Security management is what?
What is Security Management? It is a really hard-hitting question for security managers. Sadly many people involved in security management cannot answer it clearly. Intuitive approach is not bad, but getting the answer known would be a great help to focus on what and how they should do for increasing security performance.
The performance of security cannot be estimated by numerical values, though, I suggest an easy equation to imply the elements of security. Here is the one.
Risk = Value * (Threat * Vulnerabilities / Countermeasures)
Companies consider Risk so as to minimize the loss from it. Fully understanding of each factors in this formula would lead you to know about the risk and then apparently define the role of security manager.
The first is Value which means the valuable things separated into 3 categories: monetary value, future value and secrets. If there is no value, there is no risk.
And the next one is Threat, the possible threats which can give you damage regardless of their intention, for example, natural disasters like earthquake, hackers, etc. These two elements cannot be reduced by security plan but the following things (Vulnerability and Countermeasures) are controllable and so more focused when thinking of the role of security manager.
Vulnerability is a kind of hole which can be exploited and hackers harness it in software to exploit users to do what they intend to. And Countermeasures are the methods to prevent the accident. Countermeasures could be firewall, anti-virus software and so forth. Security managers should make their plans focusing on those two elements. They need to search for possible vulnerabilities and to seek for countermeasures against them.
In conclusion, the role of security manager is not to MINIMIZE the risk but to OPTIMIZE it. Assigned budgets would be limited because most senior managers and CEOs don't like to invest into such an invisible matter. Security manager can offer the report of vulnerabilities and show how he or she can reduce the damage from any disasters, then the security plan would be going through the right path without profligate spending.
