Introduction to Security Management

Because system security is the aggregate of individual component security, "system boundaries" must encompass individual users and their workstations. But because personal computers are just that (personal), staff behavior can't always be dictated without potentially hampering workers' overall productivity. Recall that security policy becomes ineffective if it's so restrictive that legitimate user access is threatened. Thus, a key to successful security implementation is finding a reasonable balance between system protection and user autonomy and convenience. The person responsible for finding that balance and actively promoting organizational security is the security manager.

Security management consists of nurturing a security-conscious organizational culture, developing tangible procedures to support security, and managing the myriad of pieces that make up the system. The security manager ensures that administration and staff are aware of their security roles, support security efforts, and are willing to tolerate the minor inconveniences that are inevitably a part of system change and improvement. After all, if personnel circumvent security procedures (e.g., write down passwords, share accounts, and disable virus-checking software), they put the entire system at risk.

Important point. Effective system security depends on creating a workplace environment and organizational structure where management understands and fully supports security efforts, and users are encouraged to exercise caution. The security manager leads this effort.