The Importance of Security & Security Management

Risks from terrorism, energy availability, failed states and other sources are growing the timing (Bracken, Bremmer and Gordon, 2008). Everyone around the world takes risks, considered and unconsidered it in their daily life (Carson and Bain, 2008). In this case, security has become a major issue in public, political agenda and academic enquiry (Button, 2008). For surviving in the current competitive marketplace, besides develop their owe market, organizations have to conserve themselves as well. The physical security of the employees and installations, as well as the security of their software and databases are all inevitable to organizations today. This paper is going to describe security and security management at first. In addition, the author is aiming at explore the importance of contemporary management theory in security management based on a deep understanding of information security management. With an explanation of an information security framework, the role of security managers will be revealed.

Security and Security Management

What is security and security management is an essential issue for organizations’ management. According to Oxford Advance Learner’s Dictionary (2004), security is the action involved in protecting against something bad that might happen in the future. Group 4 (1992) identified that professional security is a part of risk management and aiming at reduce the chance by lose prevention. Wilson and Slator (1990) assert that security refers to the effective cost for against theft, fraud, fire criminal damage, and terrorist acts and keep the conservation of assets, personnel and even the profitability of the organizations. Meanwhile, Ramsden (2008) claimed security is freedom from anxiety, exposure to danger. In this case, security virtually consisted into both subjective and objective issues. For objective issues, security is a part of risk management which is relevant to the safe situation and conservation of existing entities. The subjective aspect is concerned on the perceptions of safe and certainty without worries of danger and anxiety. Furthermore, the subjective perception of security is based on the objective security environment. It can also describe security as a protecting tangible and intangible asserts against loss from negative influences (Barefoot and Maxwell, 1987). In addition, risk management which designed to manage potential events that may affect the objective of an organization is present in every branch of the organization and permeates the whole process of it (Ward, 2004). Security which focuses on the negative impacts is virtually the main body of risk management. This means, security is an essential capability of an organization to maintain a state of well being and prevent bad consequences (Paine, 1972). Due to the complicated of security which relevant to historical, psychological, sociological, functional organizational, normative, structural, descriptive issues (Post and Kingsbury, 1991), security management is an academic issue which is inevitable for organizations. This means, organizations have to depend on specialized professional experts to measure and run security management based on appropriate principle or theory and effective corporation (Davidson, 1989). Security managers must have the ability to set both short and long term goals; make and perform plans based on the help, support, input, and communication of the organization (Barefoot and Maxwell, 1987).

Based on the theory of Barefoot and Maxwell (1987), both tangible and intangible securities are existing and interacting with each other in an entity. Information security which virtually exists in both tangible and intangible securities is the most essential issue faces security managers.

Information Security

Information security which is the most relevant factor influence security management should be noticed by organizations at first. The frequent mergers, takeovers, and buy-outs nowadays are making a diverse corporate world (Barefoot and Maxwell, 1987). Security managers must have the ability to set both short and long term goals; make and perform plans with the help, support, input and communication of the whole organization (Barefoot and Maxwell, 1987). According to Wynne (1992), uncertainty, influenced by the organizational action (Hough and White, 2004) which is based on information it gathered from the environment and the way they interpreted the information (Daft and Weick, 1984) becomes the sources of risk. Meanwhile, security management which focuses on manages negative influence impacts over an organization is the main body of risk management. What is more, Hoven (1999) and Zhao (2004) are asserted that information could help organizations make products and services more efficient with effective costs. This means, information virtually is the core of uncertainty, risk and security management. Therefore, information security has been a key element in contemporary management (Chang and Ho, 2006).

Information implicates in every individual and branch both internal and external sources of an organization. For external aspect, information can be viewed to be inherent in the organization and their internal environment (Chang and Ho, 2006). Security managers must receive and analyze information from the policy of government, their suppliers, customers and competitors. With the analysis of information, security managers assist management to implement necessary performance across the organization and monitor the approaches and process which to a large extent will conduct the whole management of the organization (Barefoot and Maxwell, 1987). How security managers get accurate and timely information from external part of an organization is the basic demand of security management. In addition, for internal aspect of information security, security managers should collect employees’ information such as religions, educational backgrounds and family states. Meanwhile, the communication between different departments of an organization is aiming at sharing of information. Due to even a tiny mistake of transmission or understanding of information could directly or indirectly leads to destructive consequences of an organization, information security must based on confidentiality, integrity and availability in this aspect.

