when in fact this may not be the best use of limited resources of the organisation.

Organisation-centric approaches to security management consider the impact of risks and their effect on the organisation to determine which security activities and practices are best suited for them. In effect, this allows organisations to focus on their true security needs. Security management that is compelled to comply excessively with regulations can distract an organisation from this strategy by diverting its attention away from what is best in its unique organisational context.

SECURITY AS A CORE COMPETENCY

Organisations want to focus their energy on their core competencies, i.e., those functions and activities that define the organisation's existence and its value to stakeholders. The increasing trend in outsourcing of horizontal business functions by organisations supports this claim. For various functions, such as vehicle fleet management, it may not make sense to develop a core competency in the area if an organisation cannot realise a strategic and competitive advantage by excelling at it. On the other hand, organisations may need to develop a core competency in security management on the basis of their strategic drivers. Security is so closely interwoven with the success of the organisation in accomplishing its mission and improving its resilience that it is in the organisation's best interest to be competent at securing itself.

Unfortunately, the prohibitive costs and limited availability of security resources have made it difficult for some organisations to develop this competency. The questions of costs and retention of key security personnel have also discouraged executive-level managers from recognising security as a legitimate long-term investment in the organisation's strategic plan.

STRATEGIES FOR VALUE ADDING THE SECURITY FUNCTION

In the prevalent security environment, security management can be a complex problem for many organisations. Security management practices continue to evolve inside organisations, and have therefore yet to muster a fair share of attention and resources. This is partially a consequence of the organisation's inability to appreciate the value of security outside of financial considerations and regulatory compliance.

Many organisations are adopting a risk-based approach to security. The move to a risk-based paradigm is certainly a catalyst for moving security from a narrow field of specialisation to an organisational competency. Applying a risk perspective to security is a logical step, i.e., risk management is a basic business function, and whether it is done implicitly or explicitly, it must be performed at an organisational level to be purposeful.

Despite this paradigm shift, security still has significant challenges to overcome, notwithstanding the many definitions of "risk" and the somewhat negligent way in which risk is bandied about as a new buzzword in security. For example, the security industry offers many options and services for performing security "risk" assessments; however, at the core of these offerings is usually a traditional vulnerability assessment with little or no relationship to the particular risk drivers of the organisation. Organisations must also be aware that a risk perspective alone is not a panacea for solving all the problems they face in enhancing security to the level of other pervasive business problems. Organisations must re-examine their corporate culture and re-engineer their business processes to view security in the right context.

The following strategies will be helpful towards this end:

- Establishing a comprehensive risk management framework and process to identify and prioritise assets that need to be protected, the threats and risks to be confronted and the basis for business continuity.
- Aligning security goals and objectives to the organisation's business goals and objectives will help set appropriate targets for security and enable security to contribute towards the accomplishment of these goals and objectives.
- Investing adequately in security without undue emphasis on ROI. The goodwill, intangible benefits and value-add that can result from such an investment should be factored in. The basis for investment should be better security as opposed to more security.
- Exploiting the synergies that can arise by the integration of information security and physical security under a single management or the purview of an executive security committee. In the same vein, a balanced and integrated approach must be taken in the security architecture and posture adopted by the organisation.
- Conducting regular security audits, preferably once a quarter, to gauge the performance, reliability and effectiveness of security. Metrics should be developed to derive a quantitative basis to evaluate the results of the audit.
- Prompt reporting of security breaches to investigate and institute remedial and preventive measures.

CONCLUSION

The increasing rate of crime, terrorism, natural and man-made hazards all over the world is making the protection and prevention of losses of people, property, information and other assets highly complex and costly tasks. The multiplicity, diversity, complexity and severity of the threats and their consequences impose high expectations on security elements to "secure" the organisation in the face of these threats. The organisation's security elements must integrate personnel, procedures and technology in the right proportions to achieve balance and to provide comprehensive and cost-effective risk mitigation solutions. By so doing, security can be an asset as well as a force multiplier in an unpredictable risk environment. This underscores the need for highly skilled, motivated and professionally competent security personnel in the security organisation to face the dynamic security challenges and support their parent organisation to fulfil its corporate mission and goals.

Aligning security to the organisation's business drivers, treating security as an investment as opposed to expenditure and adopting a mission-driven approach to security management are promising and prospective strategies that will enable organisations to overcome the security challenges effectively and succeed in achieving their corporate goals and mission.

ABOUT THE AUTHOR

A K Moorthy, CPP, FSyI, FISM holds a BSc (Security) and Master of Security Management degrees from Edith Cowan University, Western Australia. He is Board Certified in Security Management (Certified Protection Professional) by ASIS International. He is also a Fellow of The Security Institute, United Kingdom of Great Britain and the International Institute of Security & Safety Management. He is presently a Principal Security Consultant with S M Security Solutions Pte Ltd, Singapore. He is a volunteer leader in ASIS International and is presently Senior Regional Vice President of ASIS International Group 18 (which includes India & South East Asia). Moorthy has contributed articles to regional security publications and has also presented papers at regional security conferences.

(The views expressed in this article are entirely the author's own and do not necessarily reflect those of ASIS International.)

References:

Hulme, G. (2004). Under Attack. Information Week, July 2004.
Barefoot, J. & Maxwell, D. (1987). Corporate Security Administration and Management. Stoneham, MA: Butterworth Publishers.
Bilek, J., Lefins, P., & Van Meter, C. (1977). Private Security, Standards and Goals - Private Task Force Report. USA: Anderson Publishing Co.
Burstein, H. (1996). Security - A Management Perspective. New Jersey: Prentice Hall, Inc.
Dalton, D. (1998). The Art of Successful Security Management. Woburn, MA: Butterworth-Heinemann.
Fay, J. (1993). Encyclopedia of Security Management. Newton, MA: Butterworth-Heinemann.
Fischer, R. & Green, G. (1998). Introduction to Security. Newton, MA: Butterworth-Heinemann.
Post, R. & Kingsbury, A. (1991). Security Administration - An Introduction to the Protective Services. Stoneham, MA: Butterworth-Heinemann.
Purpurra, P. (1991). Security and Loss Prevention - An Introduction. Stoneham, MA: Butterworth-Heinemann.
Robbins, P. (1991). Organisational Behaviour - Concepts, Controversies, and Applications. New Jersey: Prentice Hall Inc.
Sennewald, C. (1985). Effective Security Management. Newton, MA: Butterworth-Heinemann.
Thiede, B. (2002, February 25). After September 11, Security Gains Added Significance. Charlotte Business Journal, pp. 1-3.
