The security director looks at system design as a process. For the implementation to be relevant and effective, it must address the needs of the organization and be tempered with a complete understanding of constraints. The needs are identified by determining
- the assets at risk, including people, processes, property (intellectual and physical), production and infrastructure (power, environmental conditioning, voice/data communications);
- the threats to those assets (theft, vandalism, sabotage, terrorism);
- the likelihood that the threats will occur; and
- the effects on the organization if the threats do occur.
The constraints to an organization’s security program come in many flavors. They may be organizational, operational or cultural. They may have to do with equipment compatibility or commonality, public perception, codes, standards, or available funding.
Only when we understand the security needs thoroughly can we reach into the security manager’s toolbox and apply the most appropriate solutions to deter, detect, deny access to and apprehend perpetrators. Traditionally, the security director has relied on this basic model to determine the best solutions for a given site, but the model is now evolving.
The New Business View
Businesses now ask that security managers no longer consider security as the main objective, but instead design their programs with a business-centric mind-set. Today’s senior management is less interested in protecting the building, its structure and its physical and human component, than with protecting the business—the organizational entity without which the physical components have little meaning. The security department’s goals must now be aligned with the objectives and mission of the business; security’s vision must match the corporate vision. In this new world, security becomes risk management, whose reason for being is to ensure business continuity through contingency planning and crisis management.
The security practitioner’s toolbox has not changed—access control and video systems, security operations and investigations remain as valuable as they were. It is the rationale and justification for their application and implementation that is evolving. To put the change of mind-set into perspective, consider a company with corporate headquarters in an urban high-rise and a manufacturing facility in a rural campus that takes advantage of less expensive labor. Traditional security thinking regards the corporate HQ, with its mahogany-row executives, high-level support functions and corporate art as the highest-value asset. However, in true business terms, it is the manufacturing facility that creates the cash flow and corporate wealth. Many corporations now give priority to the protection of the manufacturing facility, and plans and procedures to quickly implement production at alternate facilities in the event of a disaster are at the top of the list.
One of the catalysts that has triggered this change in thinking is the globalization of corporations. However, when we start to look at one of the major security system solutions, access control, we see that many of the operational, design and implementation elements also need to be rethought.
Operational and Design Considerations
Access control systems support operations over a number of areas, including cardholder record design, photo ID badge design, data entry, database management, definition of security zones and alarm descriptions, alarm monitoring and alarm response. The development of corporate-wide standards for these areas is relatively easy for organizations spread only within the borders of a single country, but when there are multiple languages, customs, and even different legal ramifications of the manipulation of personnel data, the task becomes more complex.