By John Cholewa
From the February 2019 Issue
Much of what is done in security is transaction oriented (i.e., tactical). There are photographs taken for ID cards, visitors processed, guard tours conducted, data entered into electronic access system databases, alarms monitored, incident reports taken, investigations conducted, etc. Transaction-oriented activities are necessary components of a security program. If there are no major incidents, however, it is easy to fall into a comfortable routine and think the security program is running smoothly and effectively.
But a program can be running smoothly and be failing at the same time.
To be truly effective, security programs must have both tactical and strategic components. Facility managers are historically good in the tactical area—the transaction-oriented elements—because they do it every day. Also, failure to do it properly results in immediate feedback in the form of customer complaints.
The strategic stuff is more difficult. It is not as visible within the business, and doing it poorly, or not at all, probably will not result in any feedback. The reason is that a loss due to a strategic failure frequently looks like a tactical failure. When a break-in occurs and the alarm system does not detect it, the response is to find out why the alarm system failed and to fix it. That is a tactical response to a tactical failure.
The root cause of the failure, however, may actually have been the lack of a strategic component to the security program. Would the alarm system failure have been prevented if a proper acceptance test (a strategic action) had been performed on the alarm system when it was first installed? Would it have been prevented if there had been a requirement to test the alarm system on a recurring basis (a strategic action) post installation?
As a real-world example, while conducting a vulnerability assessment (a strategic action) at a critical technical facility, my firm was assured by facility management that all exterior doors were alarmed and the alarms monitored. As part of the assessment, we propped open an exterior door in order to determine the response time. There was no response. We found the alarm worked properly, but the alarm monitoring process was flawed, and the alarm went unnoticed. That strategic action (the vulnerability assessment) identified a major gap in the facility’s security program, and may well have prevented a serious loss at a future date.
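The gap described above (alarm fires, nobody responds) is exactly what a response-time audit over the alarm panel's event log and the monitoring desk's acknowledgement log would surface. The following is an added illustration, not code from the article or from Mentor Associates; the log format, door identifiers and the five-minute response target are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical): door-held-open alarms from the
# panel, and the monitoring desk's acknowledgements. ISO-8601 timestamps.
ALARM_EVENTS = [
    ("2019-02-04T09:15:00", "DOOR-E3", "held open"),
    ("2019-02-04T11:40:30", "DOOR-W1", "held open"),   # never acknowledged
    ("2019-02-04T14:02:10", "DOOR-E3", "held open"),   # acknowledged late
]
ACK_EVENTS = [
    ("2019-02-04T09:17:45", "DOOR-E3", "guard dispatched"),
    ("2019-02-04T14:30:00", "DOOR-E3", "guard dispatched"),
]

# Assumed response target; a real value comes from the site's standard.
RESPONSE_SLA = timedelta(minutes=5)


def audit_alarm_response(alarms, acks, sla=RESPONSE_SLA):
    """Pair each alarm with the earliest later acknowledgement for the
    same door and classify it: 'ok' (within SLA), 'late', or 'unanswered'.
    Returns (door, alarm_time, status, seconds_to_ack_or_None) per alarm."""
    pending = sorted((datetime.fromisoformat(t), d, a) for t, d, a in acks)
    findings = []
    for t, door, _ in sorted((datetime.fromisoformat(t), d, k) for t, d, k in alarms):
        match = next((p for p in pending if p[1] == door and p[0] >= t), None)
        if match is None:
            findings.append((door, t.isoformat(), "unanswered", None))
            continue
        pending.remove(match)            # one acknowledgement covers one alarm
        delay = match[0] - t
        status = "ok" if delay <= sla else "late"
        findings.append((door, t.isoformat(), status, int(delay.total_seconds())))
    return findings


def monitoring_gaps(findings):
    """Count the alarms that reveal a monitoring-process failure."""
    return sum(1 for f in findings if f[2] != "ok")


if __name__ == "__main__":
    for f in audit_alarm_response(ALARM_EVENTS, ACK_EVENTS):
        print(f)
```

An alarm that works but is never acknowledged shows up as "unanswered" rather than as an equipment fault, which is the distinction the assessment made.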
The strategic failures are what cause security programs to fail invisibly.
When the tactical security tasks do not go well, it is a pain point for security management and maybe even for senior management. Although a loss could have been prevented by a strategic approach, it is viewed as a tactical failure by senior management.
When risks do not manifest themselves as losses, it results in organizational blindness to those risks. Why? It is the nature of senior management. Senior executives focus on two things: 1) those things that are causing them pain, and 2) those things that present opportunities for gain. Security functions are not viewed as opportunities for gain. If there are no security issues that make it to the senior executive level, they experience no pain. No pain, plus no gain equals no attention.
By default, the approach to security risks is often to ignore risks until there is a loss. How and why that happens is understandable, but it is not a responsible business strategy. Senior management has responsibility for protecting organizational assets. That means ensuring there is a complete and effective security function, with both tactical and strategic components.
A strategic approach to security ensures a culture and methodology conducive to the protection of assets. It prevents or reduces the impact of losses, and drives a more effective and efficient program. The specific elements of strategic security programs can vary from one organization to another based on type of business, but some elements are common to all organizations.
Threat/Risk Assessments. The ability to develop an effective security program is dependent upon having a clear and accurate understanding of the threats and risks facing the organization, and keeping abreast of the changing threat/risk environment. If the threats and risks facing an organization are not clearly and accurately understood, it is not possible for the security program to be tailored to mitigate them.
Critical Assets. If the security function is to be both effective and efficient in the protection of organizational assets, it needs to know which assets are most critical. Not having that knowledge results in everything being protected equally. That means some things will be over protected, which is a waste of resources, and some will be under protected, which exposes the more critical assets to unacceptable risk.
Guidance Documents. People want to do the right things, but the organization needs to tell them what the right things are. Guidance documents (e.g., policies, standards, procedures, etc.) perform that function. They set forth management’s expectations of employees regarding the protection of assets and set standards for how security is applied to protect those assets.
Vulnerability Assessments. Once employees know management’s expectations and the individuals responsible for applying security know what is to be done and how, there must be follow-up by the security function to ensure everything is going as expected. That is the purpose of vulnerability assessments. Those assessments perform a number of functions, such as: 1) auditing to ensure security standards are properly applied, 2) discovering malfunctioning security equipment, 3) identifying gaps in security procedures/processes, and 4) identifying new or changing threats/risks.
It is too easy to develop a strictly tactical security program—install a card access system, hire a few guards, install some cameras—and believe an effective program is in place. It takes more of an effort to develop a strategic program because the strategic components are not visible and resources must be allocated. The bottom line is that senior management takes a strategic approach to other areas of the business; they should also take a strategic approach to the protection of assets or risk having their program fail invisibly.
Cholewa is the owner and principal consultant of Mentor Associates, a security-consulting firm that specializes in guiding management in the protection of organizational resources. He holds a Bachelor of Science degree from the University of Maryland and a Master of Arts from Central Michigan University, is Board Certified in Security Management, and is the author of Developing and Managing Physical Security Programs: A Guide for Facilities and Human Resources Managers.