A Security Manager Is Not Merely an Expense, But a Crucial Component of the Company’s Functioning

We spoke with Miroslav Fryšar, President of the Czech Association of Security Managers, about the present security situation in both society and businesses. Our security should not be taken for granted.

The Association of Security Managers unites professionals who are crucial to a company’s operations. Could you explain the role of your Association?
The Czech Association of Security Managers unites security managers, specialists, and other experts in the field. Founded in 2004, the Association has been in existence for 20 years and currently has over 120 individuals who hold security positions in state administration, local government and the private sector. Our mission is to enhance the level of security and elevate the role of security managers within companies and organisations. Our members include security managers, security directors, security specialists, cybersecurity managers, data protection officers, and representatives from academia and educational institutions. These professionals are responsible for safeguarding people, property, and information within their organizations.

Safety and security are often underestimated by companies and institutions. In your opinion, how can this situation be improved?
The underestimation of security has been an enduring issue in the Czech Republic. Typically, society, business leaders, and politicians only respond to specific incidents or significant declines in the security situation. However, their interest tends to wane over time. A crucial measure to address this is the creation of the National Security Adviser position, which is dedicated to a comprehensive and long-term approach to security. The security sector frequently suffers from insufficient financial resources. State institutions are also reducing security expenditures to cut costs. Security services are often understaffed and tend to compete primarily on price. In over half of businesses, security expenses account for less than 1% of the total company costs.

Every organization or company should evaluate its security risks and determine if the existing security measures are suitable for the current risk levels. Both top management and security management need to play crucial roles in this process. For instance, it is problematic that many large companies lack a security manager. In other companies, the security manager does not hold an appropriate position within the organisational structure.

The current security situation in Europe should prompt a reassessment of the role of security within organisations and private companies. Everyone needs to consider whether they are genuinely prepared for emerging threats without waiting for new regulations. It is essential to move beyond the long-standing habit of selecting security services and technologies based solely on cost. We must recognise that a security manager and robust security measures are not merely expenses but vital components of business continuity and overall operations.

What do you think are the current trends in security?
One of the issues is that many organisations and companies are falling behind in technical security. This is largely due to management’s reluctance to invest in this area. Physical security is, therefore, still too dependent on guarding something physically, which is logically the weakest link in the whole system. Another factor is the shortage of experienced technical security specialists on the part of investors, along with the unwillingness to engage such independent experts. Consequently, investors often depend on recommendations from security system suppliers. This approach can not only increase the initial investment in security but also raise the costs of its ongoing operation. Additionally, it creates a significant dependency on specific technologies and their suppliers. Vendor lock-in is now a problem that affects not only IT but also security technology.

In May, you held the annual Security Conference for corporate security managers. What were its conclusions?
The conference covered a broad range of topics within the Security field. The first day was traditionally dedicated to physical protection and crisis management. Presentations addressed the security situation in the Czech Republic, soft target protection, the implementation of the CER Directive, supply chain security, current measures against unmanned aerial vehicles, and trends and innovations in technical security. During the conference, participants were introduced to a new initiative by Czech Air Traffic Control (ATC CR), which offers support to all critical infrastructure entities and other businesses and organisations in the area of UAV protection. The ATC CR will manage a surveillance centre for monitoring unmanned aerial vehicles and provide the design, engineering, and supply of equipment for protection against these devices.

The second day of the conference focused on information protection. The agenda was enhanced by a presentation on the use of robotic systems for building security, which is part of a security research and development project by the Ministry of the Interior of the Czech Republic. Conference participants and all association members have access to the individual lectures.

One of the key conclusions agreed upon by the conference participants is that the primary focus of security management should be on implementing the European CER and NIS II directives. There is no need to wait for the approval of national regulations; instead, it is crucial to analyse the changes in security measures that the implementation of these directives will bring. It is also essential to address the implementation of Business Continuity Management and supply chain security now.

Security systems should be designed based on risk analyses, and installation company proposals should be reviewed by independent experts or specialists in technical protection systems. These experts should also be involved in the design and installation processes, including the professional delivery of the finished work. If such specialists are not available within the organisation, they can be contracted externally. This approach helps prevent potential issues in the operation of technical protection systems and is advantageous for optimising the costs associated with security investments and the operation of technical protection systems.

The conference also brought attention to emerging security risks that we are still learning to manage. These risks can manifest in various ways, such as the arson attacks on different targets currently being observed in neighbouring Poland. The most significant current physical security threats include attacks by unmanned aerial vehicles, active shooter incidents, the deployment of explosive devices, and vehicle attacks. For security managers, these new risks necessitate updating security risk analyses and devising additional security measures.

Penetration tests and resilience tests of security systems are effective ways to verify the functionality of security measures. These tests utilise social engineering techniques and an understanding of the vulnerabilities in technical protection systems. By simulating a real security incident or emergency, penetration testing can identify weaknesses in security systems and measures. Many operators of critical infrastructure and soft targets already conduct penetration testing on a regular basis and consider it a valuable tool for enhancing their security measures.

It is crucial to safeguard information related to security measures. This information should be categorised into different levels of accessibility. The first category includes information that is publicly accessible and intended for visitors to the site. Another category consists of information for employees and tenants of the premises and buildings, which they need to know to adhere to security measures. A special category encompasses detailed information about facility security and access privileges, including guidelines and procedures for security personnel and others involved in implementing security measures. This specific category of information must be protected from potential attackers.

Greater emphasis should be placed on security training, including the education of top management in the areas of security and the protection of sensitive information. Often, top managers lack an understanding of security management requirements because they are not fully aware of the associated risks. Therefore, it is beneficial to organise courses on security and information protection for the leadership of organisations and companies. These courses can also contribute to enhancing cybersecurity and combating misinformation.

Thank you for the interview.