Q. We feel we provide a multitude of security services to our organization. Senior management wants us to demonstrate we are not just providing ad hoc services but have an evolved program. Any ideas on how we approach this?
A. Depending on how you arrived at the list of your services, the issue may be you are only providing discrete security services and not an overall comprehensive security program.
First, let’s define what the SEC means by security program and security services.
Security Services: Day-to-day activities that employees or contractors deliver to customers in support of security risk mitigation. For example, issuance of ID badges for employees; pre-hire background checks; conducting interviews as part of a fraud investigation, are all risk mitigation services.
Security Programs: Designed and aligned with the organization’s security risks and executive management’s risk appetite. Goal-driven and comprised of the necessary security services that will achieve the desired results of the security program’s risk reduction (e.g., business continuity, investigations, personnel protection).
Granted, there is a huge variation on what a program is or how it is defined in different organizations. But sometimes people confuse a set of ad hoc services that have evolved over time with a comprehensive security program.
Do you really have a security program and are you managing program results?
- Is your program mapped to specific risks and does management agree with the risks and your mitigation strategy?
- Is the level of mitigation effort consistent with the level of risk?
- Is your program measurable?
- Does it have defined goals?
- Do you have defined processes? Are they documented?
- Are there (full-time equivalents (FTEs) dedicated to program elements?
- Are the FTEs experienced and trained in providing the program elements?
- Do you have a strategic plan or a schedule for the year?
- Do you have an identified budget?
- Do you have a succession plan?
If you answered yes to these (or most of them), you have a security program. If you mostly answered no, you are an ad hoc service provider. The issue with this for a security leader is, well, a lack of the “leader” component. You are expected to perform certain service as requested by the organization. Comparatively, a security program manager is expected to identify risks and mitigate them. He or she helps define the security requirements and the “best” mitigation plans.
Leading and managing a security program also requires communication and demonstrating the breath of the program; how effective is it; what kind of results is it providing? Ultimately, what is the business value to the organization? You may also want to provide a service directory that demonstrates what the security department does day-in and day-out. At the end of the day, security leaders need to ask themselves: Do I want to be a service provider – or a program manager?
Answer provided by Bob Hayes, Security Executive Council Managing Director.