Introduction
Security management is a broad field of management that involves a wide range of asset management activities, physical security, and functions that relate to the security and well-being of organizational human resources. Just like all the other functions of business management (risk management, marketing management and financial management, among others), risk and security management is complex, diverse and multifaceted (Karim, 2007:17). As a result, risk and security management calls for absolute knowledge and skills on the part of the security manager if the latter is to be efficient and effective in achieving security management goals and objectives. Ideally, security management is a management function just like all the others and requires the same level of seriousness. For instance, security managers in any organization, in carrying out the security management function, are involved in identifying and developing the organizational information assets; formulating, documenting and implementing policies, standards and procedures; and acting in accordance with the established guidelines.
In network management, according to Harold & Tipton (2007:7), for instance, security management involves a series of activities that protect organizational information resources and communication networks from access, tampering or influence by unauthorized persons. According to the authors, this function involves a complex series of functions aimed at exercising absolute control over the organization’s information resources through the creation, deletion and absolute control of the organizational security services and systems. In addition, security management involves the distribution of security-related information, the identification and reporting of security-related occurrences, and responsibility for the creation and distribution of security-oriented materials. It also involves granting subscribers authorization for access as well as specifying subscribers’ rights and privileges.
In undertaking the role of security management, security managers utilize management tools such as information classification skills, risk assessment expertise and risk analysis methodologies, which are particularly essential for identifying and forecasting threats, categorizing assets and determining the level of systems’ susceptibility to security risk so as to install appropriate control measures effectively (Erik, 2002). As a result, security management is an art that requires professionalism, skills and a host of experience on the part of the manager for optimal efficiency and effectiveness. The complexity of the environment in which the organization operates presents a great challenge to security managers’ roles and responsibilities, because the security strategy must be sufficiently dynamic to keep pace with the rate of organizational, environmental and technical change. Ideally, security management must support the organization’s quest to be secure, flexible and adaptive to its environment and must be able to make a measurable contribution to the organization’s bottom line and long-term resiliency. However, this has presented a bigger challenge to most business organizations, which has negatively affected productivity in the affected firms.
Both security management skills and security expertise are undoubtedly essential conditions for ultimate efficiency and effectiveness in security management. However, controversy has ensued as to whether security management qualities are more essential than security expertise as far as a security manager’s effectiveness is concerned. As a matter of fact, both security management qualities and absolute expertise are essential for achieving success. However, the order of importance of the two aspects has been a subject of debate over the years. While some indicate that being a security manager precedes being a security specialist, others have insisted on the opposite altogether. This paper therefore discusses the assertion that, in security management, being a security manager must always precede being a security specialist for ultimate success.
The Controversy (Discussion)
According to Vince (2002), good technical knowledge in security affairs is not adequate compensation for an individual’s poor management skills as a security manager. Instead, management skills are more important in this case than mere technical expertise. Being a security specialist may be useless if an individual is deficient in security and overall business management skills. According to Vince (2002), individuals who have very high levels of intelligence, are highly inquisitive and possess both absolute management skills and technical expertise in security matters are the best and most successful security managers. As a matter of fact, though, individuals with a mixture of such qualities are difficult to come by. Consequently, good managerial skills and qualities, which Vince (2005) believes are most essential in security management, form a very strong foundation for successful security managers, since expertise will only arise out of the continued undertaking of security management functions.
According to John (2005:13), being a security expert is one of the many qualities that an effective security manager should have. Ideally, therefore, while security management is the universal set, security expertise is only a subset of the qualities that make up effective security managers. Being a good security manager can lead to a person becoming a security specialist, whereas being a security specialist may not translate into efficiency in security management if the individual lacks appropriate risk and security management skills. To be a good manager, therefore, one should have many other qualities beyond being a mere security specialist (Harold & Micki, 2007:14). According to the aforementioned, management expertise and skills must always precede security expertise, since the latter is a necessary, but purely insufficient, condition for absolute security management efficiency. To be an effective manager, an individual must have the skills to control, coordinate, formulate policies and procedures and design strategies, as well as to appraise the whole process effectively in an endeavor to ascertain the achievement of the set goals and objectives. Ideally, effectiveness in management would therefore call for the manager to have full knowledge of the organization and all its aspects, and a good account of all the constituents of the organization that raise security concerns (Mullin, 1998:234). While a security specialist possesses only technical knowledge of security matters, such knowledge alone cannot amount to effectiveness in security management. Effectiveness necessitates that an individual be fully equipped with multivariate skills, beyond merely being a security specialist (John, 2005:16). According to the author, security management skills must precede technical knowledge for optimal efficiency and effectiveness in security management.
