Airlines operate within high visibility of consumers, passengers, and various domestic/international regulatory agencies. In order to provide a service, however, there are numerous ‘back office’ functions and systems required to deliver such services. Both aspects must be inclusive of the enterprise security strategy. In addition to this all-inclusive approach, priority application and security support/coverage decisions must be made or determined to ensure that commensurate focus and resources are applied in the most vital areas, rather than averaged across the organization and operational spectrum. As with all modern business practices and systems, integrated security must be documented, measurable, performance-based and consistent with corporate culture, thereby removing legacy allegations of security being an “art form” rather than an evidence-based support structure of modern, international businesses. Elements of the security plan may be implemented or augmented by service providers, in addition to the requirement to integrate with regulatory agencies and applicable government agencies.
Security must be led and staffed by people with the appropriate level of technical and subject matter expertise who also have relevant, senior business management experience and/or qualifications, as part of the overall corporate system. Security, therefore, must be able to apply its expertise within the universal business and operational structure of the airline and its operations. Consideration of identified security management systems must, therefore, be both technically and commercially relevant. All relevant security resources and support should be owned by the management team and accessible to the relevant business unit without disruption or non-alignment with the business unit's primary commercial objectives.
One of the key shared responsibilities of the security system is that of intelligence. The focus of identifying and analyzing information, events or data is shared across the business, as there are various technical and commercial variants that cannot be found in any one business unit or discipline; a highly collaborative approach, in which security plays a role, is therefore required. Security should also be featured in the documented evaluation and prioritization of information and subsequently created intelligence, along with the collection process and access to current or historical content. This shared responsibility should occur and be evident as an almost daily occurrence, not as a milestone or scheduled convening of featured stakeholders. Processing of collected information and analysis should be inclusive of security. Dissemination of qualified intelligence may include elements of security for public consumption, but it will also require restricted dissemination to a privileged audience. This means security will have the means and capacity to self-distribute but also to collaborate on a wider commercial intelligence agenda and distribution as required. Given the experience and nature of security intelligence, an advisory role may also be assumed to assist other parts of the business to adequately capture, review, report and act upon intelligence-based content. The entire intelligence mechanism must be inclusive of current operational focus, future intent and changing influences, events or trends as they present, to ensure the business is adequately prepared for current and future operational threats or commercial influences.
Events and incidents are inevitable, both those that are forecast and prepared for in advance and those that are unplanned or unscheduled. Response is dependent upon the urgency and threat it poses to the business, its operations or stakeholders. Security will be called upon and possibly even lead in certain aspects of what is deemed emergency response within the business and operational activities. It must maintain an understanding of operational activities and influencing factors, even if not part of its support scope. Identification and activation will also feature security elements, dependent upon the event and required response. Many of the resources, both contracted and in-house, will include security as a means of on-ground reporting, direct support, and control over affected areas, assets and support to people in need. Security will be one of the disciplines represented within the emergency/crisis management plan, business continuity solution and incident response approach. Security may lead at times but it does not own the systems. Advice and guidance, drawn from operational and technical expertise within the security field, will also feature within the response capability and actions of the airline. Events and incidents identified as predominantly security based would be directed by the security leadership, but all aspects of the response, action and follow-up will naturally reside with various other business units and departments.
The Master Security Plan and supporting Security Strategy are aligned with the business’ objectives, tolerance and needs in order to ensure the protection of assets, operational activities and the business’ ability to prevent or recover from a negative event. This resilience will have a dedicated plan to which security contributes. Utilizing all the resources, experience and expertise available to the security department, it will be able to assist in the maintenance of a more effective plan and support the routine review and consideration required to aid the business in being prepared for likely and even less likely events. The accuracy of the application and the timeliness of response will also feature as contributing factors to the business’ ability to sustain and recover from negative event/s. Security will assist in this function. As noted in the function of intelligence, security will contribute to the technical considerations and priority of effort associated with both planning and response to plausible threats. Security’s capacity and capability to respond will also contribute to the overall resilience of the business, as will other supporting/inclusive stakeholders.
Security cannot be measured by its visibility or frequency of application within airline operations. There will at times be compliance or public pressure for specific security measures but the mainstay of security management will be dependent upon the inclusive nature and integration of security within the business, not a standalone business unit. Security will seek out and support the business in all front/back office functions but base their priority of application and budgeting upon an enterprise risk model and resourcing approach. This will result in security assets, vendors, systems, staffing, resources, and capabilities, as defined by the business requirement. Security, like the wider business, will never reach “steady-state” as there will always be a need to analyze events, threats, change, commercial/regulatory variance and the day-to-day security demands of servicing customers in multiple locations around the world. Security, therefore, will evolve, adapt and remain dynamic in order to support airline operations.
Pertains to select or agreed information and data that permits the business to make informed decisions in order to mitigate, manage or prevent undue risk to the business. Until information or data has been reviewed, qualified and evaluated it does not yet meet the standards of commercial intelligence.
Post event/trigger action or measures taken by the business on a routine basis. This includes planned and unplanned instances such as emergencies. There is no fixed timeline for response, with each event or change subject to its own agreed priority or schedule for response.
The commercial entity’s ability to continue and/or recover from both foreseeable and unforeseen events. This definition of resilience is both measurable and demonstrable as defined by metrics pre/post event.
Security is a defined and measurable facet of the business, contributing to growth, profitability and operational pursuits. Security, therefore, must be accessible, understood and supportive across various business units and functions, as determined by the business and supportive technical inputs. It does not operate autonomously or without consideration/impact upon the greater business entity.
Includes physical, information, cyber, personnel and other disciplines associated with security management such as investigations, intelligence, technical services and risk mitigation.