Corporate Security (Structure, Roles, Duties)
KeywordsCorporate security Crime prevention Environmental design Ethics and compliance Workplace violence Collective bargaining agreement Electronic security systems Design basis threat Classical persuasion model – CARVER
Corporate security is responsible for overseeing the physical protection of a company’s property, personnel, data, and intellectual assets, as well as identifying, mitigating, and managing security and safety threats to the company’s resilience and continuation.
Corporate Security focuses on the application of governance practices to ensure company principles, polices, and procedures are identified and applied as designated within the organization. Two major changes in corporate security since September 11, 2001, include the types of people who serve as directors and the policies implemented (Nemeth 2018). Initially, the majority of security directors had been retired law enforcement officers who worked predominantly in inner cities, trying to reduce crime and assist the public. Corporate America’s mentality was that retired law enforcement officers would be good directors because they had the experience and expertise in dealing with security and criminal matters (Nemeth 2018). Organizations today are seeking security professionals with former military experience or law enforcement backgrounds, as well as an advanced degree in business, security, or management (McCrie 2016). These directors need to know about both public and private security notions, including: community policing, crime prevention through environmental design, electronic access control and monitoring systems, loss prevention, protection of intellectual property, how to deal with active shooters, and implementing emergency management (Nemeth 2018).
Corporate Security continues to face challenges as corporations expand and increase their profits, requiring private security to protect its assets (McCrie 2016). Many organizations are now hiring Chief Security Officers (CSO). The CSO is an organization’s most senior executive accountable for the development and oversight of policies and programs (The Hallcrest Report II). The CSO is part of the C-Suite (i.e., titles beginning with “chief”) which is usually the most senior executives in the organization (e.g., Chief Executive Officer, Chief Marketing Officer, Chief Financial Officer).
Chief Security Officer
The CSO is responsible for the protection of life and property of all those working at or visiting the company’s facilities. The main duties of the CSO is to forge interdepartmental connections (e.g., Facilities, IT, Legal, Communications, Human Resources and Procurement) and to develop policies and strategies that safeguard and protect all assets owned by the organization. It is important for the CSO to stay current regarding all internal and external security and safety related issues. The CSO must ensure the security staff are properly trained and equipped to deal with potential issues that arise and mitigate these hazards as quickly as possible (see “Personnel Security: Training” in this encyclopedia). CSOs manage all investigations and formulate strategies to respond to serious events that may impact the organization. Events, such as labor disputes, weather conditions, power disruptions, terrorism, and active shooter incidents, can impact an organization on multiple levels. Their ability to interface with external organizations, from law enforcement agencies to local community groups, is vital to their success, as is their ability to understand accounting and budgeting responsibilities. Finally, CSOs must be able to communicate their visions to the organization effectively.
Challenges for Corporate Security Department
So, what exactly are the challenges of Corporate Security department? In this section, the six challenges that corporate security departments face (i.e., Budgets, Electronic Security Systems, Workplace Violence including Active Shootings, Fire Safety, Communications and interfacing with External Agencies) are discussed.
The Chief Security Officer is first tasked with creating and maintaining a budget in efficient and effective manner (Harrison 2014). Large organizations have security in the hundreds of thousands or millions of dollars. The Corporate Security executive must interface with senior management and finance departments to ensure the security budget remains on track for the company’s calendar (i.e., January 1 to December 31) or fiscal (i.e., covering 12 consecutive months, but starting in any month) year.
Two factors that security departments take into consideration are direct labor costs and operating budgets. Direct labor costs are factored by the number of employees you have within your department and the benefits you provide for them. If employees in your organization belong to a labor union, many of the costs and pay raises are covered under the collective bargaining agreement (CBA). An operating budget is a financial document that illustrates funds needed to keep the security department operating effectively. Items can range from training, to ESS, uniforms and supplies, just to name a few.
