In What the Defendant Can Do Wrong, security management and risk management expert witness Ira Somerson, BCFE, CPP, CSC, writes on security oversight:
Unfortunately security managers are not taught security management in business schools. Most security problems are business and people problems, but still no serious effort exists (with an established business school) to provide this important curricula to future business executives. Security is taught within criminology curricula, but that is more like preaching to the choir. As a result, a business organization’s operation is usually not structured to include and coordinate security oversight. It is often left to others, not qualified to understand security risks, to assume this important stewardship. This could be an argument for hiring a security manager if your organization does have unique and developed security threats, but it also begs the issue of ensuring that other disciplines within an organization include analysis of security threats in their agenda. For example: audit, safety/environmental, operations, human resources, legal and/or facilities are routinely exposed to security issues. Discovery and investigation will more often than not identify that organizations do not understand or provide desired stewardship of security within their organization.