With the identified importance of information security, information security management has become a necessary issue of daily life, and organizations need to make sure they have safeguard to defend their own. Information security frame works is aiming at help organizations assess their security controls with privacy and information security regulation based on comply with governance requirement (Germain, 2005). To defend organizations from theft of trade secrets and loss of information, information security frameworks help organizations keep or get commercial advantage and tackle dangers.

ISO/IEC 17799 Framework

ISO/IEC 17799 Framework provides the most comprehensive approach to information security management which is the only practice framework that helps organizations obtain security certification from third party organization (Germain, 2005). With the third party organization involves in information security management, controls of implementation to a large extent could be assured to meet information security requirements. It could also monitor organizations to comply with security audits from financial institutions and insurance companies which could directly or indirectly increase the reputation from the customers (Germain, 2005). According to Germain (2005), there are ten security domains are including in the ISO/IEC 17799 Framework:

1. Security policy requires security managers to demonstrate management commitment to and support for information security. This requires the security manager to have the ability of understanding and analysing the internal and external environment of the organization;
2. Organizational security request security managers to develop a management framework for cooperate and allocate information security responsibility. This requires the security managers to fully understand the flow path and management theory of the organization;
3. Asset classification and control ask security managers maintain an appropriate level of protection for all critical or sensitive assets which exists in the organization. To achieve this need, the security manager need to have a fully understanding of the natural and additional value of every assets that belongs to the organization.
4. Personnel security is for security managers to reduce the danger of error, theft, fraud, misuse of computer resources and make sure the awareness of relevant risks or threats information. This requires the security manager to understand the demands of computer resources needed for different roles in the organization and make sure the staffs have the adaptive technical skill for their job.
5. Physical and Environmental Security require security managers monitor the access to information equipments and prevent damage to information and site for business operation. For this, the security manager needs to have the knowledge of staff and device requirement of sensitive areas of the organization.
6. Communication and Operation Management is used by security managers to appropriately and securely dealing with information process to reduce risk of failure and its consequences which need the security manager to have certain technical knowledge.
7. Access Control asked security managers control access to information to ensure the protection of networked systems and the detection of activities which are not permit by the organization. These also need the security manager to have a very high and full-scale technical knowledge as well as a fully understanding of information demands for each role in the organization.
8. Systems Development and Maintenance request security managers prevent the loss, modification, or misuse of information in operating systems and application software.
9. Business Continuity Management requires security managers develop the organization’s capacity to react rapidly to the interruption of critical activities which resulting from failure, incidents, natural disasters or catastrophes.
10. Compliance asks security managers ensure that all laws and regulations are respected and that existing policies comply with the security policy in order to ensure that the objectives laid out by senior management are met.

The above listed ten core issues are the guideline that the security manager needs to take into consideration in this framework. It is not hard to see that it would not just requires the basic knowledge of security and protection theory but also need a very comprehensive and profound understanding of management theory and skills. Security management stated here would not just be building thicker walls, higher fence or stronger safe. It would be more like to have the knowledge of what, why and how to protect the assets of the organization. The management needs to be operated by highly skilled management experts with updated informatics knowledge for this framework. As the widely use of information technology across industries. This would be more like to be the requirement of security management everywhere.

Conclusion

To conclude, security is not only a state but also the perception of safe. Security could be divided into tangible and intangible aspects. Based on the distinction of security, security managers should focus on both tangible and intangible security. Information security which is a specific element of an organization today could be seen as both tangible and intangible. In this case, it is worth for managers to understand specific work security managers do based on the ISO/IEC 17799 Framework. Besides deep understanding ISO/IEC 17799 Framework, the ISO/IEC 17799 Framework itself is a deep knowledge of contemporary management theory. Therefore, a deep knowledge of contemporary management theory is vital to become a successful security manager.