Printer Friendly

Answering the question - what is security?

Many people in security have been confronted with the statement, "The company is paying for security, but it is not getting it." This statement is usually made after a significant loss has occurred and the organization's senior management is looking for an explanation. Woe to the security manager who does not have an acceptable reason.

The basic problem with this statement is that security, like beauty, is in the eye of the beholder. Just what is the company paying for when it pays for security? Does security mean no losses of company equipment or money? Does security mean everyone is safe while on company property? Does security mean every risk has been identified and reduced to the lowest level?

If senior management contemplates these questions, it will have already begun to answer the question, What is security? Only when security has been defined can a security manager begin to develop a security program that will satisfy company requirements.

Is security utopia possible? The answer is yes, for a price. It is possible, but it may not be practical or even desirable. The degree of protection provided by a security program has a direct correlation to the cost of the program.

A case could be made for an individual who lived in total isolation as enjoying security utopia but nothing else. Obviously places like Fort Knox, the White House, and nuclear storage facilities enjoy near-perfect security, but how many organizations can afford the elaborate measures required to maintain such degrees of security?

The economic realities of any organization have a direct impact on the amount of security it enjoys. Therefore, when the organization's senior management makes a decision on the amount of security it requires, it must also make a decision that answers the question, How much is the company willing to pay for such security?

The motivator for most security programs is a perception that the organization has an unacceptably high level of risk and that actions must be taken to counter the perceived risk.

Generally, a short-term solution is developed to counter a perceived level of risk. As time goes on, other levels of risk are identified by senior management and the security program is expanded to reduce the perceived levels of risk to acceptable levels. Conversely, economic restraints may require the security program be reduced even though the perceived level of risk is high.

The dilemma for senior management is how to balance the security requirements of the organization against the resources available.

Demands for resources are infinite, yet resources are finite. Therefore, senior management must define the minimum level of security that is acceptable, with the variable being the amount of risk it is willing to take.

Once this level has been determined, senior management need only provide basic guidance to the security manager. This guidance must outline the level of security required and the resources that are to be allocated to obtain the minimum acceptable level of security.

The answer to the dilemma of reality versus utopia is to design a security program to fit senior management's terms in a measurable way. One such system is represented in the accompanying chart.

The security program depicted in this chart was developed to answer the security requirements of an urban hospital complex of multiple buildings and decentralized operations.

The first step in designing this security program was to determine the hospital's current level of security. Once this was identified, it was necessary to determine if that level of security was acceptable.

When senior management indicated it was satisfied with the current level of security, the next step was for the security manager to make a detailed assessment of that level of security.

The areas of security interest follow:

* physical areas

* vehicle movement and parking

* lighting

* locking controls

* alarm systems

* security staff and controls

* employee and visitor controls

* property controls

* money controls

* personnel security

The next step in designing the security program shown in the chart was to identify the various sources of information available to the security manager. The sources of information include:

* staff reports

* patient reports

* visitor reports

* security officers' observations and incident reports

* local police reports

* newspapers

The risk assessment told the security manager the level the hospital security program had been at in the past. The sources of information indicated to the security manager the current status of the security program. The next step was to determine the program's future.

In the chart, how the security program was evolving is depicted as the security manager's analysis. The security manager reviewed historical files and noted the number and type of security incidents that had been recorded over the years. From this listing the security manager defined several generic incident groups and recorded the number of times each incident occurred. The incident groups used in this security program include information on the following:

* accidents (motor vehicle)

* assaults

* criminal trespasses

* bomb threats

* harassment

* property (lost or recovered)

* sex offenses

* weapons

* suspicious persons or activities

* fires

* violent patients

The data compiled from the records allowed the security manager to develop a report listing the frequency of each incident by month or quarter. Armed with this information, the security manager could statistically show the hospital's senior management the status of the security program at any point in time.

This information gave senior management a rough indication of how successful - or unsuccessful - the security program had been in the past. Senior management could then use this information to set a standard for the future.

The statistical information was voluminous and meaningless when presented without comparison. Therefore, a method of presentation that provided a meaningful comparison of the present security level to past security levels was required. The method of presentation needed to be easy to comprehend and not overload senior management with information.

A graphical presentation was the most effective method to use in the short period. A graph can present the number of security-related incidents reported throughout a given period.

A graphical presentation of the data allowed senior management to set realistic standards for the security program. The graph also allowed the security manager to demonstrate accurately the current level of security for the hospital. This information answers the question, What is security?

Now the security manager needs to determine the level of security desired and the cost to obtain those standards. After these two factors are known, an action plan can be developed to obtain the standards approved by the organization's senior management.

The quarterly report should list the minimum acceptable standard established by senior management. In the chart, the quarterly report was sent to three administrative units: quality assurance, safety, and hospital administration. These three units collectively set the minimum acceptable standards that are provided to the security manager for guidance. The security manager then must meet the revised standards.

It is important for the security manager to influence the setting of acceptable standards to guard against others setting unobtainable standards. However, the final standards must be acceptable to the organization's senior management.

The security system in the chart is a dynamic system, that is, the input to the system via reports and risk assessment is constantly changing as the security environment changes.

The organization's management team continues to monitor the security program and influence the outcome by setting the standards and allocating resources.

The answer to, What is security? is multifaceted. Security is what we believe it to be. The answer to the question, Where is the security we are paying for? must be provided, in part, by senior management.

It is essential that the security manager develop a security program that is measurable in senior management's terms. Once that task has been accomplished, the security manager has the tools to answer the question, What is security?

Garrell E. Sutherland, CPP, is security manager for Eden Hospital Medical Center in Castro Valley, CA. He is a member of ASIS.
COPYRIGHT 1992 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Sutherland, Garrell
Publication:Security Management
Date:Jul 1, 1992
Previous Article:Out of the showroom and into the manufacturing plant.
Next Article:Taking training to the T.

Related Articles
Management's neglected tool.
This is real jeopardy!
This is real Jeopardy!
NY: plaintiff's attorneys undermine discovery: plaintiff's discovery 'stayed' pending change.
PCAOB releases guidance for attest engagements regarding XBRL.

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters