Establishing a Risk-Based Security Strategy

Implementing a security management process is key

Lacking a process for managing, practitioners make up for it through strong intuition; persuasion and favor-asking; over-dependence on communication skills and personal charisma; and working long hours.

Without a process for managing, practitioners can find themselves delegating tasks instead of responsibilities; managing everything down to the lowest detail; looking over everyone’s shoulder; getting frustrated at the pace of accomplishment; avoiding interaction with management; and dealing with high levels of personal stress.

Thus, the personal price for maintaining a good security program can be higher than it should be. How is this different when a process for managing security is in place?

How a Management Process Should Work

Successful implementation of a process for managing security requires putting aside any bad experiences and poor impressions relating to “process” and taking a close look at how a process can be a highly effective and perceptive tool for managing the security function and reducing risks. A good security management process cannot be a blindly mechanical process. It has to include a perception of the organization and its objectives and resources, its critical functions and assets, and the related security risks. It has to be a tool that, when applied, results in sound and executable risk mitigation strategies and programs. These requirements still fit the general definition of a process.

Definition: A process is a set of steps to take to get consistent results. Thus, a process for managing is a set of steps for getting consistently good results in the work of managing, which consists of decision making, action planning and organizational establishment (putting people and functions in place).

A security management process should also be implemented in a way that prevents backsliding. This means that when the security management process is implemented as a business process, it should result in a security management system that is self-correcting and also improves over time. It would be a self-managing system that takes into account changes to the organization and to the risk picture. When run according to design, it should reduce security risks to an acceptable level at an acceptable cost, in a manner that is harmonious with the organization (see chart, right).

The process depicted in the Security Management Process diagram can be implemented as an organizational framework for managing and advancing security. To see how that works requires looking more closely at what a management system is.

Management System

A management system is a process for decision making and action planning to achieve intended results in accordance with an organization’s overall policies and objectives. A management system is often also called a framework.

Definition: A framework is a structure that supports or contains something.

There are two aspects of “framework” to a management system. The first is the management system model, a conceptual framework containing ideas that guide decision making and action planning. It is what enables the participants in the management process to “be on the same page” and interact effectively.

The second aspect appears once the system is implemented: a management system then provides an organizational framework that consists of the organizational elements required for effective management. These elements include management commitment, people in organizational positions with assigned roles and responsibilities, management-approved objectives and senior policy to set direction that is consistent with the organization’s overall policies and objectives. Implementing these elements as part of a management system has a major stress-relief effect, as it shifts many of the burdensome aspects of managing security off the shoulders of the security practitioner and onto an organizational framework that is designed to deal with them.

This is why the best way to implement a risk-based security strategy is to establish a security management system that incorporates risk evaluation as one of its process elements.

Management System Models