Isn’t it time that we stopped apologising for security?
We are often asked “how would you convince a CEO that security is not just a drain on the bottom line?” and our answers range from the convincing to mere clutching at straws. But is this the right question to be asking? Security costs, that’s a fact. But so do assets, intellectual property, reputation, and people. Security doesn’t directly add to the bottom line, not often anyway, but does it need to?
It all boils down to education, communication, and corporate responsibility. There are some legislative drivers around data protection, occupier’s liability, and health and safety law; however, the simple fact is that security is a necessary evil. How much security is perhaps the more appropriate question we should be asking, and rather than apologising for its existence and trying to find financial justification, we should be articulating the value of a well-informed security solution.
Security touches every single aspect of modern business, from the traditional protection of assets, to the less mature protection of intellectual property and reputation. Security offers investors confidence that an organisation can effectively manage risk and increases employee productivity through increased organisational engagement.
Security can improve life-safety functions such as fire detection and evacuation, and not just through using security guards. Security can improve efficiency, and provide a better understanding of clients and their needs. Security also forms a critical part of organisational resilience and crisis management. In professional circles, we’re really good at talking about security as a risk based discipline, but when we talk to non-security professionals we try to make excuses for it by demonstrating a return on investment or offering security as a business enabler.
But, as a risk based discipline, it should be placed in the same categories as other risk functions, which are equally considered a ‘grudge purchase’, but perhaps with more acceptance and understanding. If security risk is properly communicated, that CEO decision changes from being purely financial, to one of exposure to risk, or liability. If that risk is unacceptable, the decision is not ‘how can security add to the bottom line?’ or ‘where is the return on investment?’ but now ‘what do we need to do to lower that risk?’
Risk is a product of threat, vulnerability, and consequence. Risk can therefore be controlled in a number of ways, and the most effective security solutions will consider each factor individually and interdependently, to understand how they will affect the business of the organisation. If a risk is intolerable, a simple solution may be to cease a specific activity; however, the effect of this may be prejudicial to business efficacy.
Similarly, addressing the vulnerability, the realm of physical security, may require so much investment that the solution becomes disproportionate to the risk. Consequence can be addressed in a number of ways, but predominantly it can be achieved by devaluing the asset should it be lost, stolen, damaged, or destroyed.
To be able to understand and manage the ‘business’ role of each of the security risk factors, the security risk manager needs access to, and decision making authority within, all areas of business. To achieve this, that person needs to sit at the highest level within an organisation, or at least have top level support.
Put simply, security is not confined to that dark room in the basement where the CCTV monitors exist, nor is it confined to the men and women standing in the entrance foyer in their suits. Security impacts on and is impacted by every single aspect of modern business and as such, every successful part of a business should be viewed as the ‘driver’ for security, or the return on investment.
There are, sometimes, opportunities to show how security is an enabler, or provides a return on investment, especially with the advances in intelligent buildings and building management systems; however, these should perhaps be seen as a bonus to the real function of security, that being to reduce organisational risk and improve organisational resilience. Well-founded, risk-proportionate advice needs no apology; it is justification in itself.
Head of Security Engineering
LLB Hon’s MSyI