The security measures you invest in are not final solutions. The appropriateness of your security measures, as well as the effectiveness of your entire security program, must be continuously monitored and validated.
—Bob Hayes, Workplace Security Playbook, Chapter 3
Why Bother?
As one security practitioner said to me: “I already know what my security program is about. My company has already approved it, and we’re doing a good job with it. Why should I bother ‘validating’ our program? I don’t really have anything to prove to anyone. I just have to show up and do my job. It seems like a lot of bother for not much gain.” This is why I hate the word “validate.” It just makes the wrong impression.
What Makes a Valid Security Program?
We hear a lot about monitoring security programs, and there are books about that, but we hear next to nothing about validating them.
There are many synonyms for “valid,” and here are some that apply: accepted, authoritative, defensible, effective, justifiable, official, proven, qualified, relevant, robust, substantiated, successful, viable, well-supported and well-founded. You could say that these are key attributes of a sound security program.
The trouble is that “validate” is a horrible word to use, because that word in itself conveys nothing about the value of any actual validation exercise. But I can’t find a better word, so we’ll use it.
Five Reasons
Here is what practitioners have said about validating their security programs. By validating your program, you will:
- Learn the true strengths and weaknesses of your program
- Be able to better articulate the value of your program
- Know how to increase the stability of your operations and reduce your stress
- Be a more effective security advocate
- Be a better mentor to your people
There are more benefits, of course, but these are the ones most commonly reported.
Why It Works
This may seem like an awful lot of benefit for performing a “validation” and it is. The reason that it gets such great results is because you already know a lot about your program, security and your organization. In performing the validation, you get to connect more dots. You get to see around corners that daily activities keep you too busy to see. Your “bigger picture” gets sharper, and you gain greater insight into how to accomplish the things you want to achieve.
A validation provides official “thinking time” in which you get to examine your role and the role of your security program from perspectives that shine a new light on situations, relationships, opportunities and possibilities that just weren’t obvious before. It’s a great first step in increasing the effectiveness and efficiency of your security program.
The nicest thing about it is that you get to do what you often want to do but normally never have the time to do: stop and think for a bit. However, in this case it is guided thinking that is focused on specific results. Each validation perspective is designed to help clear off your windshield, put a little more air in your tires, sharpen your rear view mirror, add some power to your engine, and give you more control from the driver’s seat you are already in.
So let’s get started with "How to Validate Your Security Program: Part one."
