There’s just not enough time to pay attention to enough things that need it. When resources are limited, it’s tough to advance your security program. It’s a big frustration for most security practitioners.
This is where a little-known tool called a micro-assessment can come to the rescue. A micro-assessment is a narrowly focused, short assessment that provides support for decision-making and planning.
The purpose of a micro-assessment is to quickly and easily find out enough to make a decision, set a direction or objective, or to perform preliminary or high-level planning.
In any given period of time, usually more things require attention than get attention.
A micro-assessment is a feasible way of quickly giving more things more attention, including getting data you need to make the business case for specific security improvements.
Although many managers and security practitioners often perform micro-assessments mentally, without realizing that’s what they’re doing, there are many reasons for defining the process and giving it a name.
Five Reasons Why Micro-Assessments Are Valuable:
• Most security programs are not documented well enough. It is common to find that documentation for many portions of a security program is out of date or even non-existent. When resources are scarce and “something has to give somewhere,” often documentation efforts are curtailed or suspended. Additionally, visibility into the organization’s risk profile lessens as documentation ages. Micro-assessments are a good way to prioritize documentation improvements.
• Business changes can take the business out of alignment with existing security controls. This can be true for both physical and electronic critical assets. Micro-assessments are a good way to perform a gap analysis.
• Downsizing and budget cutbacks, as well as business expansions, increase risks. Yet related assessments are commonly not included in business planning. Micro-assessments can be a quick remedy.
• Delegation is more effective when a specific task framework is provided. A micro-assessment provides a framework for delegating critical business research.
• It’s easier to enlist participation from other business managers for a named process. The simple formality of having a name for an important business exercise lends credibility to the activity and validates the call for collaboration.
What Really Needs Attention?
That’s the $64,000 question! Just finding out what needs attention can be a challenge. Here are just a few of the many areas where a micro-assessment can determine what needs attention next:
• Business alignment gaps: Check the alignment of security objectives and planning with corporate strategic planning.
• Business unit concerns: Quickly determine what security concerns are most important to middle managers and prioritize them.
• Employee concerns: This is usually a variety of items that could include, for example, a supervisor’s concern about tailgating into a sensitive area, a night-shift employee’s desire to see more active security patrolling, or the appearance of “shady characters” loitering in the parking structure.
• Security program documentation: Determine for each portion of your security program whether documentation is current, needs updating, or is actually non-existent.
• Security camera business value: Provide a video tour in the command center (or bring a laptop) to find out what business managers think about the business value of security camera coverage in the areas they manage.
• Business insight: What are the most critical business processes of each business unit, and how are they vulnerable? How do other business units track performance and report it to management? What are the best-run business units and why do senior managers consider them so?
Following up on Security Metrics