The Effective Security Manager - Essay Example

The Effective Security Manager “Without a knowledge and understanding of financial management and accounting, it is unlikely that a security manager can operate effectively and successfully in terms of both internal and external organisational environments” The above statement apparently demeans the capability of a traditional security manager to handle security issues in an organization effectively without financial management and accounting skills. However, there must be a valid reason why such statement was made and therefore it is only fair that we should methodically analyze it. The discussion on this paper will initially focus on the minimum requirements necessary to become a security manager and its typical role in both internal and external organization security management. Next will be an analysis of security issues in an organization followed by symmetrical discussion on the validity of the argument presented. The paper will then conclude with the final assessment of the facts and its overall conclusion. Primarily, as the resident expert on information security issues, a security manager must be qualified and equipped to manage an organization security program. An average security manager according to Boyce and Jennings (2002) is not only knowledgeable with the technical aspects of the system but also confident enough to ask the right question when additional information is required. He should demonstrate the ability to translate technical security requirements into an understandable language for management and general users. His knowledge should not be limited to textbook specifications but rather extend to real world applications of security directives, regulations, standards, and policies. In the same way, he should not restrict himself to the institutional knowledge of an organization but should possess an in-depth understanding of the organization’s mission, objectives, strategic goals, and business processes to ensure the effectiveness of security policies and procedures (98). He must be meticulously familiar with all techniques and technologies inherent in his functions (Fischer and Janoski 2000, p. 140). In other words, he should know the organization’s history, products, business environment, competition, long and short-range plans, cost of business and product value (Boyce and Jennings 2002, p.98; Fay 1993, p.187). Combining the business view with the technical view is requisite to moving security to a strategic role (Wylder 2004, p.7). More importantly, a security manager must set the tone for the entire security operation across the organization particularly in a large multinational corporation as strong leadership is essential and requires a significant effort on his part (Fay 1993, p.187). In the real world, technology is fast becoming more complex and specialized thus security managers should be an expert in many different areas. Furthermore, security guidance often is too confusing to implement and therefore he may be required to write applicable policy for local business processes. At the minimum and varies from one organization to another, he should posses an undergraduate degree in a technical discipline or a certification from a reputable security management authority. However, there is no guarantee that such credentials is more qualified to be an effective security manager and it is more advisable to look for references and employment history than base a decision solely on the basis of education level or professionalized status. The reason is not to downplay the importance of education but flexibility since it would be a shame to eliminate a well-qualified candidate with years of real-world experience solely on the grounds of insufficient formal training (Boyce and Jennings 2002, p.98). On the other hand, Fay (2003) and Wylder (2004) states that traditional security management education that is mostly focus on security and safety courses is no longer the trend (248;19). The traditional role of security managers “has changed and will continue to change” (Fischer and Janoski 2000 p.20). Although they will remain as a major focus of security education programs, security managers of the 21st century requires extensive knowledge of other areas that includes but not limited to law and business management if they are to be successful (Fay 2003, p.258; Wylder 2004, p.19). It is a shift to “generalist knowledge” contrary to expertise in only few areas of security (Fischer and Janoski 2000, p.20). In addition, Fischer and Green (1998) states that security leaders of our time should be also flexible and able to predict and manage change. Moreover, businesses will continue to stress the benefits of cost management thus profit margins must be improved and security will be expected to put forward its fair share. In this situation, the security manager will become a security program educator and a sales person thus; he must also learn to sell security like any other product (511). Sharing the same view, a security manager cannot linger as merely “security expert” or a technician with high degree of experimental or practical information to be eligible for a certain basic preventive and investigative tasks. In this regard, an organization that recognizes the importance of security as an organic part of its enterprise should start creating new organizational function. Security is therefore is as important as marketing, production, finance, and personnel and as a result, security manager’s role is far beyond the time-honoured position of principal in-charge of burglar alarms and package inspections. He must then learn to develop additional skills such as planning, motivation techniques, public speaking, personnel management, and budgeting. Security managers now become “jack of all trades” (Fischer and Janoski 2000, p.24). These qualities will not only prepare him for the future but it will certainly make him effective in his current job (Fisher and Green 1998, p.113). In view of financial management skills as stated in the central argument, a security manager according to Boyce and Jennings (2002) is selected more likely for technical comprehension and management skills. However, since people relation skills contribute to effective people management, it also comparatively necessary to incorporate financial management skills because security managers do play a vital role in the organization’s budget in order to plan and execute a security program. In addition, a security manager may need to do some budgeting of his staff’s training and travel expenses. Subsequently, he must learn them from the budget and finance personnel regarding all available sources of income and look for monies and allocations specifically for security initiatives. More importantly, he must be aware of the Operations and Maintenance Cost and understand the terms under which the money maybe obligated (102). For instance, a security manager maybe asked to analyze an operation spending and he should present the probable outcomes of operating at different cost levels. This will consequently force him to seek other alternatives and at the same time give management an option in reducing or eliminating an activity. The budgeting process is an extensive task and he must be aware of this, since he will play an important role in the organization’s spending policy and cost management development (Fay 1993, p.93). “A security manager who reports to the chief executive officer is more likely to succeed than one who reports to the personnel manager” (Fischer and Janoski 2000, p.3). Therefore, a security manager should learn to face the reality that in any organization, security spending is an overhead. He may need to spend more time justifying his budget than actually doing security, as many managers are not aware of the value of their organization’s information and reputation or the relationship of security to their organization’s