Security

What Makes a Good Security Manager

In this post, I will explore the core competencies, responsibilities, and the importance of each of these attributes being included in managing a security operation; with this, I will provide my thoughts on the subject, what operational competencies are required and what are merely beneficial, as well as describe the benefits or negative aspects of having or missing a specific skill in the overall goal of assessing, creating, and maintaining the complete protection of an organization in the digital and physical realm. Finally, I will highlight how understanding core competencies are valuable for both hiring and security managers, as well as provide a general understanding of what exactly drives and motivates security operations. 

As businesses and organizations have grown to surpass the size, profit, and influence of many small countries, the science of protecting the assets of these massive entities has expanded into new territories, requiring high-skilled professionals to adapt to new technologies and business practices. At the frontlines of the war against those with malicious intent, security managers are charged with assessing, developing, crafting, and maintaining the many layers of a security operation to thwart interference and asset theft. To better understand the role and responsibilities of a security manager, outlining the core competencies for managing a security operation on both the physical and digital front offers a unique perspective into the world of organizational defense.

To effectively manage a sophisticated security operation, one must possess several core competencies relating to several areas of expertise. A security operation’s manager must gain and keep current a robust knowledge of physical security hardware and processes, confidence with cybersecurity technology and best practices, enhanced project management skills, and above all, contrary to many positions in the general IT field, well-defined social and leadership skills.

While the manager of a security operation might not be involved in many of the everyday tasks of implementing and updating the many protective measures of the system, they will most likely have worked in the field for several years, touching every aspect of each layer of the security operation. Having the experience, a security leader must utilize it in a managerial method, using top-down views of the entire system, working with third-party vendors and organizational leaders regarding budgets and time restraints, hiring and training industry-leading professionals, and fueling a passion for increasing the performance of both themselves, as well as the security operation.

While many situations involving closing gaps in security can be unoriginal and repetitive, such as updating an outdated CCTV system with a newer, more advanced model, a security operations manager needs to be able to think outside of the box when it comes to researching and creating new ideas for reducing risk, increasing fault tolerance, knowing when to save money and when to spend it, as well as understand that the most essential tool in any security manager’s toolbox is the personnel they supervise. Regardless of the level of sophistication a security system (cyber, physical) has, without the continuous researching, testing, and updating of each facet of the protection system, the entire operation will undoubtedly fail; this is due to the always-changing environment of an organization’s location, personnel, assets, and with the introduction of new risks and potential attackers.

The core competencies of a security manager, in my opinion, are vital to each phase of the security operation process, from performing a VA (vulnerability assessment) to designing and building each protective layer of an organization. Without the knowledge of what can happen, what will happen, and what it will take to achieve the desired effect regarding understanding both risk and countermeasures, a security manager will not be equipped to handle the rather demanding list of responsibilities included with supervising an organization’s security.

I believe the most vital core competency is communicating effectively between senior executives, directors, local law enforcement agencies, and each security team member. Communication is critical in any industry; however, in security, maintaining an open stream of concerns, ideas, and suggestions enable security professionals, as well as those who directly rely on them to safeguard their assets, to stay ahead of the curve when it comes to emerging technologies, cyberattacks, and penetration methods. Additionally, proper social skills and the ability to work well under pressure dramatically impact the ability to address security incidents and ethical issues calmly. For example, when it comes to criminal investigations, it is the responsibility of security management to facilitate the actions of discerning what happened, gathering evidence, deciding on what disciplinary or precautionary steps to take in terminating an employee, removing a threat, and ensuring that in the future, the event is prevented from happening again. Having solid business and interpersonal skills is what separates a manager from a leader.

While the list of operational competencies involved in the security manager position is quite extensive, there are a select few that are considered ‘core.’ Core competencies are the defining characteristic in which create the security manager’s position; in other words, they are the list of ingredients required in building an individual who is capable of supervising the entire security operation of an organization, including personnel (hiring, training, managing), cybersecurity, physical defense, balancing budgets, and disaster recovery protocols.

Not every skill or ability of a security manager is considered ‘core,’ yet it may still hold significant value to the organization. For example, being that the role of a security manager is more strategic than tactical oriented (ASIS, 2004), while they would most likely have already learned the skill earlier in their career, they wouldn’t necessarily have to maintain a highly-detailed knowledge of the programming language, Python, in regards to their cybersecurity division; although, they should hold a general understanding of any areas they manage, as a leader without knowledge in a subject can’t be as effective as one who does.