Electronic Security Systems (ESS)
The second challenge for security departments is the understanding and utilization of Electronic Security Systems (EES) your organization employs. This can include the following: CCTV’s, Access Control Systems, Mail Room Detection Systems, Glass Break Detection, Electronic Eavesdropping Detection Equipment, and IT Monitoring Equipment. In many organizations, the IT department will have its own budget to protect the corporation’s data and electronic files. However, when a system is breached, Corporate Security may become involved in the investigatory process working alongside the IT department (see “Investigation: Criminal” in this encyclopedia). There are a few reasons for purchasing an ESS system. The first is to protect life and property. The second is to utilize the equipment with personnel to respond to incidents faster. The third is to create systems that can track and monitor internal and external movements of personnel, visitors, and guests to ensure their safety.
Three factors must be considered when a company purchases any type of Electronic Security Systems. First, the individual responsible for the purchasing of the equipment must decide how the ESS will enhance the organizations operability. The decision will be based on whether a site survey had been conducted and regulatory requirements had been reviewed as justification to add or enhance current ESS. Specifically, the company should survey to determine what advantages the ESS component will afford a company, as well as its costs. For example, an organization seeking to add another closed-circuit television system to an existing system would need to ensure that the monitor(s) is capable of adding an additional camera(s), the length of the cable or wire run to connect the device is configured appropriately, and the correct camera is selected, such as a pan-tilt-zoom (PTZ) or stationary camera, and whether it is functional in low light conditions.
Second, the company must consider the cost associated with the purchase of an ESS. The costs can vary from product to product. It is imperative that a security professional with experience in designing and installing security systems be involved. In determining which vendor to select, it is advantageous to obtain three bidders and always write the Request for Proposals (RFP) for the bidders with two necessary components in mind. Next, conduct a Request for Information (RFI) on each company selected to submit proposals on the ESS project. The RFI is a document used to obtain information about the company which can include their products, services, or suppliers. In many large organizations, the purchasing or procurement department will assist you in undertaking this task. Finally, advise the bidders that the specific camera, monitor, door alarm, panic alarm, and housings to enclose these devices must be used. This requirement will force the bidders to submit proposals using only the requested products and materials. The price difference should be in the labor costs only, which allows an organization to conduct a comparative cost analysis.
Third, the company must develop an oversite group who will be responsible for writing policies and procedures. Determine what the primary purpose would be for installing the ESS system, that is, its specific intention. A policy needs to be written outlining the functionality of the specific ESS. For example, the best performance would be to interface the CCTV’s with an alarm monitor so that when an alarm is activated, the closest CCTV(s) to that activated device should appear instantly on the alarm monitor. This allows the individual monitoring the system to observe in real time what has just happened. Procedures need to be developed instructing the operators what to do in the event of a crisis. These procedures should be reviewed after each incident or at least on a monthly basis (see “Physical Security: Exterior Application” in this encyclopedia).
Workplace Violence and Active Shooters
The third challenge is workplace violence (e.g., hostile workplace, bulling or cyber bulling, stalking, sexual harassment), with emphasis placed on active shooter training (see “Workplace Violence: Preparing, Mitigating, Responding, and Recovering From Active Shooter/Terrorist Threats” in this encyclopedia). In 2016, there were 500 homicides in the workplace and 394 of those victims were intentionally shot and killed (Strom et al. 2010). Additionally, a total of 792 injuries were intentionally inflicted on workers, an increase from 646 the year before in 2015 (Caine 2018; see “Workplace Violence: Assault” in this encyclopedia). Corporate Security departments have become involved in mitigating various incidents, especially when it involves co-workers (Lindell et al. 2015). In most incidents, there is a three-pronged approach to these investigations. Usually Human Resources receives the complaint and investigates it themselves or involves Corporate Security and/or Legal (Sylves 2015). Depending what the corporate policy is, the investigation can proceed in one of many directions. At times when a victim thinks the claim was not adequately investigated, the employee will go to local law enforcement or the media. When this occurs, it is imperative to involve the organization’s communications department. All inquiries should be directed to them, and other departments should be advised not to discuss the case and refer all questions to the Communications Department.
A recent report by the FBI (Silver et al. 2018) examining active shooter cases from 2000 to 2013, provided information useful in understanding the preattack factors that contributed to these incidents in which multiple people were injured and killed with firearms and bombs. All businesses will need both active shooter awareness and mitigation training (Interagency Security Committee 2015; Wallace and Webber 2018). The main information provided included that has been an increase over the past 7 years in active shooter incidents, incidents occurred predominantly in commercial settings, the majority of shooters were lone men, and that more than half of the shootings ended by the shooter either fleeing or committing suicide, particularly after law enforcement engaged with the shooter (Silver et al. 2018).
