Key Dimensions of Organisational Security
Issue 2: Organisational Security

Research overview

Organisations are becoming increasingly sophisticated in the way in which they organise security. An international study by researchers Briggs and Edwards (2006), conducted with corporate heads of security in the UK, India, South Africa and the US, identified how the profile of security within organisations is growing, and the portfolio of security departments is widening. Prior to the new millennium, it typically centred on the physical security of sites and buildings, people, equipment and products, but 9/11, they found, proved to be an important turning point in the way organisational security was conceived at board level. Today, as the authors highlight, the responsibilities of senior security managers may extend to responses to the risks associated with employee dishonesty, fraud, corruption and money laundering, as well as responsibilities for information security, business continuity planning and the management of crises, including natural and man-made disasters.

The widening scope of security risk is requiring security departments to become more aligned with the primary organisational objectives, a shift that is also about how to move successfully from ‘security as a cost’ to ‘creating value from security’ (ASIS International, 2010:5). This, along with the broader imperative for organisations to manage their risks more holistically, as set out in Issue 1: Enterprise Risk Management, requires the security function to be better integrated with other core business functions.

In this issue, the term ‘organisational security’ is employed, rather than the commonly used synonym ‘corporate security’, to emphasise that the considerations discussed apply to public and third sector organisations as well as private sector corporations.

Policy and practice overview

Such alignment has important implications for the way in which security is organised, its strategic approach, and the areas of responsibility falling within the security department. These topics are discussed in turn.

Security within the organisational structure

Effectively organised security, according to Briggs and Edwards (2006), allows for a clear philosophy of security linked to the organisation’s wider goals to be established and promoted upwards to the board, across the business functions, and downwards to staff members throughout the organisation. It is likely to include heads of security sitting on cross-departmental risk management committees and working groups in order to link to other areas of the organisation.

The authors provide no single model as to where security should be placed within the organisational structure. Based on their research, however, they argue that the most successful security departments have found a good ‘fit’ within the organisation, so that security is seen as something that adds to its success rather than holding it back. In these instances, ‘business imperatives drive security, rather than the other way round’ (p.21). In such cases, Briggs and Edwards assert, security departments have the ear of the board and senior management team. This means that their leadership needs to be placed fairly high up within the organisational structure.

Developing a security strategy

A security strategy, approved by the board, is essential in order to demonstrate how the security function contributes to the broader aims of the organisation. As observed by Perpetuity Consultancy (2010), an effective security strategy helps to ensure good security management throughout the organisation and is indeed an important part of its corporate governance.

A security strategy that is directly related to the wider organisational strategy is necessary in order to give a sense of direction to the security functions (including, for example, physical and personnel security), establish priorities, guide security activities, and document how security adds value to the organisation. Notably, in the research that informed their Security Strategy Toolkit, Perpetuity Consultancy found that only a third of the organisations in their study had a security strategy that had been approved by the board. This highlights the considerable room for improvement that, in practice, exists in the delivery of security in most organisations.

The development of an organisational security strategy involves an approach that is no different to other forms of decision-making at the strategic level of an organisation. It begins with an initial analysis/assessment phase, followed by subsequent stages of design, implementation and review. The primary elements of such an approach, exemplified in the methodologies published by Perpetuity Consultancy (2010) and the European Commission (2010), are summarised in Table 1 and described in more detail below.

Table 1: Phases in an organisational security strategy

Phase 1: strategic analysis
• Strategic analysis
• Threat assessment
• Vulnerability assessment

Phase 2: strategic design
• Defining the rationale
• Defining the strategic objectives
• Establishing performance requirements
• Outlining the security strategy

Phase 3: strategic implementation
• Implementation plan
• Communication strategy

Phase 4: strategic review
• Regular performance monitoring
• Strategic review

The strategic analysis phase involves a substantial intelligence gathering exercise, based on the analysis of the following elements of the organisation:

• Its reason for existing, expressed in terms of its values, vision and/or mission, and main objectives, based on, for example, a review of documentation and stakeholder interviews to illuminate both the business strategy and the risk appetite of the organisation;
• Its internal strengths and weaknesses, as well as the external opportunities and threats in the environment in which it operates (based on, for example, a SWOT analysis);
• Its resources (financial, physical, human and intangible, e.g. brand or reputation), competencies (strategic, functional and technical) and capabilities (organisational, human, social and customer capital) to perform effectively; and
• The security risks and threats it faces.

Such a process needs to be based on a systematic risk assessment exercise, beginning with an initial threat assessment and vulnerability analysis to identify the risks, a security audit encompassing an extensive review of the security function, and the analysis of the political, economic, social, technological, environmental and legal factors that will affect the security strategy’s success (known as PESTEL analysis). This is covered in more detail in Issue 4: Security Risk Management.

