Tuesday, October 26, 2010

The Conundrum of Security

Here is a question for the ages: Why is it that – by and large – security has not been as widely accepted into and embraced by corporate culture as virtually every other business operation discipline?

If this question could be answered, businesses would be much more secure, their assets would be better protected, and profits would necessarily grow commensurately. But we as individual practitioners and as an industry have failed to convince the C-Suite of this fundamental reality. Why?

Although it is not usually analyzed the way I will try to here, there is really very little difference between the security function and other operational disciplines. Consider:

· Security is generally considered a pure cost center. But isn’t protecting and retaining assets and profit (i.e., avoiding loss and liability) just as important to the bottom line as growing assets and profit?

· If money is spent ($ cost) to protect an asset and the asset is preserved, the full value of the asset is realized ($ retained + $ profit gained).

· If no money is spent ($ savings) to protect an asset and the asset is lost ($ value loss + $ profit loss), the asset needs to be replaced ($ cost), and then security will probably be added ($ cost) to protect the asset so it is not lost again.

So doesn’t providing proactive security actually save money in the long run and create the setting in which profit can be gained?

Security is generally considered (at best) a “necessary evil” because it serves to protect against problems that may never occur. But isn’t that also a function of many other operational components that are considered integral to business functioning:

· Doesn’t Environmental Services clean spills so that someone doesn’t slip and fall (which may never happen even if the floor remains wet)?

· Doesn’t Maintenance make sure that machines keep on running properly so that production isn’t halted (which may never happen even if the machine isn’t maintained)?

· Doesn’t Marketing develop ad campaigns so that products or services sell (even though products or services may sell even if the ads aren’t run)?

· Doesn’t Human Resources develop policies for issues like workplace violence and sexual harassment (even though workplace violence and sexual harassment may never occur)?

· Doesn’t Accounting have an outside auditor come in periodically to check the books (even though no mistakes or irregularities may be found)?

So why is security, which provides a secure environment so the business of the business can be conducted properly, not considered as important as those other functions? When – or if – this question is answered, the business world will be a better and safer place.