Many organizations are training their staff on how to deal with an active shooter situation. They are interfacing with local law enforcement agencies and hiring external consultants to train their staff on recommended guidelines to follow during an active shooter situation (see “Public-Private Partnershps: Training and Coordination in Disasters” in this encyclopedia). Depending on your business and your building active shooter plans will vary from location to location. The three primary objectives law enforcement communicate to the public during mitigation training are: “Run-Hide-Fight.” If possible, run from the active shooter safely. If running is not an option, hide from the shooter. Once inside a secured area, lock the doors, turn off the lights, call “911” if possible and silence your cell phones. The last alternative is to grab any item in the area and use it to defend yourself and fight back against the shooter.
Corporate security must “harden” their company to prevent becoming a target. One method to do this is called Design Basis Threat (DBT) which aids in reducing or mitigating risk by implementing physical security barriers or ESS. DBT is a basis for designing systems to protect against acts of aggression against an individual or organization. Examples include placing bollards around the perimeter of your facility to stop or deter a vehicle from crashing into your building, or ensuring all individuals entering your location have an updated access control card or visitor’s badge so former disgruntled employees or visitors who attempt to re-enter the facility will be intercepted (see “Physical Security: Exterior Application” in this encyclopedia).
The fourth challenge is fire safety and laws vary by jurisdiction. In many locations, their security officers act as Fire Safety Directors, Assistant Directors, Floor Wardens, Floor Searchers and Aiding the Disabled to name a few other responsibilities (see “Fire: Prevention, Protection, and Life Safety”). Corporate security departments will need to interface with facility or building managers to become familiar with the fire codes and ordinances. Within the United States, many organizations comply with the National Fire Protection Association (NFPA). The NFPA creates and maintains private, copyrighted standards and codes for usage and adoption by local governments. The NFPA works to achieve these goals by delivering information and knowledge through their more than 300 codes and standards, research, training, education, outreach, and advocacy and by partnering with others who share a similar vision and an interest in furthering their mission (see “Public-Private Partnerships: Emergency Management” in this encyclopedia).
The fifth challenge is communications. Every organization thinks it is prepared for communicating during a crisis, but unfortunately, they may not be. In most instances, corporate security is one of the first departments to learn of a crisis and then it often fails to enact the communication protocol. The Communications Department/Media Information Department can be a significant partner if utilized properly. It is imperative to formulate a crisis communication team to ensure that one strong, accurate message will be sent in a timely manner notifying all stakeholders of the status before, during, and after the crisis (Lindell et al. 2006). It is also necessary to appoint one spokesperson for your organization. This individual should be part of the communications team and will be designated point person to answer all questions and inquires.
Global security departments should consult a communication specialist for every location in which their organization is located. The message will be designed consistent with the type of business it is, the stakeholders it has, and legal requirements. In the last 2 years, misinformation on social media and “fake news” have become a concern for businesses. It is important that any incident affecting the company is communicated to the public accurately particularly as individuals are able to upload and distribute information at the tap of various communication devices. Once information is out there, it is thought to be factual. It is advantageous for an organization to inform the stakeholders of the issue(s) in a proactive manner rather than stakeholders and employees seeing it first via social media.
Interfacing with External Agencies
The sixth challenge for corporate security departments is interfacing and sharing information with other city, state, federal, global, and private organizations. The CSO must become familiar with a variety of external agencies and be able to define both risks and threats to the company depending on its size, goals, structure, and business model (Nemeth 2018). To do this, the Security Professional can use the CARVER System, an acronym that represents the following attributes – criticality, accessibility, recuperabiilty, vulnerability, effective, and recognizable.