The next phase is strategic design, comprising the following steps:

• Defining the rationale underpinning the strategy, including mission and vision statements that summarise its overall approach and the aspirations underpinning it, to ensure that all stakeholders will have a clear understanding of the underlying aims;
• Defining the strategic objectives or specific goals underpinning the strategy, including generic goals to protect the company’s people, property, assets and processes, and delivery objectives such as improving the integration of security in the business processes;
• Establishing the performance requirements of the security strategy and its components (such as physical or personnel security) and ways of monitoring performance, discussed more fully in Issue 5: Security Metrics. Examples might include achieving a demonstrable reduction in the number of security incidents, based on rigorous reporting and recording of all incidents, and demonstrating employee satisfaction with security education and training processes, measured through administration of a survey; and
• Outlining the security strategy in a comprehensive document tailored to a lay audience, including the key assumptions on which it is based, the main dimensions of the strategy (again, such as physical or personnel security) and related objectives, and the key human, financial and technical resources required to achieve its delivery.

The strategic implementation phase involves setting out a clear implementation plan for the security strategy. This should include the start and end dates for the plan, the key objectives, priorities and the actions required to meet each one, the resources provided, and a robust performance specification incorporating the key performance criteria established in the previous phase. Implementing the strategy will include communicating it across the company which, as Perpetuity Consultancy (2010) observes, may require the development of a communication strategy and plan if the organisation is large. This might begin with engaging representatives of key audiences (for example the board, managers, union representatives and staff members) at an early stage, and considering the range of different options for disseminating the strategy, ranging from the company intranet to newsletters, workshops, staff handbooks and nominating individuals in key roles within the organisation to act as champions of the strategy.

The final strategic review phase is important to ensure that the strategy is working as expected. This requires the comprehensive performance monitoring set out in the design phase to take place. It also involves subjecting the security strategy to on-going review to ensure that the assumptions on which it is based, the objectives and the mission remain relevant and appropriate.

Security areas of responsibility

A comprehensive organisational security strategy will reflect a number of principal functions, with separate objectives, plans, policies and procedures, including specific performance measurement approaches. The research by Briggs and Edwards (2006) illustrated how, in practice, the portfolios of corporate heads of security vary considerably and can be broad in scope or more narrowly concentrated around physical security (protective security of property, processes, equipment and people). Other dimensions may include personnel security (associated with insider threats from employees or contractors), information security, business continuity, investigations, counter fraud and security education and awareness training. Two public sector models usefully elaborate on some of these functions: the Security Policy Framework of the Cabinet Office of the UK Government (2012) and the Protective Security Policy Framework of the Australian Government Attorney General’s Office (2012).

Physical security

Physical security involves the use of physical controls to protect business premises from unauthorised access and loss, harm or destruction of property. It can be considered in terms of physical ‘layers’. The external layer protects the approach routes, perimeter, estate and buildings of an organisation’s premises by such means as fences, walls, gates and lighting, as well as engineering and technological measures. These can include intruder alarms, closed circuit television systems, security barriers to control traffic or protect against serious threats such as ram-raiding or terrorist attack, and blast resistant glazing. The internal layer comprises access control systems such as secured entrance lobbies and swipe card entry systems, postal screening, and secure storage areas such as strong rooms and safes. Other controls, such as guards and identification badges, support the general delivery of physical security in an organisation.

Personnel security

The overall purpose of personnel security, according to the UK’s Security Policy Framework (Cabinet Office, 2012:13), is ‘to provide a level of assurance as to the trustworthiness, integrity and reliability of employees, contractors and temporary staff’. Its delivery needs to incorporate effective risk assessment, screening of personnel (beginning, for example, with verification of identity, employment history and right to work in the country), secure contracting (ensuring that contractors also have measures in place that are satisfactory to the organisation) and on-going control measures. Such on-going measures may include monitoring employee access, and managers being alert to signs of vulnerability among their staff to third party influence or opportunistic criminality, such as depression, excessive alcohol consumption, emotional instability and financial difficulty.

Information security

Organisational information security strategies are needed to ensure that access to information assets within an organisation is correctly managed and safeguarded to an agreed and proportionate level, as well as being compliant with data protection requirements. They apply to all stages in the information lifecycle: creation, storage, transmission and, as appropriate, destruction (Cabinet Office, 2012). The necessary policies and procedures cover two dimensions. The first is technical security measures such as firewalls, data encryption and antivirus software, which fall primarily within the remit of organisations’ information technology departments. The second dimension, in which security departments play a greater part, is administrative security, including user account management, change management and physical and logical access control. The benefits of converging organisational security and IT responsibilities in some aspects of the delivery of information security are discussed in Issue 3: Converged Security Management.

Security education and awareness training

Once other security functions have been implemented, employees need to understand their responsibilities in contributing to the protection of organisational assets. This should involve establishing the audience requiring training, the topics in which they need to be trained, the learning objectives for the training and the methods of delivery, and then designing the training materials. Implementation of the training may include devising an overall plan for delivering the training, some initial piloting of the programmes developed, the modification of training materials as required and the delivery of the programmes. Finally, there is a need to assess that learning objectives are being effectively met, and that staff members are satisfied with the training programmes.

