How to validate your security program: Part 6

March 8, 2016
Gaining and acknowledging the support of key stakeholders is vital to a program's success

Editor's note: This is the sixth entry in a multi-part series that provides 15 important perspectives from which to validate your security program. If this is the first article you have seen in this series, please read the introductory article before launching into the validation steps:

An attribute is a quality or feature regarded as a characteristic something. What we are calling the "15 Validation Attributes" are 15 characteristics that you can use to validate your security program.

Validation Attribute: Well-Supported

Definition: (organizational)

  1. Is provided with all of the resources needed to achieve its purpose
  2. Has full organizational approval of its objectives and plans
  3. Receives assistance and cooperation in carrying out its plans and programs

There are many kinds of support required to effectively and efficiently carry out a security program. You need support from your staff and contracted service providers, meaning that they do their jobs with just the right amount of attention and initiative, keeping you appropriately informed. You need support from HR and legal relating to investigations, personnel matters, and background checks. You need management approval for policies, programs, and projects. You need funding for security operations as well as for security projects. You need collaboration from IT for networked technology deployments. You need cooperation from executives for executive protection measures to be effective. Emergency response plans require the buy-in and participation of various response team members. And so on and so on.

It can be incredibly beneficial to take a step back and evaluate the support that you get from security stakeholders. And that is what this step is about—rating your security stakeholders and outlining a plan to improve or strengthen support where you need it.

A Simple but Powerful Step

One simple but powerful action that is one of the validation steps, and which has a tremendous strengthening effect, is to accurately acknowledge the support that you receive from your security stakeholders. Just sending a "thanks for your support" note doesn’t cut it and is not what I mean. Accurately acknowledge involves 1) taking a good look at all of the ways that a stakeholder does provide support, and 2) explaining and acknowledging the specific value that each support action has, including identifying the critical elements of your security program that the support actions contribute to.

One security leader got a very positive result by thanking one of her particularly harsh critics for the various negative things that he had said over the past year. In the thank-you memo, she stated: "I just wanted you to know that I appreciate your taking the time to tell me about your concerns for a few specific aspects of our security program. I’d like to meet with you to discuss them in more detail to make sure that I understand them. I am thinking that you may have some suggestions for improvements." She listed the areas of concern. The stakeholder responded to her by saying: "No need for a meeting. I have thought about it more and I think I’m okay with all except the restrictions I am listing below. I have included some suggestions to address them. Please let me know what you think." She was floored. Just the use of the word "please" indicated a change in attitude.

Most of the time active security stakeholders are aware of the fact that they support you in one way or another, but they are not aware of how important their contributions are in terms of the security results.

Stakeholder Value

It is common to find that, absent a specific focus on engaging with security stakeholders, the potentials of stakeholder support are underutilized. Even in situations where a lack of support is a continuous frustration, it is amazing how possible it is to improve the situation. But it does require a little bit of homework first, to set the right perspective. That’s what these validation steps are about.

A fantastic tool for getting started along this line is the Security Ladder of Involvement, from the book "Security Education, Awareness and Training" (page 75) by Carl Roper, Dr. Lynn Fischer, and Joseph A. Grau. The rungs of this ladder include:

  • Ownership
  • Participation
  • Compliance
  • Apathy
  • Avoidance
  • Subversion

Many of us think of security education as a campaign or project that involves posters, slogans, policy reminders and perhaps a live or online security training class or two. That is a very narrow view, as the authors explain:

"Security education is everything we do to enable people in our organization to carry out their roles in our security program effectively and reliably, plus everything we do to influence them to do just that."

My two favorite words in that statement are "enable" and "influence." It doesn’t make much sense to try to influence people to carry out a role if we don’t first enable them with the knowledge and the means to do so. This applies to getting support from the people we need it from.

Validation Steps

These validation steps include an application of the Security Ladder of Involvement. Sometimes it is beneficial to take a break between one step and the next, in case the ratings you come up with prompt more thoughts regarding support for your security program.

Step 1. Download a PDF version of the guidance on using this tool, and a Word template for rating stakeholders, from my Security Ladder of Involvement page.

Step 2. Read the guidance on using the Security Ladder of Involvement. You will use this tool to assess where your stakeholders stand. You will also use it to outline what steps to take over time to advance your stakeholder support.

Step 3. Make a Security Stakeholders List, using the Security Stakeholder Rating Chart Template. Create a list of your stakeholders, including those who are currently helpful, and those who are not or who don’t have security on their radar, but should. Sometimes you have a category of stakeholders, such as night shift staff, traveling salespeople, and so on. Add rows to the chart as needed.

Step 4. Determine the Current Rating for your stakeholders, entering it in the "Current Rating" column. It is a good idea to use the chart’s notes column to further explain the rating. For example, for Ownership, HR may own background investigations, except for senior executive positions, which sometimes are the responsibility of legal.

Step 5. Determine the Desired Rating for your stakeholders, entering it in the "Desired Rating" column. In the notes provide a description of what the desired rating level of support would include.

Step 6. Outline a Support Improvement Plan. Create a new document, and outline a simple support plan with steps for each stakeholder. If a stakeholder is already at the level of support that you want, be sure to make an action item to acknowledge that support in writing. For most companies, it is appropriate (and very beneficial) to write a letter on company or departmental letterhead, or as a company memo. Send one to the stakeholder, with a courtesy copy to the stakeholder’s superior, and one to HR for the stakeholder’s personnel file.

You put a lot of work into your security program. It’s worth taking the time for this simple validation step, to make sure that you are getting all the support that your hard work deserves.

About the Author: Ray Bernard is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 28 years. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com). He is also an active member of the ASIS International member councils for Physical Security and IT Security.