One Manager, Two Jobs

I believe that every security manager has two jobs.  Their first is to take care of the day-to-day activities that come with running their security department.  Their second is to consider and plan for the long term with the outcome of ensuring the ongoing success of the organization while focusing on protecting the organization’s assets.  

Every security program should consist of four stages.  The first and foundational stage is conducting the risk assessment.  The second, once the results of the risk assessment are in, should include designing the security countermeasures and overall program. Stage three involves the installation of said countermeasures, and stage four is the ongoing maintenance of the entire security program.  However, the reality is that unless a supervisor/manager/director/CSO is tasked with developing a security program from nothing, these four stages will constantly overlap one another.  Annual or component risk assessments, upgrading the access control or video surveillance system, designing the installation of a new system or implementing a new training program, and keeping everything running smoothly are all requirements.    

The other issue to consider is that a security program consists of two types of countermeasures: countermeasures you have and countermeasures you want.  Managing the existing program is often enough to keep the average security manager busy but planning an expansion of the security program adds an entirely new level of complexity to the manager’s duties.   

This is where the concept of the two jobs comes into effect.  Managerial day-to-day activities include verifying staff activities, responding to senior management and/or client queries whether it is investigating complaints, managing emergencies, signing off on reports, signing off on human resource documents, conducting potential new hire interviews all take up a considerable amount of time.  I have seen many managers lose sight of the big picture and exclusively focus on the day-to-day.  It takes discipline to look at what needs to be accomplished next week, next month, next year and beyond.  

In order to maintain focus on ensuring the long-term strategic focus is not lost, the security manager should consider how much of their day-to-day activities can be handed off to subordinates.  This load sharing does at least three things.  First, it provides on-the-job training for junior employees to learn more advanced departmental responsibilities.  Second, it teaches trust between co-workers.   Third, it empowers employees and helps them see how they contribute to the overall success of the department and organization.  

One principle I have always practiced is “in order to gain power, you have to give it away”.  In this case, power is responsibility.  Old school management is hanging onto power as tightly as possible, not sharing it in any way with subordinates.  This management style is for small minded and petty people.  Empowering your employees, particularly in the security department with its high number of personnel is a great way to increase departmental effectiveness. 

Preparing staff for enhanced responsibilities is one of several actions to be taken.  Others include the planned installation of various security countermeasures either to replace existing worn out equipment or the installation of the new.  This process should start with the completion of the risk assessment and is also part of the long-term capital management plan.  Developing this plan is relatively easy.  Step 1 is simply a matter of identifying all existing physical countermeasures be they cameras, access control, locks and keys, various communication systems, visitor management software, fire alarm system or others.  Step 2 consists of identifying their installation date, contemplated replacement date, ballpark cost and all associated costs.  Step 3 requires this information to go a spreadsheet and planning book.  Step 4 is to identify proposed countermeasures along with any potential engineering studies, identification of any necessary training materials and potential changes in standard operating procedures.  Step 5 is to align this information with the organization’s capital management process. Step 6 is to keep this information up to date when changes in the organization’s risk profile identify new risks.

As it pertains to asset protection and budgeting, the underlying premise is that purchases need to be cost effective and a return on investment is expected.  This can be difficult as security is one of those areas where a direct financial ROI is not often evident.  However, one must consider that there are other ways to measure ROI such as with reduced employee turnover, increased customer satisfaction, reduced criminal activity and reduced organizational risk.  As the security manager becomes more accomplished and confident, he or she needs to give considerable thought to how to measure departmental effectiveness.  This is where business training would likely benefit the individual.

The security manager needs to also become familiar with the appropriate legislation pertaining to their industry.  Legislation can be the security manager’s best friend as these are requirements that the organization must adhere to.  These are the security related requirements that must be budgeted for and can be seen as minimum standards to meet.  For example, many jurisdictions have security guard training requirements that must be adhered to.  

Managing a modern security department can be very challenging.  Identifying the organizational risk profile, designing the security program, installing the various countermeasures and then maintaining it all within the confines of cost and compliance while at the same time not alienating clients, employees and customers and protecting the organization requires a constant balancing act.  However, it is these very challenges that make the job so intriguing.