Security Management and Strategy

Security Policy vs. Security Strategy

Security policy evaluates organizational influences, interests, and safety issues, considering environmental costs and logistical resources. It formulates security procedures internally and externally.

Security strategy addresses organizational problems and perceived threats from both internal and external environments. It reflects security policy to prepare a strategy that achieves goals and objectives over time, assuming a feared event won’t occur immediately.

Security Process Methodology

Knowledge is understood as a change in reality.

More security measures are applied where the risk level is higher.

Security communicates an image.

Brand protection safeguards image and reputation.

These theories and concepts require the process to start from certain premises:

  • Pre-assessment of the state of things (S0)
  • Identification of the state of things (S1)
  • Re-evaluation of S0, with reference to S1

The assessment begins by verifying if S0 is in a security context. This involves verifying the existence of the main components of the formal definition of security (V, P, A), the S0 of (V). This step identifies the decision-making environment, including criteria and constraints, and is the first step in a security process.

Assuming S0 of (V) is unsatisfactory, the next step involves deciding:

  • Responsibility
  • Payment
  • Method

Defining the problem and the level at which the solution must be resolved (e.g., qualitative or quantitative, descriptive or prescriptive model) is a consequence of the argument.

Management and Security

Security is a management activity, essential for safety management in organizations. Security measures and decisions must be conceived, planned, controlled, and directed.

Security and management are concepts and techniques useful for security professionals to implement techniques and achieve security purposes.

Organizations view security as a significant management activity that generates profit, although the security function has been accepted as an unavoidable cost.

Top managers expect the security management function to adopt modern techniques and justify its existence based on those techniques. They are partly responsible for the importance of security management concepts within the organization. This is due to two problems:

  1. Differing backgrounds and priorities.
  2. Management theories haven’t been thoroughly studied with security in mind, and most security managers lack a deep understanding of management techniques.

Security management involves not only converting business concepts like management but also finding a language, methodology, values, and criteria specific to security.

Cognition

Cognition refers to the mental processes of knowing, perceiving, and judging, enabling people to interpret the world around them. Perception is related to cognition; we cannot perceive something we haven’t seen before. Everything is interpreted based on our validation. Not everything is predictable, only what we’ve seen before. We must know what we want to protect and why, to focus our efforts effectively.

In this process, security needs arise quickly, sometimes in high-conflict phases where emotions influence decision-making.

Decision

The decision process consists of the following steps:

Qualitative and Quantitative Analysis: Measuring either the quantity or quality of each course of action is possible using qualitative and quantitative analysis techniques. Mathematical methods in Operational Research support “rational” decisions through steps like assessing protector capabilities and threats, evaluating and prioritizing goals and objectives, evaluating and prioritizing options, and comparing goals and options with existing and predictable constraints. Due to the dynamics of antagonism and the psychological and political implications of reasoning, no technique guarantees a perfect result.

Comparison and Evaluation: Derived from the previous steps, criteria are applied to each selected option.

Choosing the “Best” Course of Action: A strategic course of action combines several measures (people, systems, etc.) for a single purpose. The chosen course of action is implemented by the administration. Security is inherently selfish in its vision.

Administration

This phase has two steps:

  1. Implementation: Implementing the chosen course of action involves addressing problems like communication between decision-makers, planners, and the executive branch, as well as the political process of negotiation and compromise between different interests and visions.
  2. Evaluation: Temporarily suspending activities due to implementing new measures allows for problem assessment.