Having worked with this tool now for almost eight years, I can tell you that its simplicity hides its power. At every organization where we have simply discussed it, security managers couldn’t stop applying it in their thinking, even when we had no formal step in place.
There is more than a decade of research behind this rating chart, and after looking the chart over and understanding each rating, you can perform an “off the top of your head” rating that will be accurate and insightful.
A study performed at Carnegie Mellon University in 2000 revealed that, in general, the more you spend, the less difference each additional investment makes to your security. Early investments in security provide the greatest return.
For example, if you have no locks on the doors to your business offices, and you then install locks, that early investment will make a huge difference in the risk exposure of your business. That’s a no-brainer kind of situation. After that, it requires risk assessment to determine where to invest next to get a return that’s worth the expenditure.
The graph at the top of this article shows the initial steep upward line for security results that applies to early security investments.
Further application of the results of this study has shown that when your security program is less mature, investing in increasing its maturity level has the potential to provide you with the greatest next return on security investment.
The Maturity of Your Security Program
This article links to a chart that you can use to rate your program overall, or any part of it, and make specific improvements (some of which are low- or no-cost improvements) that will raise the effectiveness of existing measures and fill in additional risk mitigation gaps.
When you read the chart, you’ll see exactly how this works. Your own familiarity with your security program is what enables this step to be done so quickly. If your program is large enough and various parts of it are delegated to staff, then each of your staff will be able to quickly apply this to their own areas of responsibility.
There is also guidance on how to rate individual security program elements to the next level of depth, which can help in creating an action plan for the coming quarter or year. Security practitioners often find easily obtainable results that are well worth achieving.
So go to the chart to rate your security program in 90 seconds, and take advantage of the opportunities for improvement that you will discover.
About the Author:
Ray Bernard is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private organizations (www.go-rbcs.com). Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 28 years. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com). He is also an active member of the ASIS International member councils for Physical Security and IT Security and has been a regular contributor to Security Technology Executive magazine for almost two decades.