Establishing a Risk-Based Security Strategy

At a recent security conference, security practitioners were asked to list some of the “important security processes” in their security function. Some responded by asking, “What qualifies as a process?” Others named specific processes such as visitor management, investigations, background checks or security clearance, reviewing critical server audit logs, training, access control (both physical and logical), software patching process, security officer patrols, incident response, departing employee exit interviews and so on.

Out of the many dozens of practitioners asked this question, only one mentioned a process for managing security. This is not surprising.

For many organizations, security management evolves over time out of incident response, or the need to oversee certain aspects of organizational security such as executive protection or supply chain security, or to deal with regulatory compliance. As organizations grow, security needs grow, and sooner or later (but not always) someone is designated or hired to fill a full-time security position. Having been created in response to one or more security problems, the security position often starts in problem-solving mode and before long, the security program grows to become a collection of security practices and activities that are mainly the collected solutions to past problems.

However, for many companies, security is changing from the reactionary function described above to a proactive function that looks and plans ahead. Periodic risk assessments are performed, recommendations are made and the security program advances.

But at the same time, security programs tend to backslide. Processes and procedures are put into place, but they often evolve away from what was initially established. The organization also changes, creating unseen security gaps that are not addressed as quickly as they should be.

As the organization grows and operates, maintaining effective security can become an almost overwhelming activity. Practitioners work too-long days that overflow from one into the next. The daily question changes from “What should I get done today?” to “What can’t I get done today, and what will the consequences be?”

Not all days are equally stressful, and all days do pass. In any given year, a lot gets done, but more often than not when looking back, it seems like more progress should have been made.

This situation hits the most dedicated and sincere security practitioners the hardest, as they take their jobs seriously and take their responsibilities to heart. It can be difficult not to view security shortcomings as personal shortcomings, because “the buck stops here” is a somewhat built-in attitude for many practitioners.

However, there is a very big difference between performing security and managing security, and most security practitioners were performing security duties long before they were managing them. The primary source of stress — the lack of an appropriate process for managing security — is not obvious; thus, neither is the solution.

Process vs. Stress

The term “process” sounds technical, making a discussion about “a process for managing” seem clinical or academic. Many people have negative experiences with organizational processes, for example, mindless execution of prescribed actions regardless of whether or not they fit the circumstances. In some organizations, processes have been implemented by mandate and without sufficient planning and piloting — sometimes resulting in confusion and chaos.

I have talked to security practitioners who bristle at the thought of “management processes.” They are caring and thinking people who do not want any more mindless bureaucracy than what they already have to deal with — and they especially do not want to be the ones creating or mandating it. To them, more process equals more stress, not less.

These ideas and attitudes — while completely understandable — put completely out of reach the most important tool that a security practitioner can have: a sound process for managing security.

Lacking a process for managing, practitioners make up for it through strong intuition; persuasion and favor-asking; over-dependence on communication skills and personal charisma; and working long hours.

Without a process for managing, practitioners can find themselves delegating tasks instead of responsibilities; managing everything down to the lowest detail; looking over everyone’s shoulder; getting frustrated at the pace of accomplishment; avoiding interaction with management; and dealing with high levels of personal stress.

Thus, the personal price for maintaining a good security program can be higher than it should be. How is this different when a process for managing security is in place?

How a Management Process Should Work

Successful implementation of a process for managing security requires putting aside any bad experiences and poor impressions relating to “process” and taking a close look at how a process can be a highly effective and perceptive tool for managing the security function and reducing risks. A good security management process cannot be a blindly mechanical process. It has to include a perception of the organization and its objectives and resources, its critical functions and assets, and the related security risks. It has to be a tool that, when applied, results in sound and executable risk mitigation strategies and programs. These requirements still fit the general definition of a process.

Definition: A process is a set of steps to take to get consistent results. Thus, a process for managing is a set of steps for getting consistently good results in the work of managing, which consists of decision making, action planning and organizational establishment (putting people and functions in place).

A security management process should also be implemented in a way that prevents backsliding. This means that when the security management process is implemented as a business process, it should result in a security management system that is self-correcting and also improves over time. It would be a self-managing system that takes into account changes to the organization and to the risk picture. When run according to design, it should result in reducing security risks to an acceptable level at an acceptable cost, in a manner that is harmonious to the organization (see chart, right).

The process depicted in the Security Management Process diagram can be implemented as an organizational framework for managing and advancing security. To see how that works requires looking more closely at what a management system is.

