If the management of security operations is to survive as a core business activity – and thereafter develop in both scope and value for money for the host company – security managers must view themselves less on the basis of their own individual skills, backgrounds and experiences and more on the specific requirements of the end user business.

The security management profession is at a pivotal stage in its development. With the relentless trend towards outsourcing, business activities which are seen as non-core are being contracted-out to external service providers. Some of those in the business arena believe security management functions fall into the non-core category.

The challenge for current security professionals, then, is to reverse this perception. They need the determination and vision – and, above all, the ability – to convince company managers and directors that the management of security operations is every bit as much a central business activity as marketing, finance and human resources.

For security operations management to survive as a core business activity – not to mention develop in scope, efficacy and value for money – security managers must view themselves less on the basis of their own individual skills, backgrounds and experiences and more on the specific requirements of the end user business.

Importantly, the in-house security professional must be able to demonstrate – by way of standard business tools – that his or her operation is indeed delivering a quantifiable return on investment.

It’s hugely important that the security manager strives to become a key corporate player, rather than simply being the corporate ‘umpire’. This inevitably means that there’s a considerable learning curve to be overcome, not just in the acquisition of modern business management skills but also in becoming intimately conversant with their own business processes, products, markets and short and longer term strategic goals.

The nature of security operations varies from organisation to organisation, from sector to sector and country to country. Whereas in some operations the remit may focus specifically on physical security management, in others there may be a Health and Safety or information security role. Elsewhere, the emphasis may be on investigations and crime prevention. In many UK-based enterprises it’s normal for the emphasis to be on the prevention of crimes perpetrated by both employees and outsiders. Here, fraud is probably the greatest risk to be addressed.

Overseas, the emphasis may be very different. In Nigeria, for example, the major operational headache for security managers is local invasion, premises occupation and (sometimes) hostage taking by groups of violent youths. In Russia it will be networks of corruption at the highest level within enterprises, whereas in Pakistan the key operational management issue may be simply to steer an enterprise through a very risk-prone ‘security soup’ of social and civil unrest, terrorism, kidnapping and extortion.

Proactive and reactive tasks

Security operations may be broken down into both proactive and reactive tasks. Typical proactive tasks include the creation and operation of a formal programme of security risk analysis, intelligence gathering, risk forecasting, a formal programme for risk treatment (accept, reduce, transfer, eliminate etc), security surveys and audits, creating integrated security systems, producing procedures and post orders, liaison and networking (internal and external), pre-employment screening and due diligence, business continuity planning and crisis management planning and co-ordination.

Other proactive tasks for the security manager would include contingency planning, the application of crime prevention measures and target hardening, the establishment of an incident reporting system and incident collation and analysis. Budget planning is another important role.

A crucial first stage in the establishment of an effective security operations management programme is the formation of a security policy endorsed at Board level. A typical policy statement might read: “It is the duty of all employees and contractors to contribute towards the maintenance of an environment in which the operations of this company are not exposed to unnecessary risk, threat or interruption. This will be achieved by special means to protect people, assets and information, and the full adherence of all staff to security procedures.”

Security policies tell employees and contractors what’s required of them. How they achieve the organisation’s security objectives should be communicated through written protocols and procedures. The specific tasks of the Security Department, the routines and emergency procedures ought to be guided by detailed written assignment instructions. These provide for accountability, measurability and consistency.

Security managers must not only be fit for their role but also suitably qualified. In the UK, the most popular security management qualification is the ASIS International CPP (Certified Protection Professional) (‘Why should you become a CPP?’, SMT, March 2004, p51). In early November, over 20 UK-based managers (the highest number ever) sat the gruelling 200-question CPP examination.

The emphasis in security operations management should be on the creation of business integrated security. If security is to function at its most effective, it has to be fully integrated into the host business. In this regard, it’s important that senior security executives create the vision that security is a core business activity, not merely an internal police and guarding service.

The security manager must ‘plug in’ at the highest possible level. For example, the head of security at an oil refinery should report directly to that refinery’s general manager, or at the very least to some other member of the Board. In relaying his or her vision of the business, the security manager should also create a mission statement for the Security Department.

Such a statement might read: “We will work with employees and contractors to achieve a stable and safe environment in which the business, its individuals and groups may pursue their legitimate aims and objectives without disruption or harm and without fear of loss or injury. Together, we will strive to ensure that the business is able to continue its normal activities without disruption.”

Tact, diplomacy… and compromise

In order to function effectively, it’s important for the security manager to develop a good relationship with ‘internal customers’. With this in mind, a great deal of tact, diplomacy and, on occasion, compromise is required. For example, the Human Resources Department will naturally consider itself the ‘lead agency’ on matters concerning personal discipline. After all, these are the individuals who ultimately issue suspensions. With the notable exception of the retail sector, very few security managers have the personal authority to suspend an employee, even if he or she is suspected of having been involved in some kind of serious offence.

Information Technology (IT), too, is a discipline with which the security manager must liaise. While it’s the IT specialists who are knowledgeable about specific IT threats and countermeasures, their activities should be part of an overall security strategy, one to which the security manager must have a central – and vital – input.

Internal relationship issues are particularly sensitive and totally dependent on the corporate culture and structure. Particularly in the early stages of a relationship, direct attempts by security managers to circumvent ‘the system’ will lead to frustration of the manager’s efforts. In the longer term, this is nothing but counter-productive.

Security is very much a risk management discipline in its own right, and not a subset of administrative services, Human Resources, facilities management or Health and Safety. While the discipline of security may well rest comfortably alongside these areas, in those situations where it has been subordinate to any of them, the effectiveness of creating a fully-integrated security operation is highly likely to be lessened.

Quietly influencing management

To be effective as a security operations manager, a security professional must be a modest, undemonstrative, resourceful, self-sufficient and extremely well-organised individual with an innate ability to ‘gel’ with others and a healthy appetite for personal development. He or she should be goal-led, and ought to be adept at managing time.

Perhaps most important of all is the ability to communicate at all levels and to quietly influence management. The head of security for one major regional oil and gas operation openly admits that his company recruits on the basis of the so-called ‘softer skills’ (‘Developing the softer skills’, Career Development, SMT, September 2004, p59), commenting that the ‘technical’ (ie pure security) skills may be added later. Typical effective leadership traits – such as integrity, vision, loyalty to the group and sound motivational techniques – are all essential qualities that every security manager should strive to embrace.

Finally, an effective security operations manager will demonstrate his or her ability to truly balance their own specialist needs with those of the organisation they serve.