Extreme security program makeover

A guide to building or rebuilding your security program

When you start interviewing stakeholders, begin by asking them what their goal is for their own function or for the business as a whole. Find out the annual business and department objectives, and ask them what they need to be successful. Then start thinking about how your program can assist them in those goals. If HR’s goal is to create an environment where workers are comfortable and want to come to work, for example, then check into the state of the workplace violence prevention program, if one exists. See if you have some tools in your toolbox that can help HR reach that goal.

Once you have ascertained the business and departmental missions, then talk to stakeholders specifically about what they want from security. This will almost certainly be a more difficult part of the conversation. Sometimes other executives simply do not know what they want from security — they know they want to be secure, but they may not be able to verbalize the details behind that desire. That’s why it is important to come with questions prepared: Where is my jurisdiction? Do you expect me to be involved with investigations, ethics and compliance? Then drill down from there to pinpoint specific action items they want you to accomplish.

Sometimes the expectations of stakeholders are unrealistic. Listen to them, write them down, then think through them after the interview to determine which parts of those expectations can be accomplished and build on those.

Where Do You Stand?

The next phase, assessment, is about collecting all the information from your inventory and interviews and analyzing it to determine where your existing program is lacking. One of the challenges of the assessment phase is that you have to know what “good” or “effective” security is if you are going to assess the effectiveness of your own program. That is, you will not be able to see what is missing from your program unless you know what the full picture of effective security is supposed to look like.

Experience is the first place you can turn to see potential gaps. Your past observations should assist you in finding some of your program’s weak spots. But your own experience may be limited by the industries and organizations you have worked in and the roles you held. In other words, any one person’s experiences alone will probably not provide enough insight to help him or her find all the gaps in a new situation.

Industry associations like ASIS International and the International Security Management Association can provide guidance on some of the fundamentals of security. But keep in mind that what might be tried-and-true in other organizations may not work in yours.

The Security Executive Council has worked to develop several tools and resources that set forth a baseline for security programs — a list of the fundamental elements that must be in place for effective security in any industry or type of organization. One of these is the recently released book Adding Business Value by Managing Security Risks, which addresses the core components of a successful program, as identified by Council staff and faculty through many years of research. One of this article’s co-authors has successfully used the Council’s Comprehensive Security Program presentation for a similar purpose. This PowerPoint also lays out the fundamentals of successful security, enabling users to identify elements that are lacking in their own programs. Resources like these are built on the collective knowledge of many successful current and former security practitioners across industries.

Regardless of the tools and resources you use, your assessment phase should compare your existing program with both the needs of the business and the fundamentals of effective security. Make note of where your program struggles to succeed and where it excels, and use that information to enter the final phase, the action plan.

Build Your Plan

Create an action plan based on the resources you have, the goals you have identified, and the assessments you have performed. Include action items that will guide your program development from communication to implementation. You likely will not be able to give all your stakeholders everything they want. You will need to prioritize risks, expectations and initiatives to create the most acceptable risk picture.

Again, your peer groups, your experience, and some outside resources can assist you in the writing of your new mission statement and program. Adding Business Value by Managing Security Risks, for instance, includes actual program elements, documentation, examples, templates, outlines, presentations and other components that Security Executive Council community members, faculty and staff have used successfully in their own programs.