New Delhi: The security of a democratic state includes the security of its citizens and today both are contingent on the wider security of the world at large. Similarly, at the level of an organisation its well-being is linked to the security situation within the country.
In the prevailing unsafe environment ‘enterprise security’ could no more be relegated to a set of hired ‘guards’ and security ‘supervisors’ since it has become a ‘mainstream’ function taking care of the organisation as a whole, including its members.
Rise of terrorism as an instrument of ‘proxy war’, targeting of economic lifelines of the country by the enemy and the advent of natural or man-made disasters on the national security agenda have all impacted on the security and safety of organisations — big or small — and put a new focus on the security management of corporate entities.
Terrorism basically is ‘resort to covert violence for a perceived political cause’ and since a ’cause’ was driven by ‘motivation’ it was no surprise that faith-based driving force rooted in ‘radicalisation’ in the Islamic world with its advocacy of ‘Jihad’, had become the new terror threat globally.
Arising out of certain geopolitical developments traceable to 9/11 and the resultant ‘war on terror’ launched by the US, this danger faced nations across the world.
India and its strategic establishments were particularly affected because of cross-border terrorism instigated by Pakistan against the country.
In the post-Cold war era of ‘proxy wars’ there is also the added threat of enemy taking recourse to economically damaging the opponent in order to weaken the latter.
The need for economic security has in the process, added to the ‘mainstreaming’ of security function. Also,the importance of proactive measures required by organisations and individuals to deal with disasters, has further sharpened the role of the security set-up of the enterprise.
A deeper understanding of security of a business enterprise today calls for a conscious adoption of many practices that added upto the mainstreaming of security function.
First, it should be understood that security is basically protection of the three assets of the organisation — physical assets, manpower and protected information, against covert attacks of the enemy.
It clearly runs through the length and breadth of the enterprise correspondingly requiring ‘physical’, ‘personnel’ and ‘information’ security to prevent ‘sabotage’, ‘subversion’ and ‘espionage’ respectively. This makes security a mainstream function by the very nature of its mandate. In sensitive establishments of strategic importance personnel security is of overriding importance.
Apart from ‘antecedent checks’ at the time of recruitment, there has to be an internal ‘vigilance’ set up in place integrated with the ‘security’ function to detect signs of ‘vulnerability’ in an employee — a member given to addiction, living beyond means or developing an unnatural and intimate friendship with an outsider of opposite gender, may have to be taken note of for reasons of security.
As regards security of information, it has to be protected first through ‘classification’ by way of giving the information a marking like ‘restricted’, ‘confidential’ or ‘secret’ and then determining the ‘need to know’ ambit within the organisation. Since most information is now on internet, a cyber security administrator under the IT Act is to be appointed and the security head would be a key functionary working with the latter. All of this makes security a very special function.
Security is an integral or complete looking concept requiring all its dimensions — physical, personnel and information — security related — to be perfected. Further, security being a protection against the hidden attack of the unseen adversary, it is clearly anchored on information about the likely sources of threat that would have to be collated and analysed.
Most business corporates therefore had a central set-up for studying the market, evaluating the competitors and pooling together all reliable information relating to the three kinds of risks already mentioned. It produces what is called ‘Business Intelligence’ incorporating the ‘risk assessment’ for the enterprise. This means that the set-up has to be headed by a competent leader who had the skills of assessing what lay ahead in terms of both ‘opportunity’ as well as the potential ‘risks’. This functionary has to be swift in handling information, capable of making assessments and confident about extending the outreach all the time.
Personal security of the leadership of an enterprise that made a substantial contribution to national economy is an important responsibility of this set-up in view of the recognised concept that a country’s economic power strengthened its national security as well.
The second most important aspect of security is that it has to work on the authority of the top man of the enterprise. The chief of security has a matching knowledge of how various wings of the organisation were working. He should have the locus standi to take note of any flagrant violation of security even by a senior member of the organisation and for that reason alone should have a direct line of communication with the head of the enterprise.
In fact, it is said that the top man should also consider himself as the head of security. Further, since security embraces all resources and members of the organisation it needs to be incorporated at the level of policy and should be one of the determinants of organisational ethics and in fact of the system of management of the enterprise itself. Also, since security does not come cheap it requires planned funding.
On his part the security chief should have the ability to realise that ‘cost effective’ security was the best security even when the organisation was liberal with funding. If two persons can do a job where three were deployed earlier or when the number of steps for completing an operation could be reduced from four to three, this makes the functioning more efficient and cuts delays.
Finally, the ultimate mainstreaming of security is reflected in the dictum — now well established — that the security of an organisation required contribution of all members, high or low in the hierarchy. It flows from the thought that if the enterprise ensured every member’s security then the latter also owed it to oneself to do whatever was possible to strengthen the security of the organisation.
The importance of the security set-up being able to run ‘awareness’ programmes for the organisation as a whole suggests itself. This is best done through periodical informal ‘briefings’ that would also help to facilitate flow of information relevant to security from members to the security chief.
The security set-up has to be manned by people who were information savvy and professionally up-skilled. Such people can distinguish essentials from non-essentials in the context of security, know that ‘you have to reach information — information will not reach you’, have curiosity which creates the ‘spirit of inquiry’, show an interest in human nature and behaviour and have an analytical mind.
The era of ‘proxy wars’ and the advent of cyber warfare have compelled the world to take note of the convergence of economic security, externally instigated attacks on systems on which the governance of the country rested and resort to ‘misinformation’ and ‘deepfakes’ even to influence the outcome of elections in a targeted country.
Artificial Intelligence is getting into security domain — both in analysing the threats and finding solutions for dealing with them. Today, people handling enterprise security have to be familiar with various dimensions of knowledge economy and intricacies of misuse of cyber space by the adversary.
Security has become a demanding function linked to the mainstream of the organisation that was sought to be protected and dependent on people, who had special skills deserving of a higher level of recognition and compensation than what ever was existing earlier.
(The writer is a former Director of the Intelligence Bureau. Views are personal)
–IANS