Management System

A management system is a process for decision making and action planning to achieve intended results in accordance with an organization’s overall policies and objectives. A management system is often also called a framework.

Definition: A framework is a structure that supports or contains something.

There are two aspects of “framework” to a management system. First, the management system model is a conceptual framework containing ideas that guide decision making and action planning. It is what enables the participants in the management process to “be on the same page” and interact effectively.

Second, once implemented, a management system provides an organizational framework that consists of the organizational elements required for effective management. These elements include management commitment, people in organizational positions with assigned roles and responsibilities, management-approved objectives and senior policy to set direction that is consistent with the organization’s overall policies and objectives. Implementing these elements as part of a management system has a major stress-relief effect, as it shifts many of the burdensome aspects of managing security off the shoulders of the security practitioner and onto an organizational framework that is designed to deal with them.

This is why the best way to implement a risk-based security strategy is to establish a security management system that incorporates risk evaluation as one of its process elements.

Management System Models

There are many management system models. The most well-known are those found in the international standards for Quality Management Systems (ISO 9001), Environmental Management Systems (ISO 14001), Information Security Management Systems (ISO 27001) and Supply Chain Security Management Systems (ISO 28001). Each standard defines a management system model based on the Plan-Do-Check-Act cycle, or PDCA for short. PDCA is a four-step process used in quality management and elsewhere as a simplified method of achieving improvements. The PDCA cycle was first proposed by U.S. statistician Dr. Walter Shewhart, and was made popular by the work of Dr. W. Edwards Deming, a visionary leader in the field of quality management.

The PDCA steps are:

1. Plan: recognize an opportunity and plan a change.

2. Do: carry out the plan, on a small-scale first if possible.

3. Check: analyze the results against objectives and specifications.

4. Act: take appropriate steps to close the gap between planned and actual results.

The PDCA cycle is an iterative cycle that is repeated at periodic and event-driven intervals, according to the scope and purpose of the management system using it. Specific application of PDCA to security management systems can be found in a new standard developed by ASIS International and released through the American National Standards Institute (ANSI): ASIS SPC.1-2009 Organizational Resilience Standard. Its title is: “Organizational Resilience: Security, Preparedness, and Continuity Management Systems — Requirements with Guidance for Use,” and it can be downloaded at

Security Management Systems and Organizational Resilience

As stated in the Introduction section of the standard, “The management systems approach encourages organizations to analyze organizational and stakeholder requirements and define processes that contribute to success. A management system can provide the framework for continual improvement to increase the probability of enhancing security, preparedness, response, continuity, and resilience.”

In its white paper entitled “Business Resilience: Proactive measures for forward-looking enterprises,” IBM Global Services defines business resilience as, “The ability to rapidly adapt and respond to risks, as well as opportunities, in order to maintain continuous business operations, be a more trusted partner, and enable growth.”

In its work on business resilience, IBM identified six fundamentals to a successful business resilience strategy, shown in the graphic below. Note that the ASIS Organizational Resilience standard addresses all of them — including “market readiness” — as that requires awareness of the security risks inherent in market changes and in the organization’s plans to respond to them.

Using the ASIS Organizational Resilience Standard

Although not necessary, it would be helpful for a security practitioner who has no familiarity with PDCA-based management systems to team up with someone from the business who does, such as a manager from the IT, Quality, or Environment, Health and Safety department.

With a preliminary assessment of the organization’s critical objectives, functions and assets — and an initial idea of the primary risks to them — the various elements of the security function (prevention, avoidance, deterrence, readiness, mitigation, response, continuity and recovery) can be given appropriate weight in the initial implementation of the management system.

The ASIS standards document itself provides more than 11 pages of guidance for applying the standard. It is important to realize that standards documents are necessarily limited in scope and cannot, for example, provide detailed guidance on how to bring an existing security program under a management system, or on using a common management system framework that covers both security and safety (of interest to companies who want to implement OHSAS 18001, an internationally recognized standard for occupational health and safety management systems, since superseded by ISO 45001).

It is also important to use such standards as tools for management system development, rather than simply a set of compliance requirements. For additional guidance on using the ASIS Resiliency Standard as a tool for improving an existing security program, and on reconciling multiple management systems standards, see

Get Started!

Put a clearly defined process in place for the management of security functions. Practitioners who have done so have commented that their efforts were paid back many times over. To learn more about applying the ASIS Organizational Resilience Standard, attend the ASIS session described in the sidebar on the left.

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), which can be reached at