The convergence of corporate security means the connection between previously separate security functions. The 1 July Security Management articles by Teresa Anderson (Uncertainty is Wisdom in Motion) and Claire Meyer (Into the Spotlight: Bill Tenney Moves from CSO to ASIS CEO) and the 22 July article by Scott Briscoe (How to Make Security Less Tactical and More Strategic? Start with a New Description) are the basis for expanding the topic. CSOs must remember to implement convergence in order to rationalize, develop and improve corporate security.
The need for change
Understanding security only as physical and technical protection, such as control of employees and visitors at the entrance/exit, has long been outdated. Technological development has resulted in new security activities: IT security, cybersecurity, project protection, technology protection, identity protection, internal investigations, emergency and crisis situations, de-escalation of violence at work, security checks of employees and business partners, data protection with partners, establishment of specialized teams (CMT, TVRA, ESRM), continuous education, and more.
Security jobs
The need to unify security activities in the company is unquestionable. As a rule, the CSO bears the most responsibility for enforcement. For a large number of CSOs, this will mean an increase in workload and responsibilities. The result will be a new positioning of corporate security in the management of the organization. The organization and work of corporate security depend on the specific needs of the organization's activities as well as the environment. Below we list some jobs that should be "covered" by unified corporate security.
Handling of information
- Information handling protocol (external and internal)
- Information from the public - when to initiate the procedure (triage of information)
- Evaluation of the reliability of information sources
Internal activity
- Security organization, job description, operational management, rules of conduct and work guidelines
- Contact with employees, guarantee of protection (easy access to information, triage, etc.)
- Availability of security (phone, e-mail, mail, in person) and whistleblower protection
- Intranet and internet - access, use, protection, restrictions, risks
- Live and online identification security - employees, business partners, users
External activity
- Evaluation and external contacts (police, emergency services, public, etc.)
- Cooperation with the intelligence community and the police
- Monitoring of public information and social networks
Specialized teams
- CMT - Crisis Management Team (authorities, composition, procedure protocol, etc.)
- TVRA - Threat, Vulnerability, and Risk Assessment team (procedure protocols, strategies, recommendations, etc.) The continuous work of TVRA is essential for preserving and improving security.
- ESRM – Enterprise Security Risk Management Team. Scott Briscoe writes: “One of the real innovations of the ESRM approach is that it calls for security to work with other business units to understand the assets they oversee and the value they represent. Together they assess vulnerabilities those assets have and design security solutions to protect the assets. Crucially, the asset owner – not the security director – is ultimately responsible for the risk management of the asset.”
Security checks
- Pre-employment check
- Verification of business partners (even before the contract)
Risks
- Access to data (preparation of projects, offers, databases, etc.)
- Top users (access, who else, access to the public network, etc.)
- Risks of cyber security (who will be responsible for the omissions of contractual partners of IT services - software, hardware protection, data protection, (un)timely reaction, etc.)
- Risks of bribery (procurement of goods and services, especially investments, new projects and IT services)
Personnel and education
- Continuous staff education is extremely important (new risks)
- Encouraging external education and obtaining certificates
- Education for internal de-escalation of violence
- Table-top practice exercises
- ASIS Standards and Guidelines
Final
"The world is a dangerous place and it's not getting any less risky," says Tenney. “So I think there is a recognition among business leaders that corporate security and security professionals in general have a ton to bring to the table to make businesses more resilient, to make communities safer, and to make countries and economies work better. We are part of a noble profession, and I think that ASIS is really a leader in the corporate security space.”
"The security professional’s role is not to own the security risk, but to guide asset owners through the security risk management decision-making process," the ASIS Enterprise Security Risk Management (ESRM) Guideline said.
My recommendation is for everyone who works in security, especially leaders, to use ASIS Standards and Guidelines in their work. They will find many solutions there.
Corporate security should be a partner in business management.
Violation of security is the way to chaos!
Ivica Zvonko Miljak is a member of ASIS International and the CSO Center. He has participated and presented at ASIS annual conferences (now GSX). Last and this year, he was a reviewer for GSX. This year, he serves as an ASIS Community Administrator and member of the CSO Center Content Committee. He is a permanent contributor to the leading security magazine in the region (5 countries).