business processes. Moreover, security managers themselves are having difficulty evaluating substitute security designs and mitigating security technology investments because the technology benefits are too complicated to estimate (Butler 2002, p.1). He must therefore try his best to convince the organization’s upper management that security comes with a price tag and elucidate the merits of any resources invested in the cause of security (Boyce and Jennings 2002, p.102). “Educate” his peers and superiors (Fischer and Janoski 2000, p.4). Moreover, because most CEO thinks in terms of profit, a good security manager must find ways of selling security as a cost-effective investment (Fischer and Green 1998, p.511). This is exactly what Fay (1993) considers as an effective security manager, a person who shares the same characteristics or who at least recognizes the effect they have on the organization and is able to adjust (374). He will have to present a well research answers supported by sufficient documentations every time he has to ask the upper management for a budget. These justifications can be in the form of cost-benefit approach and loss prevention strategies but he should not fall into a trap of over-emphasizing the results since this may send a wrong message that the current preventive control is a failure (93). He must realize that organizations make profit in two ways; they either increase sales or reduce cost. It is also important to know that cutting cost is more than cutting positions and he must be able to argue that short-term cost cutting in the loss prevention area may jeopardize profit in the end. In the future, according to some experts, the way security managers will protect a facility will not be based on the seriousness of the threat alone but with cost introduced into the equation (Fischer and Janosky 2000, p.160:275). The argument that security managers should possess financial and accounting skills to be effective is in a way true considering the modern trends in security management and business requirements. However, one must realize that this is not a common practice yet, as traditional security management still prevails, and adoption of this approach varies from one organization to another. More importantly, effectiveness is not possible if some significant factors surrounding the security manager’s initiatives are absent. According to Sheppard (2007, p.1), in theory, security awareness process is straightforward and painless but in the real life, this can be a gruesome headache for security managers. Furthermore and as we said earlier, a security manager must know the elements of their particular industry because security measure varies tremendously from one organization to another. For instance, security policies for financial institutions would be entirely different from a construction company. Although being well versed on corporate goals, initiatives, and policies is an asset of a security manager, understanding the employee universe-size, makeup, management style, and culture is another challenge he should endure. More importantly, in the absence of visible corporate backing, employee participation in any security program will be less fruitful particularly in an understaffed organization where training for security programs is seen as a valuable trade-off. It is therefore essential to have a visible executive stewardship otherwise; security manager’s initiatives are doomed to fail. The reality that a security manager can only work within the parameters of what is acceptable to the organization he protects and within an acceptable cost, no matter how good is his initiatives are; they are still subject one way or another to certain restrictions (Fischer and Green 1998, p.295). In general, a security manager with a financial management and accounting skills is no doubt an advantage that can boost effectiveness. However, we cannot readily assume that traditional techniques plus these skills is a complete equation of security manager’s effectiveness as there are other factors involved. Therefore, we can only agree that such additional skills are essential and constructive and security managers should adopt them. Moreover, we cannot deny the fact that in the real world, businesses seeks cost effective security measures and apparently, this is not achievable if a security manager’s knowledge is restricted to technical and safety processes. He has to be involved in financial management and accounting to help the organization get the most of its security investments. He should play an active role, participate in the organizations business strategies, and align his security budget with the changing business circumstances. Security is apparently an expense and therefore subject to budget limitations and management scrutiny thus a well-versed business oriented security manager can successfully push his agenda and get his security budget approved. In sum, although the minimum requirements for an average security manager is sufficient knowledge of the technical aspects of the system and the ability to apply security directives, regulations, standard, and policies in the real world, he should not remain and restrict himself from other important aspects of his job. He should at the minimum, learn and understand his organization’s mission, objectives, strategic goals, and business processes. More importantly, he should combine business view with technical view and set the tone for the entire security operations across the organization. Strong leadership is indispensable particularly in large multinational corporations and he should devote significant effort to attain it. Undoubtedly, traditional security management is no longer viable and even if they remain a major part of security programs, extensive knowledge of other areas of business is undeniably crucial. Security leaders of the 21st century should be flexible and prepared to predict and manage change as security is equally important as marketing, production, finance, and personnel in any business. The reality that security managers who do not participate in an organization’s budget planning and cost-saving programs are worthless and unproductive; financial management and accounting skills is ostensibly sensible and advantageous considering the impact of security operation spending in the organizations financial circumstances. Furthermore, the fact that many managers considers security spending as an overhead, a security manager with financial management and accounting skills is more likely to convince the management of the merits of any resources invested in the cause of security. More importantly, he can think in terms of profit like most CEO and can sell security as a cost-effective investment. Finally, since the future of security management will be mostly cost-cutting and profitable investments, an effective security manager will probably present his security agenda with the combination of cost analysis and threat assessments. Bibliography Boyce Joseph George and Jennings Dan Wesley, 2002, Information Assurance: Managing Organizational IT Security Risks, Published 2002 Elsevier, ISBN 0750673273 Butler Shawn, 2002, Security Attribute Evaluation Method: A Cost-Benefit Approach, Computer Science Department, Carnegie Mellon University, Pittsburgh, PA 15213 Fay John, 1993, Encyclopedia of Security Management: Techniques and Technology, Published 1993 Elsevier, ISBN 0750696605 Fischer Robert and Janoski Richard, 2000, Loss Prevention and Security Procedures, Published 2000 Elsevier, ISBN 0750696281 Fischer Robert and Green Gion, 1998, Introduction to Security, Published 1998 Elsevier, ISBN 0750698608 Sheppard Colin, 2007, How to Reach Decision Makers: Success Strategies for Security Awareness, online, last access: 10/03/07, available at http://articles.techrepublic.com Wylder John, 2004, Strategic Information Security, Published 2004 CRC Press, ISBN 0849320410 Read More