The Best Chief Technology Officer

The 3 W’s (Wares) in Security Management

The 3 W’s (Wares) in Security Management

1. Introduction

1.1 A reputable state-owned Security company in my country advocates the emphasis on the 3 Ms – Man, Methods and Machines, in its security management practice. In my view, another way of putting it is: the 3 Wares – (1) Hard Ware – access control system and CCTV and etc, (2) Soft Ware – the security systems and processes, the policy and procedures and the (3) People Ware, the Management, the employees, the customers and the security force. Together the three W’s form the integral whole of the security management in an organization.

2. Hard Ware -Technology in support of Security

2.1 When we discuss Hardware, we are often fascinated and dazzled by the availability of modern and state-of-art security equipment and machines offering the best in technology. Whichever the case, my view often centers on the real need for technology – not for technology sake – to support security. Below, I would try to elaborate my standpoint on the deployment of Hardware with some examples from my previous jobs as Security Manager.

2.1.1 As early as eight years ago, when I took up the post of Security Manager with a public listed company, we were exploring the subjects of integration and inter-operability of security systems and equipment.

2.1.2 Human Resource (HR) wanted the access control system to be able to support time management and payroll function. There was already study in the security market of integrating security access control system and CCTV system with HR payroll/time management, inventory control and shipping functions.

2.1.3 The problem of re-laying cables whenever we need to re-configure the access control, CCTV and alarm system forced us to look into various other options such as wireless technology, existing telephone and LAN cable systems. Also we chose vendors who were ever willing to customise their security system to make use of whatever existing workable systems to cut down cost in re-wiring and installation of hardwares.

2.1.4 My company was the first among the CD manufacturers to use walk-through metal detector complemented by hand-held scanners. We were looking into embedding RFID chips into our CD to prevent internal pilferage. The use of X-ray machines was also explored.

2.1.5 To prevent the unauthorized replication of Stampers – the master moulds for replicating CDs and DVDs; we came up with a technology to measure the amount of electricity consumed to co-relate it with the number of stampers produced. Security audited the daily submissions from the Stamper room to tally the number of stampers produced or NCMR (Non Conforming Material Rejects) with the power of electricity consumed as recorded in the meter installed at the replicating machines.

2.1.6 We were studying not only implementing the file registering keystrokes in the computers used in the Stamper room but having off-site monitoring so that the tampering of these data in the end-user site could be detected.

2.1.7 Biometrics technology was then considered as cumbersome because it was slow in control access of a large number of employees moving in and out of the restricted areas. But, it was useful in managing access to small premises such as the stamper lab, MIS and WIR storage room, and access to sensitive computer workstations.

2.1.8 To control the perennial problem of piggybacking at the central entrance/exit points, we not only use CCTV coverage but also installed turnstile with access control.

2.1.9 We used computer system with the now out-dated bar code technology to track the production and disposal/destruction of stampers, along with manual recordings.

2.1.10 We made use of the access control readers and perimeter CCTV cameras to replace the guard clocking system. Not only we cut cost on acquiring and maintaining separate clocking system but the use of motion detecting CCTV and access control readers were effective in monitoring the guards on patrol in the premises.

3. The Soft Ware -Understanding Industrial Needs:

3.1 My exploration of the subject Software is more slanted towards providing the security audit and consulting services. Neverthless, I am convinced that it is also applicable to those security practitioners who manage security within business and commercial organisations. I feel that more proactive approach and ingenuity, and the deep understanding of the industrial needs are essential ingredients if we are to succeed in this fast changing area of interfacing IT, technology and security. In this respect, it would be best if a security management company has in its stable hands-on practitioners of Security Management who are not only resourceful but also realistic and sensitive to the prevailing market needs in general and client requirements in specific. We sell only what our customers want to buy.

