- How to Develop an Effective Organizational Security Structure
How to Develop an Effective Organizational Security Structure
Workforce optimization and security optimization are two different but closely related concepts, which can impact each other significantly.
Workforce optimization is the process of maximizing the efficiency and productivity of an organization’s workforce while minimizing costs. This includes tasks such as scheduling, training, and performance management.
Security optimization, on the other hand, involves implementing measures to protect an organization’s physical and digital assets, including data, equipment, and personnel.
As a Security Risk Management Professional who has over 40 years of operational security experience, I often find that organizations:
- Drop security in the gap between facilities and health and safety.
- They allocate security risk to human resources departments or finance.
- They place litigation exposure with legal.
- They allocate data security exclusively to IT departments.
In so doing they risk creating, uncoordinated and incommunicative silos, and the establishment of multiple disjointed agendas, a poor foundation for joined up security integrity. The reality is all of the above are intertwined and effective security workplace optimization recognizes this.
How Organizational Structure Applies to Security Operations
- First, it needs to be built around a security hub, an entity or department with a voice in its own right, not competing for scraps at the health and safety or facilities tables.
- Second, it should be built around a formal, management designed, pattern of workplace interactions and coordination.
The 3 ASIS International Organizational Security Models
In our experience we find that most organizations do not have a fully integrated security team. Successful security operations require attention to organizational structure. Below are a variety of models for successful workplace security delivery.
Vertical, Shamrock and Network – The shape of that organizational structure will be dependent on the user, available budget, facility size and type, and staffing capacity. There are three recognized models and the aforementioned factors, will determine how these would be combined for optimal impact. The ASIS International Vertical, Shamrock and Network models and their merits are discussed briefly below.
- The Vertical Model is classic in house, proprietary and hierarchical, top-down senior management, through managers or supervisors, to front line staff. It is the most cost prohibitive, but it does ensure in house security management and control. Few organizations are wholly vertical.
- The Shamrock Model as you might imagine is comprised of three parts:
- Shamrock Leaf One is more collegiate and flatter, comprising a small core of in-house professionals, managers, and skilled technicians. It has flat management decision making challenges and will normally need to look upwards for authorizations.
- Shamrock Leaf Two is third party suppliers chosen for their expertise and ability to provide quality service. Generally, a much larger security service resource pool. The ability to contract resources from uniformed guards to enhanced security to senior security managers and subject matter experts, i.e., tier 1, tier 2, and tier 3 security services as required. Selective components of the Lions Gate Organizational Security Risk Management Program have been designed to provide third party contracted security services to clients on an as needed basis. Third party would describe; uniformed security guards, enhanced security personnel, security system installers and integrators, cyber security specialists, convergence specialists, physical security installers, security consultants, intelligence analysts, to name but a few.
- Shamrock Leaf Three is a flexible work force part time and temporary workers engaged as needed. Selective components of the Lions Gate Organizational Security Risk Management Program have been designed to provide third party contracted resources also to clients on an as needed basis.
- The Network Model is comparable to a computer network. In the network model individuals and departments come together for particular tasks as needed. The network model without strong regulation and terms of reference runs the risk of network outcome requirements being hampered by individual or department agendas, which would be a poor foundation for joined up security approach leading to operational integrity. Selective components of the Lions Gate Organizational Security Risk Management Program have been designed to support network models by providing technical security guidance and direction to network members on specific tasks.
In summary, when fully implemented, security workplace optimization:
- Means both proactive preventive, and incident or event, response ready.
- Captures actionable internal data and information for analysis and is external open-source intelligence led.
- Reduces costs and ensures ‘risk measure’ proportionality.
- Focuses training, improves operational efficiency, and establishes effective management and supervisory controls.
- Increases productivity, maximizes technology investments, balances technology and human touch, and provides well conceived policies and procedures.
- Reduces litigation exposure, improves customer services, enables process automation, and reduces error.
- Too few security operations are properly optimized, leaving safety, security, and litigation exposures in a range of areas, and where under scrutiny, the organization would be unable to demonstrate reasonableness and prudence in security decision making. You will be asked, what did you know? When did you know it? And what did you do about it? If you cannot respond to all three on any security issue you may be on shaky ground.
- Provides deep dive insights into every security risk and solution corner for an organization.
- Appropriately distributes responsibilities (proprietary, contracted, third party) while retaining control.
- Although many broad terms of reference would have you believe otherwise, there is no such thing as a ‘jack of all trade’s’ security professional. Each security discipline has become so specialized, and one of the core responsibilities of organizational security management, is to define the organizational structure and distribute responsibilities. Essentially, who is going to do what? Who is licensed and qualified to do what? and whether, the responsibility will be ‘in house,’ ‘contracted,’ or with a ‘third party.’
Learn the 6 Key Steps to Increasing Security Productivity and Minimizing Costs
There is no one size fits all, so give us a call 888-212-2026 ask for Mike Franklin and we can discuss optimization that would work most efficiently for you and within your budget.
This article has been assembled in consultation with an experienced workplace optimization specialist. The fact that this specialist is my son Reece Franklin is a source of considerable pride for me. He is a Six Sigma Black Belt fully conversant with Lean Tools and Processes and credibly converges the security and optimization disciplines addressed in this article.