Security management never ends and is always pragmatic, partial and selective. This is because:

- There are limits to the amount of information you can deal with - not all factors affecting security can be grouped and treated simultaneously;

- It is a complex process - time and effort are necessary to create aware- ness, develop consensus, train people, deal with staff turnover, imple- ment activities, etc.

Security management can rarely attempt a comprehensive, long-term overview. Its contribution lies in the ability to prevent attacks and highlight the need for organisational strategies to cope with these. This may not seem very ambitious, but we must not forget that often too few resources are allocated for security!

When reviewing a defender’s or an organisation’s security practices, you may find that some sort of guidelines, plans, measures or patterns of behaviour are already in place. Conflicting forces will be involved, ranging from stereotypical ideas about security practices to a reluctance to increase existing workloads by incorporating new security activities.

Security practice is typically a fragmented and intuitive work in progress. Security management should aim to make step-by-step changes to improve per- formance. Security rules and procedures tend to emerge from the parts of an organisation covering specific areas of work, such as logistics, a field team espe- cially concerned with its security, or a manager under pressure by donor con- cerns about security, etc.

Step-by-step security management opens the door to informal processes and allows space for new practices to take root. Sudden events, such as security inci- dents, will prompt urgent, short-term decisions that, if properly managed, will shape longer-term security practices for the whole organisation.