The statement that security measures must be commensurate with the threat implies that too much in the way of security procedures will be as ineffective as too little security, as it will be unsustainable in the long term. Further, “…security measures must be acceptable in both nature and degree because otherwise security will not have the support of those who have to operate the system and cooperate with it.” (The principles of security) So, striking the right balance of how much security is appropriate in an organization is one of the fundamental challenges of security management. This paper provides a review of best practices in this area, discovering that business acumen is more important than security skills in determining security priorities.
According to the research source Security management stage 1 (core skills), a security manager must understand business management in addition to the respective site operations, processes and products. Briggs and Edwards place great emphasis on this business management aspect, stating that, “As the function comes of age, the corporate security community has been trying to understand how to align security with the business, so that doing business and doing security go hand in hand.” Therefore, effective security managers, according to Briggs and Edwards:
• Understand that security is achieved through the everyday actions of employees across the company.
• Recognize the limitations of command and control approaches to change management.
• Realize that their role is to help the company to take risks rather than eliminate them, and to have contingencies in place to minimize damage when things go wrong.
• Embrace and contribute towards their company’s key business concerns, and as a result expand the security portfolio significantly to facilitate resilience.
• Make a clear distinction between the strategic and operational aspects of security management, relying on operational work to be carried out by business...