As observed by Vince (2005:2), being a security specialist or a technical expert in security matters is a precondition for efficiency in security management, which can be obtained through extended experience in security management practices. As a result, both security management skills and security expertise must be exhibited in an individual for the efficient and effective achievement of an organization’s security management objectives. Being a security manager would mean that the manager has the interest of the company’s security matters at heart, a factor that will arise only when the individual is a security manager. While being a security specialist is important, management skills are imperative for a professional security manager. To be a professional manager of a complex management function such as security management, an individual must first be well equipped with security management skills. A security manager is therefore a security specialist as a result of being a security manager. However, Starr, Newfrock & Delurey (2003:253) argue that, irrespective of an individual’s skillfulness in security management, one ought to be a specialist in security matters, since a person cannot manage what he or she is not well acquainted with.
The responsibilities of a manager are clearly outlined in his roles and responsibilities. These include planning, organizing, staffing, coordinating and controlling all matters allied to the operations of the organization. Security managers are no exception (Mullin, 1996:296). It would be impracticable, as noted by Mullin (1996:97), to expect that an individual will succeed in undertaking the above-mentioned roles if he falls short of security expertise or is not himself a security specialist, notwithstanding how good he or she may be in management. For instance, for an individual to plan the security matters of an organization effectively, he ought to be an expert as far as the security affairs of the company are concerned. Specifically, the person must have adequate knowledge to carry out a comprehensive analysis of the company’s susceptibility to risk, the absolute security needs of the organization and the security objectives, so as to effectively plan, allocate, coordinate and organize or mobilize the organizational resources towards the achievement of the company’s security goals and objectives. Charles (2009:2) asserts that expertise in security matters is an essential precondition and requirement of an effective security manager.
However, Robert and Gion (2001:12) point out that both security management skills and security expertise must coexist at all times for optimal effectiveness in security management. According to the authors, a security expert lacking absolute management skills is more likely to be ineffective. On the other hand, an individual who is a skilled security manager but falls short of technical knowledge concerning security matters is likely to fail in his or her role, since he or she lacks a clear conceptualization of the organizational security requirements and the essential expert knowledge of how to mobilize the organizational resources effectively towards the achievement of the company’s security objectives. The argument put forward by the authors is that an individual concerned with risk and security management in an organization must possess both skills in security management and security expertise.
Robert and Gion (2001) posit that a security manager must have both the technical aptitude (that is, the required level of security expertise) and optimal business management skills. This is greatly stressed by the International Information System Security Certification Consortium, which asserts that, for an individual to get any certification from the consortium, he or she must demonstrate not only proven expertise in risk and security management matters but also business and security management skills. The importance of the two aspects in a security manager is particularly stressed by the proponents of the consortium, who argue that the latter has offered a viable solution to job stagnation among many security managers. In fact, certification from the consortium is proof that the holder is not only a certified security specialist but also a person who possesses a host of business security management skills essential for the overall effectiveness of the organization. In addition, the certification shows that the holder has adequate and relevant experience in security management and the overall handling of organizational security affairs. Certification by the consortium also requires that the individual possess an impressive record as a security manager, both in terms of security management skills and demonstrated ability as a security specialist (Erik, 2002). As Geoff (2003:78) observes, irrespective of the order in which an individual acquires security management ability and security expertise, both are crucial for effective security management, which is why both are preconditions for certification by the consortium (Erik, 2002).
