Wednesday, April 17, 2024

The Buck Stops Where?


Responsibility is desired in the professional world because the more responsibility you hold, the more prestige, power or influence you have and, of course, the more salary. Most everyone wants it, especially when things are running smoothly. However, no one wants to be held responsible when things go awry.

I bring this up because for the past several years there has been quite the debate over who is ultimately responsible for lapses in security. Because of the cloud and other advances in information technology, the majority of the debate has revolved around breaches in IT and who is ultimately responsible for them.


This column is about physical, boots-on-the-ground security. However, I will reference several situations involving IT security because they involve circumstances that I believe can also be applied to physical security. Just so we don’t get confused, I will phrase the question this way: Who is ultimately responsible for lapses in physical security? The operative word here is ultimately.

The answer is easier than the question. The CEO is ultimately responsible for lapses in physical security. The CEO is ultimately responsible for everything, so the people you surround yourself with are of paramount importance.

Caveat emptor comes into play here, too. Let the employer beware. Know who you’re hiring to run your security operations. Do not treat security as a secondary responsibility and assign it to someone who knows little or nothing about it.

Understand security, why you need it and the assets you want protected. Delegate responsibility to your security chief but also let them educate you. No CEO likes negative surprises. Know what you are approving or denying and that decision’s impact on your overall corporate culture.

It goes without saying that good two-way communication is a key factor. Communicate regularly with your security chief, not just when there is a negative occurrence. Poor communication is a corporate malady that is not exclusive to physical security. The Michigan-based Ponemon Institute conducts independent research on consumer trust, privacy, data protection and emerging data security technologies. Researchers there released a report this past April which found communication between the c-suite and security departments to be sorely lacking. Even though the study involved 597 IT professionals, there is a message in its findings for physical security, also.

The report, sponsored by Firemon, a Kansas-based enterprise security management company, indicated that meetings between the IT security personnel and leadership were rare with the result being that many senior executives did not have an accurate picture of the effectiveness of their IT security. Seventy-one percent said communication occurs at too low a level; 63 percent said communication occurs only after an incident; 60 percent said communications are contained in silos and not shared; and 51 percent said negative facts are filtered before being disclosed to c-suite executives.

Also, while 33 percent of the respondents said their CEO believes their organization has a very strong security posture, the report states, “This perception gap signals that security practitioners are not given an opportunity and/or cannot communicate effectively the true state of security in the organization. As a result it is difficult to convince senior management of the need to invest in the right people, processes and technologies to manage security threats.”

While there is no universal panacea for all security ills, this finding can be universally applied to help address our individual security challenges.


Concerning the non-reporting or filtering of negative incidents that are reported, security marketing consultant Steve Mierzejewski hints that many IT department managers are in a catch-22. If they report the negative incident when it happens they might be fired. If they fix the problem and then report it, they may face termination anyway for not preventing the incident in the first place.

“Wouldn’t it be better to solve the problem on your own and only tell management if you could not do so?” Mierzejewski writes. “Of course, such a confession would likely be akin to announcing your resignation. Maybe this is why the average lifespan of a (IT) security officer is six years.”

Again, even though this refers to IT breaches, it can be applied to physical security as well.

And security chiefs, don’t allow yourselves to be thrown under the bus. If you are in charge of physical security for your company, make sure you know your stuff. Learning the things you need to know to improve your job performance is actually more important than everything you know right now. Because when everything is running smoothly, the kudos roll uphill. However, when things go wrong we all know what rolls downhill.

Avoid the bus. See you next time.

For more information, visit