3.2 In the real business sense, even more reputable security management companies in my country Singapore have yet to establish a domain for itself as a provider of Total/One Stop security solutions and services. The commonplace impression of some top notched security companies is that they are organizations that supply uniformed armed and unarmed guards. I am all for the idea that there should more room to improve upon the synergy within these organizations. More often than not, there are the nagging suspicions that each internal arm of the security management companies focus more on its own sectional interest and compete against one another for the scarce internal resources, and that often the right hand does not know what the left hand is doing.

3.3 I use the example of one security Management Company which I had once served. In its set-up, there is a Security Consulting (SC) Department, which has for years labored under the stigma that it is a money losing entity. Viewed from a more refreshing perspective, why cannot SC be regarded as a door opener to other services instead? Through SC, which secures the beachheads, their customers should be made known of other security services available within its parent organisation. It is commonsensical that a Security Audit would lead to recommendation and implementation where other services are also sold. Consultants should not feel ashamed or feel that they must be impartial when it comes to selling other services provided by their own company, provided these services are also up to the competitive mark vis-à-vis other competitors in the market. Example, SC can help sell the debugging services of its investigation arm in their security consultancy work with their clients. (Vice versus, Investigation outfit in its corporate instigation assignments could also recommend to their Clients to take up security audits offered by SC).

3.4 Security Consultancy by itself should also be highly attuned to the needs of the customers, and avoid giving the impression that they are guilty of applying industrial templates. In my experience, for example, some customers – contract manufacturers – are driven by their principals to have sound and comprehensive security management programme to safeguard their products and services. Microsoft with whom I had dealing in my previous job is one such example where it has a strict set of security requirement enforced on its contract manufacturers, which are also subject to periodic pre-informed and surprised security audits. Visa, the other example, has also a highly professional set of certification programme for its vendors so much so it has become a prestige in the industry to have a VISA certification (for which a yearly fee of US$45K is chargeable by VISA). In related vein, some customers are using security as a force multiplier in selling its services – especially in the IP related fields to garner more sales from their principals. This is an additional dimension we should address instead of the traditional security preventive and protective approach that is more slanted towards counter intruders/external threats.

3.5 Another point, which Security Consultancy has to bear in mind, is the need to pay some attention to work or manufacturing processes of the customers in reviewing and recommending them security programmes. Here is where oft-used security templates are inadequate to serve the purpose. The consultants in their initial threat analysis has to critically identify, define and prioritize the security vulnerabilities of their clients’ organizations – whether they are from within or without, and recommend and design the security solutions accordingly. Most of the time, the problem comes from internal – employee thefts, sabotage and other work-related abuses but more often than not the recommendations wrongly focus on defense against intruders. And in considering the security protection of the product and services, attention must be clear as to at which point of manufacturing process the product assumes a street value and becomes vulnerable to be stolen. One example of security recommendation in relation to product cycle or manufacturing process is the introduction of traveler’s log which monitor the flow of the products from one point to the other, documenting and authenticating their proper handing and taking over at each station. The other is to give attention to the handling and disposal of NCMR – non-conformance Material Rejects or wastes.

3.6 A successful security management programme is never complete without a comprehensive set of security manual – encapsulating all the security policies and detailing the security procedures. Therefore the initial crafting of this manual is important as it is supposed to provide the continuity of the whole security management programme throughout the life span of the organization regardless of the changes in security management and personnel. Also, the manual needs to be constantly reviewed and updated to meet change and new challenges in operating environment. All decisions that affect security implementation and execution made during meetings must be clearly documented filed and wherever possible reflected as changes or amendments to the existing security manual that contain the policies and procedures. This is essence is the Software aspect of Security.

4. People Ware – The backbone of Security.

4.1 And, it is often the People Ware that causes the whole security management system to crumble, in spite of the availability of the best Hardware and Software. In my implementation of security in my previous company, to tackle the problems caused by the factor of People Ware, I placed a lot of stress on the following: –

4.1.1. Security must be fully supported by Management – meaning there is somewhat a direct line of reporting between the Security Management and the Senior Management. (I reported to the CEO in my previous jobs as Security Manager).

