Extreme security program makeover

A guide to building or rebuilding your security program

Companies are always interested in saving money, but in the current economic climate more of them are trying anything and everything to improve their bottom line. Some are undergoing massive corporate restructuring, some are firing and hiring, and many are asking individual business units to make do with less. These situations often call for the re-engineering, or the from-scratch development, of a security program.

Of course, companies that are not struggling also have a periodic need for a fresh approach to security. Some need a formal security program where there has never been one before. Some require security to start over when they shift departmental responsibilities and move it either out of or into the authority of another function. Some just recognize that their current programs are not adequately securing the organization and ask for a new plan, from either the existing security leader or a new one.

If you are that security leader, you have a big job on your hands. If you have been through this before, you are lucky enough to have experience — good or bad — to guide you. But if you have never been asked to develop a program, or if you are simply uncertain how to proceed, it can be difficult to find the kind of guidance you need.

Consider basing your development process on a four-phase plan that has proven itself worthwhile in several corporate redesigns. In most organizations and in most situations, you will have a good chance of success by breaking your design or redesign into four phases: inventory, interview, assessment and action.

What Do You Have to Work With?

First, you have to find out what you have to work with. If there is a program already in place, catalog the resources available to you. This phase is important even if you have led the security function at this company for years. You may feel you know your assets inside and out, but writing them down in a document or spreadsheet helps you arrange and prioritize them, reminds you of items you have forgotten or under-used, and points out any redundancies in how those assets are being used.

Take a look at the existing systems, policies, personnel, culture and budget, and at how well the organization can absorb change. What is the main focus of the security department now? What is the reporting structure? What is the budget and where does the money go? Does the function have any advocates within management or among the staff? Who are the primary stakeholders? Is the department outsourcing any of its processes?

You should be able to collect this information from existing documents (such as contracts, budgets, previous risk assessments and communications) and by speaking with the existing staff. If you have multiple sites, go out into the field and take a look around. This first phase can be time-consuming, but it is a crucial foundation for the process. Not only will it give you an idea of how you can redistribute or better use your resources, it will help you better understand the business's needs and begin to see what is missing at a baseline level.

What Should Your Mission Be?

Do not jump straight from inventory to assessment. You cannot develop a new plan until you know what that plan is expected to accomplish. If your company is restructuring, your security mission statement may need a little restructuring too.

Set up a series of meetings with the stakeholders you identified in phase one. To develop a successful plan, and to lead a successful security program, you must find out what their desires and expectations are for the business and for corporate security. If you do not, you may build your new program only to have it shot down by unconvinced management. You may also find that when executives are not convinced of the necessity of a given risk mitigation measure, their reluctance is passed down to the employees, who become resentful of the inconvenience the measure causes. Since employee cooperation is often paramount to the success of a security technology or policy, this can easily weaken your entire program.