The discipline of security management is constantly evolving. Not only must practitioners hone the traditional side of their role, but they should also be looking to develop the business management function. David Cresswell explains how the various tasks may be brought together in one neat package.
The old concept of a security management operation being confined to a specifically-defined site and focused on the protection of its static assets is fast giving way to a far more dynamic concept of integrated security operations management in which security risk analysis and risk mitigation are key considerations in every business process, system and activity.
In turn, this change in mindset is redefining the essential characteristics of what it is to be a security operations manager. Alongside their traditional ‘guarding’ and crime prevention roles, they must now afford equal attention to their development as business managers.
Necessary core competencies
In order to effectively exercise a security operation, managers should possess ten core competencies. They need risk management skills: the ability to analyse and quantify risk using standard methodologies, and to select an appropriate mitigating strategy. Loss prevention skills are equally important, encompassing security surveying, stock accounting, operational understanding, Health and Safety and fire safety. In terms of data collection and analysis skills, security managers must be able to collect and analyse data, and then convert it into security intelligence.
Technical skills – ie the ability to apply cost-effective security measures that will deliver a quantifiable return on investment – are a prerequisite, as are security programme management skills (which, in line with the corporate vision, should include all key assets for dealing with information systems management and issues like staff travelling and working overseas).
Crime prevention and crisis management skills are a ‘must have’. The former encompasses an understanding of criminal motivation, methods and the practical application of main crime prevention theories, while the latter looks at crisis management co-ordination, business continuity planning and disaster recovery.
The business management skills mentioned include finance, business administration, marketing, managing change, leadership, negotiating, contract management and project management, etc. Closely linked with these are the necessary interpersonal and investigative skills, focusing on relationship building, leadership, influencing skills, negotiation, presentation and listening skills. You’d also be talking about scenes of crime administration and evidence gathering, analysis, interviewing and report writing, etc.
Dependence on IT systems
One key security vulnerability which is not well understood by many security managers is Information Technology (IT). Most businesses are now critically dependent on their IT systems. Threats to these systems have – according to IT industry sources – increased exponentially during recent years. Several companies, particularly those in the financial sector, are now addressing this deficiency by sponsoring suitable security specialists through HND studies in computing. As more and more security systems are integrated with common IT platforms, so the benefits of such training are enhanced.
Journey management is another key area of security operations management, focusing on staff who are travelling and working overseas. Failure to brief and adequately prepare employees working overseas – and who subsequently fall victim to local security threats resulting in injury or death – could lead to litigation and serious corporate reputational damage. Businesses have a statutory duty to assess all of the risks to their staff. Failure to do so could expose security managers to a charge of negligent failure to plan.
In many environments, counterfeiting and product diversion are a threat which denies businesses worldwide billions of dollars each year and damages brand reputation. Brand enforcement must be a key security operations activity and be pursued with vigour, in conjunction with experts from sales, marketing, manufacturing and legal affairs.
Protecting sensitive information
The threats to a company’s information security cannot be overstated. Security operations should be designed such that, as far as is reasonably practical, sensitive information is given the protection it deserves.
Information threat sources include competitor companies, professional information brokers, contractors, employees planning to leave the company and foreign Government officials.
Protecting sensitive information is a tricky task, and requires the full participation of each and every member of staff. In a staff of several hundred, information need only have one point of leakage to be compromised. The alternative is to bury one's head in the sand. In other words, there is no alternative.
On a par with losses due to information leaks, IT threats, counterfeiting and product diversion are losses caused by fraud. Security operations should therefore be capable of supporting line management to root out this most insidious of threats.
A number of reliable estimates suggest that corporate losses due to fraud equal 5% of the bottom line. In truth, few frauds are discovered as a direct result of good security work. In this regard, security operations should be aimed at providing short fraud risk management orientation programmes for all line managers, coupled with a technically capable and credible investigative response (usually in partnership with internal audit officers).
The threat is changing
The nature of the threat posed by Al-Qaeda is unprecedented in the UK. It would be fair to say that security operations management must switch out of its ‘IRA threat’ mindset now in order to meet the challenge head on.
Security operations in sensitive locations must begin to focus on access control, on creating stand-off areas between weapons and their potential targets, on erecting barriers to impede the advance of a moving vehicle suicide IED and on emergency rescue in reaction to a no-warning detonation in a built-up area.
Source
SMT
Postscript
David Cresswell CPP is managing director of ARC Training International (www.arc-tc.com), the specialist training provider for security managers