Investigations

Objectives underpinning a workplace investigation, as summarised by Gill and Darroch-Warren (2010), include identifying dishonest employees, applying internal disciplinary measures or justifying dismissals, facilitating civil litigation or criminal prosecution, and initiating revision of policies and procedures. They describe investigations, when properly conducted, as a critical part of an organisation’s risk management strategy, although they note how conflicting imperatives can create uncertainty as to what is the best outcome. On the one hand, a willingness to investigate and sanction employees concerning such incidents as cases of theft or fraud may reassure honest staff members, as well as communicating a strong message to those who may themselves be tempted to commit dishonest acts. On the other, investigations can be costly, or can lead to other adverse outcomes such as negative publicity or employee claims against the company. Such conflicting needs must be balanced against each other before it is decided whether or not to proceed with an investigation. Investigations share a common, phased approach which, as Gill and Darroch-Warren argue, needs to be ‘systematic, thorough and legally compliant’, as well as ‘proportionate to the matter at hand’ (p.14).

Business continuity

Business continuity management (BCM) is a critical aspect of the risk management of an organisation in which security departments are becoming increasingly involved. It encompasses identifying potential threats to an organisation and how these could impact on business operations, as well as providing a framework for establishing organisational resilience against these threats and their impact. Business continuity solutions include crisis management measures and a disaster recovery strategy, relating to the recovery or continuation of an organisation’s technology infrastructure.

Counter fraud

Counter fraud is an inter-departmental responsibility, since it involves control systems being built into the operations of the organisation, needs to be underpinned by effective personnel and information security, and relies on a comprehensive internal audit process. Threats derive from both insiders and outsiders to an organisation, and can take a wide variety of forms depending on the nature of the organisation. Examples include benefit fraud, credit card fraud, expenses fraud, health care fraud, insurance fraud and welfare fraud. Security departments often have responsibility for preventing, investigating and applying sanctions against fraud in their organisations.

Evaluation

Since security departments are so varied in their scope, there is no definitive model of organisational security. However, security risks need to be taken as seriously as other risks to an organisation, and therefore should be a concern of the board and senior management team, with the organisational head of security reporting into those upper tiers of an organisation. As recognised by Briggs and Edwards (2006), physical security has been the traditional emphasis of organisational security, but this narrow focus is coming to be seen as old fashioned, especially in large, multi-functional organisations, due to growing recognition of the inter-connectivity of different types of organisational risk. An effective security strategy will be closely aligned with an organisation’s primary business objectives, adopting a holistic and organisation-centred approach to the management of security risks, in line with an enterprise risk management strategy for the organisation as a whole. Much of the day-to-day work of the head of security is therefore likely to involve communicating with senior members of the organisation and heads of other departments in order to achieve such alignment, as well as reviewing the security operations in the context of the overall strategy.

Further reading

• ASIS International (2010) Enterprise Security Risk Management: How Great Risks Lead to Great Deeds: A Benchmarking Survey and White Paper. Alexandria, VA: ASIS International.
• Australian Government Attorney General’s Office (2012) Protective Security Policy Framework. Canberra: Australian Government Attorney General’s Office, available at: http://www.protectivesecurity.gov.au/Pages/default.aspx (accessed 13/06/14).
• Briggs, R. and Edwards, C. (2006) The Business of Resilience: Corporate Security for the 21st Century. London: Demos, available at: http://www.demos.co.uk/publications/thebusinessofresilience (accessed 13/06/14).
• Cabinet Office (2012) HMG Security Policy Framework. London: Cabinet Office, available at: http://www.cabinetoffice.gov.uk/resource-library/security-policy-framework (accessed 13/06/14).
• Cavanagh, T.E. (2005) Corporate Security Measures and Practices: An Overview of Security Management Since 9/11. New York: The Conference Board, available at: http://www.conferenceboard.ca/documents.aspx?did=1205 (accessed 13/06/14).
• European Commission (2010) A Reference Security Management Plan for Energy Infrastructure. Brussels: European Commission, available at: http://ec.europa.eu/energy/infrastructure/critical_en.htm (accessed 13/06/14).
• Gill, M., Burns-Howell, T., Keats, G. and Taylor, E. (2007) Demonstrating the Value of Security. Leicester: Perpetuity Research. Free copies can be requested from http://www.perpetuityresearch.com/publications.html.
• Gill, M., Taylor, E., Bourne, T. and Keats, G. (2008) Organisational Perspectives on the Value of Security. Leicester: Perpetuity Research. Free copies can be requested from http://www.perpetuityresearch.com/publications.html.
• Perpetuity Consultancy (2010) Security Strategy Toolkit. Leicester: Perpetuity Research. Free copies can be requested from http://www.perpetuityresearch.com/publications.html.