The first step is to measure public health and economic impacts of an attack (Lindell et al. 2006). For example, what would happen to your employees or organization if a medical crisis affected your organization (e.g., rubella outbreak, Severe Acute Respiratory Syndrome/SARS that occurred in 2004). The second step is the ability to access and egress from a target physically. Accessibility is the directness of the target to the threat so the CSO must consider whether the organization has created a plan to mitigate or reduce the threat of an attack. The third step is the ability of a system to recover from an attack (Wallace and Webber 2018). The CSO should determine how quickly the organization can be operational after a crisis (see “Business Continuity Plan” in this encyclopedia). The recovery time objective (RTO) is the maximum tolerable length of time that a computer, system, network, or application can be down after a failure or disaster occurs. The fourth step involves the ease of accomplishing attack against the company. By conducting a Strength, Weakness, Opportunity, and Threat (SWOT) analysis, organizations can determine how vulnerable they are to both external and internal threats. The fifth step involves the amount of direct loss from an attack as measured by loss in production. Organizations must equate how lost revenue and reputation may affect the bottom line. In particular, the CSO must determine when a crisis occurs, what the RTO is before a company can recover from a crisis. The sixth step is the ease of identifying the target. Organizations need to focus on how the degree to which specific building, system, or network is relaxed. Once an analysis is conducted, countermeasures must be incorporated. Corporate security must conduct an author or hire an external security consulting organization to do so. Once the CARVER method is applied, it is imperative for the Security Director to reach out to other security professionals within the field, as well as to the various public sectors including city, state, and federal organizations, in order to network and share information regarding how to enhance security on a domestic and international scale.
Corporate security will continue to face internal and external challenges. A paradigm shift in security has occurred due to the introduction of new technology, methods, and trends in response to threats and criminal actions against corporations. As quickly as a threat is discovered in business, it is the responsibility of the corporate security department to mitigate it. This takes strategy, financing, and support from senior management to mitigate risks and operate an effective corporate security department.
- Caine, A. (2018). In response to office violence. Business Insider. Accessed at https://www.businessinsider.com/shooting-drills-at-work-2018-4
- Harrison, R. (2014). Managing and defending a security budget. In R. Harrison (ed.), Security leader insights for effective management (pp. 57–61). Amsterdam: Elsevier Inc.Google Scholar
- Interagency Security Committee (2015). Planning and response to an active shooter: An interagency security committee policy and best practices guide. Accessed at https://www.dhs.gov/sites/default/files/publications/isc-planning-response-active-shooter-guide-non-fouo-nov-2015-508.pdf
- Lindell, M.K., Prater, C.S., & Perry, R.W. (2006). Fundamentals of emergency management. Accessed at https://training.fema.gov/hiedu/aemrc/booksdownload/fem/
- McCrie, R. (2016). Security operations management (3rd ed.). Waltham: Butterworth-Heinemann.Google Scholar
- Nemeth, C. P. (2018). Private security: An introduction to principles and practice. Boca Raton: CRC Press.Google Scholar
- Silver, J., Simons, A., & Craun, S. (2018). A study of the pre-attack behaviors of active shooters in the United States between 2000–2013. Federal Bureau of Investigation, U.S. Department of Justice, Washington, DC. 20535.Google Scholar
- Sylves, R. (2015). Disaster policy & politics (2nd ed.). Thousand Oaks: Sage.Google Scholar
- Strom, K., Berzofsky, M., Shook-Sa, B., Barrick, K., Daye, C., Horstmann, N., & Kinsey, S. (2010). The private security industry: A review of the definitions, available data sources, and paths moving forward (NCJ No. 232781). Retrieved from National Criminal Justice Reference Service website https://www.ncjrs.gov/app/publications/abstract.aspx?ID=254874
- Wallace, M., & Webber, L. (2018). The disaster recovery handbook (3rd ed.). New York: Amacom.Google Scholar
- Doss, K. T., & Shepherd, C. D. (2015). Active shooter-preparing for and responding to a growing threat. Oxford: Elsevier Inc.Google Scholar
- Huehls, R., & Lackey, Z. (2018). Building a modern security program. O’Reilly Media Inc. Accessed at https://www.oreilly.com/library/view/building-a-modern/9781492044680/
- Maras, M-H. (2016). Cybercriminology. Oxford: Oxford University Press.Google Scholar
- Thompson, G. J., & Jenkins, J. B. (2013). Verbal judo: The gentle art of persuasion. NY: Harper Collins Publishers.Google Scholar