Feature Security Management Best Practice Read more online at www.securitymattersmagazine.com
risk with some trepidation, because
rather like defining terrorism, it’s a task
subject to personal interpretation. I tend
to define risk as the likelihood of a
negative occurrence, while at the same
time being very cognisant of the fact
that risk can also have a positive effect
on the business. For their part, banks
would not survive without taking risks.
My issue with risk management, or
indeed security risk management, is
that, historically, it has been ignored by
security managers as risk in general has
been the purview of other departments,
such as audit or compliance. Within this
section of the book, I describe the
importance of risk perception and
acceptance, making the point that
human beings tend to perceive risk
individually. Of course, that makes risk
acceptance – or identification of the risk
appetite – a somewhat difficult task.
The knock-on effect of this is that, if
the security manager is confused with
the risk management position of the
organisation, it’s very difficult for him or
her to make robust and effective risk
treatment options available to the risk
owner, which is normally the business
itself. In this area, I determine to
emphasise the importance of the
security manager fully understanding
the process of risk communication,
arguing that, in my opinion,
communication in general is poor
within the sector, with risk
communication often lacking when it
comes to overall credibility.
Business resilience
Another extremely important area in
which the security manager must
involve him or herself is business
resilience. This area can be divided into
four sub-sections: risk management,
crisis management, disaster recovery
and business continuity.
It can also be prefaced by a celebrated
quote from none other than Charles
Darwin: “It is not the biggest, the
brightest or the best that will survive,
but rather those that adapt the quickest.”
To my mind, it’s extremely logical to
categorise business resilience by
combining the four elements referenced.
Risk management has already been
covered here, but an understanding of
the relationship between risk
management and crisis management is
crucial, because as is often said, a crisis
can be defined as a poorly managed risk.
In terms of resilience, it’s absolutely
critical for an organisation to have in
place a robust and tested crisis
management plan that’s positively
supported by Executive Board
governance and, in tandem, a flexible
and responsive crisis management team.
If the crisis management strategy
practised by a company is somewhat
lacking in robustness, it’s likely that the
incident in play will develop into a full-blown
disaster which could cost lives
and realise business disruption. I would argue
that the term ‘disaster management’ is
inappropriate as critical damage has
been caused. The only option for the
organisation is disaster recovery.
The final piece of the business
resilience jigsaw is business continuity.
Whether the company has a credible
crisis management and/or disaster
recovery plan in place or not, if it doesn’t
have a business continuity strategy and
plan, business will be disrupted to the
point where financial losses are
unrecoverable and, inevitably, customer
confidence will swiftly disappear.
The remainder of the third section
covers Crime Prevention Through
Environmental Design, situational crime
prevention, physical and electronic
security systems and Defence in Depth,
the security survey and the security
audit, the role of the Chief Security
Officer and the Chief Information
Security Officer, cyber crime and the
cyber threat, Critical National
Infrastructure and terrorism and
counter-terrorism as well as aviation and
maritime security management.
There’s also due consideration of
supply chain security management,
hostile environment awareness, strategic
business awareness, fraud (and fraud
investigations), retail loss (in addition to
retail loss prevention methods),
workplace investigations and the all-important
topic of ongoing academic
and vocational qualifications.
Continuing Professional Development is
vital for today’s practitioners.
Vital asset
‘Professional Security Management: A
Strategic Guide’ is aimed at everyone in
the security sector who’s interested in
the future of our industry and believes
that it’s inhabited by true security
professionals who are vital assets to any
organisation. Not merely because we
look after critical posts and Control
Rooms on a 24/7 basis, but also because
we understand what business requires of
us: security risk management and
tangible business operations support.
In today’s world, security
practitioners assist their colleagues and
peers in sustaining and growing the
business through effective professional
security management. To those
practitioners one and all let me say
“Good luck” and keep on striving
diligently to do all that you can to stay
safe in these uncertain times.
Charlie Swanson MSc PG Dip CSyP is
Principal Trainer at PerpetuityARC
Training (part of the Linx
International Group)
(www.perpetuityarc.com)
‘Professional Security Management: A
Strategic Guide’ is published by Routledge
(ISBN 9780367339616)