Security and risk management is a broad and complex field of management that involves multivariate functions such as business risk analysis; identification of the business’s security needs; setting business security goals and objectives; designing and overseeing the implementation of business security plans and related activities; developing access control systems and methodologies; developing organizational security applications and systems; developing the overall business continuity plan; designing cryptography; dealing with legal matters, investigation and the promotion of ethical standards in relation to organizational security issues; managing the company’s operations and physical security; coming up with appropriate security architectural models; taking up the overall organizational security management practices; managing telecommunications, network design and management; and safeguarding information through maximum internet security within the organization (Mullin, 1996).
To be effective in the above functions and responsibilities, competence in areas such as business management, security and risk management, as well as absolute technical knowledge of organizational security, becomes a matter of concern and is therefore imperative. For instance, a security manager who lacks technical knowledge of security architecture and models is more likely to be ineffective in security management practices. Similarly, a security specialist who knows how to design information access control systems and security design methodologies but falls short of skills in business security and continuity planning cannot make a successful security manager. The implication of this argument is that, for effectiveness in risk and security management, both security management skills and security expertise must coexist and support each other for ultimate success.
Security management success greatly relies on the security expertise component of the manager. As a result, being a specialist is more important than being a security manager, a proposition that contradicts the assertion (Charles, 2009:17). According to Geoff (2003:2), security specialists possess an adequate bank of knowledge and experience, and hence can offer varied solutions to different security problems arising within and outside the organization. In fact, a security specialist has a high degree of confidence and can communicate his ideas effectively to the other members of the organizational security team, thus bringing the highest degree of efficiency and effectiveness to the organization’s security department. Moreover, a security specialist has advanced security application skills and technical know-how on how the various security applications and systems in the organization work, the varying security protocols within the organization and the modes and paths of organizational information flow; hence he or she can come up with plans to ensure the highest level of information security. Furthermore, Charles (2009:17) argues that it is only a security specialist who is able to comprehend and effectively use network properties such as ARP, ICMP and TCP/IP. As such, he or she can identify areas of network susceptibility and hence take effective measures to avert any risk of an information security breach.
A security specialist, according to Charles (2009), will be able to identify and use the security management tools and applications that are viable, as well as avoid those that have low applicability in fostering organizational security management effectiveness. This is particularly important for effective risk analysis and for identifying areas of vulnerability within the company’s security systems (identification of potential attackers and targets), so that appropriate precautions can be taken for maximum organizational security. This requires a proven security specialist. Moreover, a person must be a security specialist in order to comprehend the flow and use of information in the organization, including the daily information usage patterns. As a result, the individual is in a position to know when information within the organization is used in the wrong ways, or to identify cases where unauthorized persons have either accessed the information or attempted to access it illegally, which amounts to a breach of information security.
Network engineering skills and expertise are very important for security management effectiveness. In relation to this, an individual has to know the various network components and the functioning of each and every part to enhance overall security management effectiveness. For an individual to be well acquainted with the latter and be able to translate this understanding into effective security management, he or she ought to be a security specialist (Charles, 2009:17).
Furthermore, a security specialist will be in a position to interpret the results of the IDS and IPS systems present in the networks, so as to get more information from the data those systems put forth. For instance, it is unnecessary, and rather time-wasting, for an individual to go around the entire department over a false positive that could be avoided by mere knowledge of the workings and limitations of IDS/IPS systems. To understand all this and save the organization from such predicaments, an individual ought to be an information security specialist, not merely a skilled security manager. Also, security expertise on the part of a security manager is imperative if the latter is to understand all aspects of systems administration, such that an individual given a series of computers with crucial information security needs is in a position to secure them safely while allowing all their applications to run efficiently. In addition, it is more likely that a security specialist will have the best risk management know-how, a factor that gives him all the qualities of a security manager.
