The Illusion of Security
It would seem axiomatic that if threats and hazards remain unidentified, vulnerabilities unacknowledged, incidents unrecorded and risk unqualified, that security must fail. In reality, however, it often succeeds, albeit more by good fortune than sound, strategic planning. It succeeds at one specific level, in that the most common threats can be guarded by the most common defences, in other words, those defences provided by physical security assets. There is, therefore, an illusion created, both objectively and subjectively that security is visible, (CCTV cameras and access controls) working, and is effective; objective in the sense that a seeming strong physical feature is a defence against all vulnerabilities and subjective in the sense that the resultant complacency becomes a by-product of the ‘visual.’
The illusion of security at work satisfies a variety of demanding issues; corporate management’s requirement to discharge, (mistakenly, as it often transpires), best practice, deterrence by means of the visual existence of security assets, and the comfort and morale of staff. Security manpower provision, with the hours of deployment of staff inherited, unquestionably from contractor to contractor, and a by-product of stultified tender processes, may further enhance the deterrence factor sometimes in a positive way, but more often further compounding the illusion that security is working. The test of manpower’s efficacy is the extent to which deployed security officer’s duties morph into pseudo-security and facilities management. The more non-core duties that security personnel adopt, the more obvious it is that security is failing.
The question as to whether security fails is not absolute, as whilst it may fail the test, of a value sensitive, risk driven and strategically thought out process, it often succeeds, albeit as we have said, against the most common threats. Security, as practiced by the many organisations, works against what may be considered, seemingly, the most common denominators of threats and hazards – break-ins and fire.
The conclusion, drawn from our many years of experience, is that security does fail the test of value and nowhere is this more obvious, from the businesses surveyed, than in the provision of security manpower. Inherited hours of manpower deployment are often accompanied by the narrowest of inherited site assignment instructions, predicated and mandated in ignorance of the wide range of potential security weaknesses that, in the absence of risk analysis and assessment, remain unexposed. Investigation also reveals that the tasks and duties of the manpower equation of the overall security jigsaw, operates at one speed, taking no cognisance of the rise and fall of the macro-environmental, national risk. When the nation’s threat level increases, it can be observed form the assignment instructions that the tasks and aims of security personnel will invariably remain unaffected and not mirror the necessity for increased vigilance and tasks appropriate to reflect the heightened risk.
Technology solutions fare little better in the ‘value test’ and whilst the acknowledgement by corporate management that an apparent solution to manpower costs may well be the application of sophisticated security systems, most substitutions are driven by the suppliers sales efforts, with the emphasis on equipment complexity, not operational functionality, or even necessity. The absence of an Operational Requirement (OR), carried out to assess the operational needs and functionality of security systems prior to instalment, be they CCTV, access management or alarms and signalling, further ‘tilts a lance’ at the ‘value test’ in terms of success or failure of the security operation.
Enterprise risk management is now an established element of the body corporate, driven in the main, especially within those ‘main board’ listed companies, by the need to comply with the risk specified issues outlined in the Combined Code of Corporate Governance, or qualify their annual accounts accordingly and face the potential ire of the markets. There is an evident, disconnect, or ‘firebreak’ passed which, in most investigated organisations, that the enterprise risk matrix stops and that is at the door of the ‘downside’ risks from security threats of man and the hazards of the environment. The ‘Code’ it should be said, however, makes no distinction and expects a company to approach risk in a ‘top to toe’ manner, not distinguishing between the potential upside risks of the companies enterprises and the downside risks of security threats.
There is consistent evidence of what can be termed ‘management snobbery’ when compiling what may be a very sophisticated enterprise wide risk register, leading to a tendency to ignore those singularly ‘downside security issues perceived as ‘below the waterline.’ This disconnect is often subjective, not simply a function of the fact that systems are not in place within the security division to produce their threat narrative, rather it is symptomatic of the role in which security, as a corporate department is perceived. The ‘man on the gate’ and the ‘camera on the wall’ become a visual metaphor for how unsophisticated in its operation, senior management perceive the role of security.
The objective of security to protect against criminal and malicious acts can become secondary to the imperative for it to be able to face the day-to-day challenges of operating within what can be termed the organisational culture. Entities operating within certain industries, where ideas and the flow of information are key, can develop a culture, one consequence of which is to labour under the mistaken impression that locking a door, managing strict access and access to sensitive information, all restrict the intellectual flow of information, thereby becoming an impediment to core, business processes. Where a higher than average staff intellect is added to the mix, then resistance to these apparent and inconvenient restrictions on the ‘individual,’ even for the benefit of the many is likely to further challenge even the simplest of security practices and procedures. The security department will be continuously dealing with a variety of arguments against its mandated procedures, however specious the argument may be.
Risk Management can be defined as “a systematic way of protecting the resources and income of a business against losses, so that the aims of the organisation can be reached without interruption.” No security programme can be effective unless it is based on a clear understanding of the actual risks it is designed to control and the value of the programme depends on its appropriateness and the relevance of resources. In other words, cost justification means not spending more than the benefits derived are worth.
Our range of consultancy services include;
- Threat, Risk and Vulnerability Assessments
- Socio-Political Risk Analysis
- Security Audits
- Strategic Reviews of Organisational Security Infrastructure
- Preparation of Security Policy, Strategy and Procedures
- Integrated System Design
- Incident, Crisis and Contingency Planning
- Business Continuity Management Systems – Impact Analysis and Design
- Developing Operational Requirements (OR) for both systems and manpower