Security & Facilities: It’s time for a divorce

In my little more than a decade of healthcare security experience, I have seen many different reporting structures for healthcare security organizations. One of the most prevalent is the rolling up of security under the facilities management team. This organizational alignment seems like a convenient way to pull all of your functional areas that impact the physical environment together under the Director of Facilities. Still, this arrangement has some hazardous issues, and frankly, it is time for a divorce.

My first concern with the alignment of facilities and security is the general lack of respect for the vast differences in these two disciplines. We would not expect a Security leader to be easily able to take on the leadership of the physical plant and facility engineering functions, nor should we expect the Facilities leader to take on the leadership of security functions successfully. Neither has the experience or education to do the other’s job successfully, and while there are some individual exceptions, in my experience, this is a broadly applicable rule.

Secondly, when someone is leading the security function of an organization without the proper experience or training, two key issues can emerge. First, those hired to serve as the organization’s security experts under the facilities leader will likely be less well-vetted in their security expertise. Second, the chain of command through the facility department tends to preclude the effective education of executive leaders. Neither of these issues is intentional or malicious, but they are a natural result of a lack of expertise associated with the function of security operations.

Finally, there is a natural conflict of interest between identified security and facility needs in many cases. Facility leaders work tirelessly to ensure their facility serves the needs of the organization, and rightly so. However, this can cause workarounds to physical security procedures to be implemented without proper vetting or risk analysis. If the organization’s security management function is not co-equal to the facilities management function, then all security needs will be subservient to facilities’ needs. This subservience can create an unnecessary liability issue for the organization.

In all, it is not my intention to lambast leaders of facilities departments across healthcare – I know I would fail miserably in their respective roles. But likewise, I see most facilities leaders as incompatible with my role. There is a need for healthcare to recognize the Security function as an equally relevant and critical function. Security leaders need direct access to executive leadership for that relevance to be legitimized.

What are your thoughts? Do you think security should be a standalone department? Or, do you think the alignment under facilities makes more sense? Join the conversation in the comments below, and don’t forget to like, follow and share to support the Proactive Security Blog.

4 Thoughts

  1. Part of the problem is that departments have a need to be separate and yet, at the same time, operate in a truly unified platform. This means that security’s IMS should be able to send information to the facilities CMMS so that a work order can be generated from an incident.

    Software used requires closed APIs that allow communication with third party software. Most of the healthcare programs like Midas were not meant for security incidents and the critical needs of security require upgraded notification abilities. Most do not have this.

    Having been a member of IAHSS, and attended various events, I know the biggest problem is the lack of unification amongst hospital departments. The original post bears that out in security being under facilities. With the appropriate software, many of the concerns caused by that hierarchy could be eliminated.

    I am sure there would be some disagreements with this and yes I am a security professional with more than 40 years of experience.

    Thanks for allowing me to make a comment

  2. This is a great point and I couldn’t agree more. Where do you see the best fit for security at this time?
    There is no physical without cyber so should we fall under a CISO and in the same realm as IT?

    Security exists throughout the facility and, to that end, has to have strong enough leadership to stand with leaders across the board and speak up accordingly.
    As with many of these things it comes down to communication backed with sufficient standing to support this and a seat at the table early on in projects. Too often, at least in my experience, security is an add on or afterthought and as such brings added cost and is starting from behind.

    Security needs to sit alongside facilities, IT and the like directly under the nominal head of non-clinical functions, who ideally would have risen from one of these. This role should be able to manage these departments, conflicts and all, to ensure a safe and secure environment for patients, staff and visitors alike.

  3. I think that the security-facilities marriage is a throwback to old school thinking; namely protect the facility and you are protecting the institution. It has become more nuanced than that today. My experience is that the institution members want to “feel safe.” They don’t necessarily want “more security.” Security teams belong at the Enterprise Risk Management table. Security solutions are not always technology additions. However, when they are, the technology is more based in what if/then logic as opposed to inputs and outputs. This seems to favor IT relationships. I think the successful solutions converge IT/security/facilities and risk management.
