If you don’t want truth that may be considered harsh…don’t read this!
If I were to ask 100 business owners, or those who are ultimately responsible for them, if the security of their people and assets were important, believe it, or not, only 95 of them would answer affirmatively. Are you surprised that it’s not 100 out of 100 as we would all hope it to be? I have actually had a handful of very high-level executives tell me that security was important to them only within the confines of meeting regulations and requirements to avoid fines. It’s absurd for someone to think like that, right? Or…are they simply answering honestly? In other words, its what most think but would never openly say. Or more likely, it’s what is happening unconsciously for most.
It’s not that people don’t care…
You see, it’s not really that people don’t care, it’s more they don’t believe anything will happen and they are, therefore, willing to accept elevated levels of risk in an effort to increase profitability.
The problem is that security does not generate revenue and, therefore, to a business, outside of regulations and requirements, its little more than an expense and hassle which creates a dangerous view of – “let’s do what’s required as quickly and inexpensively as possible and move on to revenue-generating activities”.
So, if that’s truly the way that you do things and how you view security, in essence, that 95 out of 100 number may actually be far, far less.
Another Unfortunate Perspective
Now, let’s look at this another way and I want to ask you to “dig deep” for honesty as you consider these questions and the implications of your answers:
Who is responsible for ensuring the security of your people and assets? Who have you entrusted, or who do you rely upon to ensure that you are not only doing what is necessary to ensure that you meet regulations and requirements but even further, truly keep your people and assets secure?
First, does meeting regulations and requirements equate to true security and effectiveness in security? Many assume that it does however…it does not. The bigger problem is that many don’t consider it at all. You simply do what you’ve been doing, it works, so just don’t worry about it. That’s exactly why it’s become acceptable to assign such a critical responsibility to someone, or a committee of people, who know little or nothing about it and that exactly what you are likely doing because unless you are a really big company, I doubt very seriously if you have the means or can justify a full-time, professional and highly knowledgeable security professional. Note this: Professional and knowledgeable does not mean retired law enforcement or military.
So, here’s reality in your organization- You take security so seriously that you have assigned it to someone, or maybe a committee of people, none of whom no ANYTHING about securing people and assets.
Now just think about that. Does that make any sense at all?
How we make decisions on security-related matters
Next, think about how you make decisions regarding what security-related elements you will invest in and spend time on each year. This happens to be a problem whether you have a dedicated, full-time professional in the position, or not. When the person that you have tasked with the responsibility for security comes to you with a request for funding for something that they deem critical to organizational security, how is the expenditure request ultimately decided on? Does it go to a person, or possibly a board or budget committee to decide its fate? Likely. The question is, of those deciding on whether or not to do what your “security expert” is recommending, who, or how many of them, know anything at all about what they are deciding upon? First, does anyone have more knowledge or expertise than your dedicated security professional? And, what if you have assigned the responsibility to someone that you know, in advance, has little or no expertise in the critical role in which you have assigned them as a part of another job or responsibility? Why would you ever consider taking advice and spending money on the advice of someone that you know has no expertise? It a loss before you even get started and, even worse, there is a substantial cost involved in the time this person commits to the assignment vs their core competencies.
And finally…funding for security
Do you know how many businesses have told me that they just don’t have the money to put forth a higher level effort on security? Countless! My response to every single one of them? “Yes, you do”. The question is how you choose to spend it. Just look around your business and what you are spending money on. Aesthetics? Comfort? Fun? Contributing more to the bottom line? There are few, if really any things that your employees and customers would find to be higher in priority than security. Think about that.
Unfortunately, this is a sad reality of how security is handled throughout the country. The question is, just because this seems to be generally acceptable, is it what you want for your business? Again, it’s actually ok, until and unless something happens! That’s when what you have or have not done becomes center stage. That’s when you will look back and wish you would’ve done things differently.