Q. What do you consider to be some key components in developing a successful security program and, specifically, how should the role align with the organization?
A. In my opinion, organizational structure plays a huge role; however, you have to look at the maturity level of the program because the role and how you manage the program will need to be different for different levels of program maturity. Senior management’s expectations for a startup will be very different from what it will be for a well-funded program that’s been running for 25 years. You have to be realistic about where your program is and what the expectations are.
There are a number of things you need to consider. First, you must have enterprise alignment. You need to know what management expects, what their priorities are and the circumstances under which you are going to be pressed for an opportunity for success.
The next thing you need is a good threat risk assessment. You’ve got to know what types of risks your particular organization might face and what management’s expected response would be. You’ve got to know who might be the perpetrators of certain types of threats and be ready to engage your tools and resources at an appropriate level.
From there you can do an assessment of your current resources. Just about no security leader has all the qualified people, contractors or money they need. So you need to know what you have; rate resources on effectiveness and then identify the gaps to build a solid framework. When we see really successful programs, one thing we can say about them is they have a really solid resource framework from which to respond or to deliver services. Once you get that framework, then I think it is preparation. Do you have a plan? Have you looked at the sequencing of how you might have to respond under certain circumstances? Have you done training for that? Is everybody on your team up to speed?
Develop an extensive communication capability. Another trademark of successful programs is that they communicate well to all the key stakeholders to keep them apprised on risks and your mitigation strategies (that are aligned to the organization). If you’re doing great work it doesn’t matter much if nobody knows about it. The ability to communicate as you manage negative situations is critical.
Then, it’s all about executing your plan. At the end of the day, whatever tools, assets and people you have in place, you have to execute with them to the best level possible. These are some of the key things we see repeatedly in very successful programs.
Answer provided by Bob Hayes, Security Executive Council Managing Director.