Separating core competencies from those holding less importance strengthens the hiring process and provides a structured list of skills a security manager needs to master. Seeking the ideal candidate for the position of a security manager can be quite the undertaking, as they will be solely responsible for the creation and upkeep of the entire security operation. Knowing what ideal qualities to look for in a security professional and those that would be beneficial but unnecessary can help a hiring manager quickly sort through stacks of resumes to find the perfect one. Creating well-defined core competencies can also assist a security manager in the lengthy and complicated process of becoming qualified, as well as maintaining their skills after they are hired. As we all know, IT can be a widespread subject, with material ranging from operating systems, intrusion prevention techniques, cyberattacks, to understanding how to allocate resources; because of this, it is imperative that a security manager clearly understands what is expected from them at the time of hire, as well as what qualifications and proficiencies need to be continuously polished.

Security operations have grown in necessity in recent years as more businesses ‘ infrastructure and services migrate to the Internet and cloud. With the rapid growth of the IoT (Internet of Things,) companies, now more than ever, need to devote time and resources to creating and reinforcing physical and cybersecurity policies. Growing a company’s security operations holds many benefits, including increased revenue, asset privacy (internal and external), accessibility, scalability, and higher risk mitigation. Today, we often hear about data breaches and ransomware attacks costing companies immense losses, both financial and in consumer trust. With proper security operations that transcend typical physical and digital sectors, thus creating an evolving and seamless protection layer that surrounds all business activities, organizations can reduce the threat of paying hackers for access to their own data (if stolen or encrypted), reduce the necessity of hiring technology-oriented lawyers and publicists to manage and protect the company’s image, as well as strengthen employee and customer relationships with upper-management.

Similar to financial losses due to security breaches, the threat of litigation is prevalent when an adequate security program is not created and enforced. While it will not entirely thwart a premeditated ‘slip and fall’ insurance fraud case, a state-of-the-art video surveillance system can render much of the ‘evidence’ which supports the perpetrator’s case less impactful. Ensuring that the physical design of the walkway is up to the standards enforced by building codes and safety regulations can limit the fraudulent case’s potential for success as well. Insurance companies tend to also require a certain level of security operations before they will sign a contract, thus transferring some of your risk to them.

Like insurance companies requiring security operations, depending on the type of business or the assets you deal with, there may be a legal mandate to have a specific level of security operations. For example, a hospital (publicly traded, not federal) would be subject to HIPPA (Health Insurance Portability & Accountability Act), which would require a certain level of protection and confidentiality of health information and electronic billing (HHS, 2017). Additionally, governmental mandates can require installations, such as military bases, to maintain the proper protective measures of a high-security location, including exterior sensors and armed guards. Institutions that require accreditation from governing bodies, such as some colleges, require particular degrees of security operations as well.

The phycological aspect of visible and robust security measures is often not realized; however, the reduction of fear using protective countermeasures has impressive benefits to both employees as well as when used against a would-be intruder. For staff and customers, creating an encompassing virtual ‘security blanket’ around the entire facility can increase their level of safety and broaden their trust in an organization’s product and image. On the other hand, when a possible intruder views, for example, multiple security cameras, high-security fences, armed guards, and controlled entry via RFID chips, their likelihood and motivation to perform illegal acts greatly diminishes, all without even activating the security measures.

Regardless of the situation, a carefully researched, implemented, and continuously evaluated security system, along with proper procedures and policies, can hold numerous benefits in many different sectors. In today’s day and age, the business world operates online, as do those with malicious intent. Keeping your security operations updated with the most recent advancements, highly trained personnel, and keeping a watchful eye on emerging risks and threats can significantly increase an organization’s chances of keeping up with competitors, as well as protection against the threat-filled climate in which we live.

Due to the magnitude of factors involved in an organization requiring a high-level security operation, the core competencies of a security manager need to be clearly outlined, addressed, and revised continuously; furthermore, the digital and physical protection system they supervise, needs to be meticulously researched and constructed to meet the organization’s past, current, and future needs, as well as utilize new best-practices, study emerging threats such as ransomware and various types of physical intrusion methods, maintain effective and seamless communication with upper-management, shareholders, third-party vendors, and legal mandates, and finally, provide their subordinates with an unparalleled level of management, leadership, accountability, and career progression through the use of training and motivation.

References

International, A.S.I.S. (2004). Chief Security Officer Guideline. Retrieved April 30, 2021, from https://cdn.fedweb.org/137/268/ASIS%20Chief%20Security%20Officer%20Guide-Public.pdf.

HHS Office of the Secretary, Office for Civil Rights. (2017, June 16). HIPAA for Professionals. Retrieved April 30, 2021, from https://www.hhs.gov/hipaa/for-professionals/index.html.

Categories: Security

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s