The role of a Security Manager is not clearly defined, and they are often either under-worked or over-worked. Sometimes the position only exists to fulfil a mandatory criteria. This might look good on paper, but without clear responsibility, authority and management level affiliation, the duty of business security manager is nothing more than a job badge with no substance behind it.
We can start with establishing the obvious: The CEO is ultimately responsible for the security. A responsibility that cannot be delegated. The tasks related to security management, however, should be delegated. First and foremost because the work requires specific competencies, but also because of the heavy workload.
Security work is a continuous process that every employee has to solve at his or hers level. The security manager is a facilitator and auditor, who coordinates, manages and verifies this work on behalf of the management team. However, this is impossible if the security manager lacks the necessary authority to change processes and assign tasks.
I like to say that our work is about creating a secure business, not business security. When this is not a part of the organisation’s culture, the security leader is often excluded and left working on something not related to the core business.
From alibi to leader
Is the security manager a part of the management or is this role assigned to a person further down the company hierarchy? Including this role in the executive management group has multiple benefits:
- It demonstrates and promotes security as a vital part of business management. All implementation should, after all, start at the top, so management can lead by example.
- The security leader must also be involved in and understand the network of relations and processes affecting the business to be able to identify and analyse relevant threats and risks. A security leader who is excluded or excludes himself from the management team will lose the overall perspective and relations necessary to do the required work.
- The security manager has to be able to communicate directly with the management team, particularly with the business manager. When communication has to go through one or more intermediaries, important messages can get delayed and in worst case distorted.
A demanding role
The security management’s role must be strictly defined from a business strategy perspective. This means that the manager must be able to see how the business can be run efficiently, and also how to use security as a business advantage.
Some other vital prerequisites for success are:
- Excellent maneuverability and a heavy enough influence to navigate between ever- changing trends and the organisation’s long term goals
- Solid professional integrity and ability to cope with pressure both from within the organisation and from external factors
- Excellent analytical skills and solid experience of setting and achieving goals
- Ability to build teams and coach employees
- Experience of strategic planning and policy development at a management level
You should, in other words, not look for an employee who can step in as a security manager on top of existing tasks and responsibilities.
The threat and risk situation is currently increasing in complexity, for both public and private businesses. As a result, the overall understanding of the fundamental needs every business has for solid and efficient security management is growing. Many businesses have therefore created a security management role. My ultimate advice is that you never underestimate the professional knowledge, resources and dedication this position requires.