A security specialist is in a better position to fully understand and apply the concept of risk management, while being careful to align his understanding with the company’s overall security objectives. This ability, coupled with the high levels of creativity characteristic of security specialists, complements security management skills as a precondition for effective and efficient security management (Richard & William, 2003:22). The above argument therefore leans more against the assertion that management skills should precede security expertise. As the business environment becomes more complex, competitive and multifaceted, organizational security needs are increasing every day. As a result, business specialists have pointed out the need to separate the organizational security functions from the IT department, a factor that has necessitated having security specialists in the organization rather than mere IT managers purporting to manage organizational security (Richard & William, 2003:27). The aforementioned authors argue that, as the security risk factor in the organization continues to increase, security threats are becoming more and more sophisticated, hence necessitating new approaches to security management graced by the highest level of professionalism, security expertise and advanced security management skills. Thus, security affairs in the company must not be left in the hands of just a security or information technology manager but should rather be handled by professionals and highly experienced IT specialists.
Security specialists with advanced experience in security matters are in a position to handle even strategic security management (Charles, 2009). However, effectiveness in risk assessment, which forms the foundation of an effective security management program and of strategic security management, requires an individual to be a security manager, i.e. on top of the absolute security expertise. Strategic management skills in this case enable the security specialist to carry out an effective and comprehensive analysis of the organization’s susceptibility to security risk and present a viable methodology for identifying the convergence of assets, security fears and absolute susceptibility that offers reliable signs of security threats in the business. Management skills on the part of decision makers also help them prioritize the risks depending on their intensity and the dangers posed to the organization, and appropriately recommend approaches or strategies to transfer the risk, avoid it, accept it or mitigate its potential effect on the organization, depending on the organization’s security (Richard & William, 2003:25).
Conclusion
Security management is one of the most important yet complex and challenging business management functions. Security management as a function is concerned with all matters relating to organizational security, ranging from the security of information resources to physical security. As such, security managers’ responsibilities involve planning, organizing, coordinating and controlling issues that relate to all aspects of organizational security. Consequently, it is imperative that security managers have adequate and relevant security management skills and expertise to attain optimal effectiveness. Whether security management prowess or being a security specialist is the more crucial, neither can be downplayed if effectiveness in security management is to be achieved. While some individuals argue that security management skills are more important than security expertise, others claim the reverse. A security manager deficient in technical knowledge of security issues cannot be effective in undertaking his roles. On the other hand, a security specialist who lacks critical security management skills is bound to be ineffective. The assertion that an individual should be a manager first and a security specialist second could be misleading because, irrespective of the order in which they come, both qualities must initially be present in an individual if he is to be effective as a security manager. In conclusion, therefore, the assertion is a fallacious statement.
References
Berinato, S., 2003. After the Storm, Reform. CIO Magazine, 2009. Web.
Charles, A., 2009. Effective security management. New York: Macmillan.
Erik, E., 2002. Build Your Skills: CISSP Tests More Than Systems Security Expertise. New York: OUP.
Geoff, C., 2003. High Rise Security and Fire Life Safety (2nd edition). An Auerbach publication: Taylor and Francis Group.
Harold, F. Tipton., Micki, K., 2007. Information Security Management. London: Cambridge University Press.
John, F., 2005. The Encyclopedia of Security Management.
Karim, H., 2007. Strategic security management: a risk assessment guide for decision makers. Business & Economics. New York: Wiley & Sons.
Michael, S., 2002. Measuring Security RO. 2009. Web.
Mullins, J., 1996. Management and Organizational Behavior, 8th Edition. New York: Prentice Hall Publishing.
Richard, A. Caralli., William, R. Wilson., 2003. The Challenges of Security management. New York: Software Engineering Institute.
Robert, J. Fischer., Gion, G., 2001. Introduction to Security, 6th Edition. Chichester: John Wiley.
Starr, R., Newfrock, J., Delurey, M., 2003. Enterprise Resilience: Managing Risk in the Networked Economy. Strategy & Business, 2009. Web.
Susan, S., Russ, R., 2006. Syngress IT security project management handbook. New York: Syngress publication.
Vince, K., 2002. Qualities of A Good Security Manager: Advanced Technical Expertise Cannot Compliment Poor Management Skills. Edinburgh: Campion.