4.1.2. There must be a sense of ownership among the executive levels – the head of departments – when it comes to implementation of security. For example, in my previous company I put in place weekly security and ops co-ordination meeting where the Heads of Department were made to discuss security issues and endorse security procedures. (I actually piggy-backed the security portion on the weekly ops meeting by making the GM of the plant to chair it or else I would never be successful in getting all the Dept Heads together to discuss security related issues.)

4.1.3. Security awareness programmes are regularly held to disseminate them to the employees, for example in orientation and induction programmes for new employee’s security briefing is mandatory, besides regular postings of notices and security posters.

4.1.4. The Security force – be it the in-house officers or agency hirees, or a matrix comprising both – should be highly motivated and trained to enforce the security procedures and measures. There is close hand supervision of the Security force and regular dialogues with the Agency representatives to ensure that the manpower is kept at tip top condition.

4.2 In offering of security manpower services, clients are often governed by the desire to source for lowest cost initially. But with rock bottom prices, clients must be made to realize that they are not getting quality services. Then they will soon realize that they would have to bear the inconvenience of having to change security agencies every now and then when they are found lacking in their services or providing sub-standard manpower. So, we need to educate client that for a premium over the rest of the other providers they are getting value for money services – trained and trainable men, minimal disruption caused by absenteeism, and an round-the-clock open line of ground communication with management representative of the security force. Easier said than done? From my experience, having stood on both sides of the fence, as a security guard agency operator and security manager, the key figure is the middle level manager and supervisor. For, the quality of the guard force is ever predictable and limited by the supply pool across the security industry. It is the operation executive, the supervisor or the ground agency manager that make the difference – willingness to maintain a good ground relationship with their clients, responding swiftly to their needs and having good resourcefulness in motivating the guards and juggling the numbers to meet shortfall and exigencies.

4.3 So, the emphasis should rest on not frantically securing new contracts, and losing them as fast as you would catch them. Rather, the effort should be built on securing existing jobs, consolidating and improving upon them so that the customers would continue to engage the services in spite of higher price. Only then, with reputation and credibility build up, new contracts could be earned.

4.4 When I was in the States attending the AMD Security Manager workshop, the professionalism and smart turn out of the agency security force impressed me. I felt that they took pride in their jobs and identified closely with the company – AMD – that engaged them more as contract staff. The answer I found out later lied in a sound management philosophy translated into practical ground execution which they proudly called “partnership programme”. Under this programme, the guard force were treated as if they belonged to AMD – discrimination between them and regular employees were minimized and they were made to participate in sports and welfare programmes of the company. And, back in Singapore, practicing from my end as Security Manager, I tried to emulate this programme with the guard force supplied by the Agency in both form and substance. It worked to a certain extent as I managed to retain one single agency for many years and had a few loyal guards who chose to remain in their post over prolonged period. Example: when I took over I re-designated all security personnel from security guards to security officers, even renaming the guard post as security post. This was a true morale booster, and served well to embolden them to be more pro-active in checking on employees, and committed to their roles and functions.

5. Conclusion

5.1 Security is more a living art rather than a hard science because it encompasses so much variables – cutting across so many disciplines from the understanding of technology, work processes, public relation, marketing and people’s skills. It is through the effective integration of the three Ws – Hardware, Software and People Ware – that a sound and comprehensive security management programme can be put in place. So, a competence security practitioner, whichever end he represents – should not rigidly stick by the books but he should ever willing to be flexible, resourceful and sensitive to the ever-changing security landscape and market needs. Text-book knowledge in the final reckoning provides sound fundamentals for the security practitioner to discharge his duties efficiency but the willingness to learn new skills, applying them resourcefully, readily adapting to the fast changing environment and having a deep empathy for people makes him a truly professional. And, the traditional value of wisdom, which effectively means experience plus knowledge plus application, does play an important part; it is therefore not surprising to find a good security professional also a grey hair man.