Rate Your Security Program

Rate Your Security Program

Print Friendly

Most security practitioners don’t get the chance to assess their security programs often enough.

So, to make it easier, I collected together several evaluation approaches that practitioners have found valuable.

They deal with factors determining how easy or hard it is for you to:

  • (a) manage the costs and effectiveness of your program
  • (b) gain broader and more active support within your organization

These approaches are likely to reveal opportunities for improvement from perspectives you have not considered before.

Here are some reasons for taking a special look at your security program and its parts:

  • You inherited the security program from your predecessor, you understand it well enough now and you want to being making improvements.
  • You’d like to start with immediate improvements that could free up your time and attention so you can then focus more on long term improvements.
  • Some program elements need “shoring up”—due to personnel changes or other factors—and you want restore their effectiveness and stability.
  • You’d like to delegate more day-to-day responsibilities and need to figure out where to start.
  • Management has requested a number of security improvements, or has expressed a general interest in improvements, and you need to develop a prioritized list to consider.
  • In order to prepare an annual budget request that includes security program improvements, you need to identify improvements worth making.
  • You’d like to formalize the security program more so that less of the daily activity is ad hoc and more of it is according to plan and established procedure.
  • You want to enhance the skills and knowledge of your personnel according to current and future security function needs.

Why Review or Rate Your Security Program?

Over time, the individual elements of a security program tend to drift what was originally intended, for any number of reasons.

As security responsibilities grow, it can be difficult to make improvements without overloading the existing staff, as well as the head of the security function. When gaps are recognized, or improvements are being considered, it’s important not just to review the people and technology, but also the processes by which security is performed. Without a good handle on security processes, security personnel and security technology are not likely to be as effectively as they could be for you. But all three aspects (people, process and technology) are related, and so these approaches for evaluation address both people and process elements.

  • Manageability provides a detailed chart to help assess your program’s manageability. It also helps you see how to get from where you are now to where you want to be, including lightening your own burden and making it easier for your personnel to do more.
  • Business Alignment provides both a way to rate how closely your program aligns with the business, according to the various stages of security’s focus on, and participation in, the business. Additionally, it presents a way to report this status to security stakeholders.
  • Security Ladder of Involvement is a way to examine and rate the current status of security stakeholders, and also to set short and long term objectives for their roles in supporting security.
  • Relationships and Allies provides a set of questions and a basic chart you can customize for examining the strength and sufficiency of the Security function’s internal organizational relationships and allies.
  • The Prioritizing Tool has two purposes. First, you can use it to gain consensus among security stakeholders, be they top-level decision makers or business unit managers whom the Security function supports. Second, it can be used as a basis for exploratory discussions (one-on-one or in a group) to gain additional insight into the thinking of those responsible for the organization’s critical assets and critical processes.

    Manageability

    Print Friendly

    (Download a PDF Version of this Manageability assessment guidance)

    Businesses objectives change. Personnel change. Economics change. Threats change. Thus security risks change. This is why an organization’s risk profile either improves by plan and action or backslides by neglect or lack of initiative. Even a static security program drifts away from business relevance, either slowly or quickly, depending upon the rate of business and changes to the threats facing the business.

    This is why the managing of a security program must include periodic assessments of the effectiveness and relevance of the security program elements.

    But there are also other reasons why the effectiveness of security decreases over time. Results don’t remain consistent and completely acceptable. As it turns out, there are specific factors that determine how easy or hard it is to maintain intended results and performance.

    Maturity Models: The Key to Improving Manageability

    Just over 20 years ago the U.S. Department of Defense approached Carnegie Mellon University to help solve the key problem of its massive industrial software development programs: the lack of consistent and acceptable results across the spectrum of companies who—at one time or another—were high performers.

    A key discovery was that in addition to having capable people and technologies, organizational capabilities were needed that had not been previously defined or given adequate attention.

    A capability maturity model[1] for software development organizations was created that would enable any organization to be brought forward from its current situation to one of stable and improving success.

    Since that time the basic principles of the capability maturity model developed by Carnegie Mellon have been applied by many organizations to create many dozens of successful maturity models[2], which enable business functional areas to sustainably deliver excellent results while incrementally improving.

    The simple chart below can be applied to all aspects of security, from high level security strategy and planning to daily security operations and incident response. No security program is entirely at one place on the chart. For example, some aspect of your security program may be “repeatable – intuitive but not documented” while other aspects are “documented”.

    The chart below summarizes the basic maturity levels as they apply to a security department or functional area. Without drilling down any deeper into the other aspects of a maturity model, the concepts in chart provide useful perspectives from which to rate a security program overall as well as the individual elements in it, and to identify ways in which valuable improvements can be made.

    More about the Chart

    The chart does not address the risk-orientation or business alignment of your security program. It looks only at the status of processes and organizational effectiveness.

    Without a good handle on security processes, security technology by itself is unlikely to be as effectively as it could be for you.

    The experience and training of your work force is not always enough. Working harder is not the answer. A well-defined process can provide the means to work smarter. It also shifts the blame for “problems” from people to the process. As processes improve, problems become fewer and effectiveness becomes greater.

    Clearly defined and documented processes also make it much easier to evolve your security program to be more aligned with the business, to take advantage of new technology capabilities, and to adjust for changes in the risk picture.

    This chart is not in any way the ultimate security program maturity tool—it is simply a high-level way of looking at the manageability and improvability of security management and operations functions.

     

    Level Characterization Description Results and Objectives
    Level 0 No Security Program
    • Security is given little to no attention.
    • Security measures implemented reactively after incidents occur
    The occurrence of incidents invariably leads to the maximum business impact that could be expected.
    Level 1 Ad Hoc
    • Processes are ad hoc and disorganized, and the organization or department does not provide a stable environment.
    • Success depends on the competence and efforts of the people in the organization, and not on the use of proven processes.
    • Technology is not always used effectively or correctly.
    • In spite of this ad hoc, chaotic environment, organizations at this level often produce products and services that work; however, aspects of operations and projects frequently exceed the resource budgets and schedules planned for them.
    • Success depends upon having high quality people.
    • The talents and capabilities of people are generally not well-utilized, while at the same time people tend to be stressed or burned out.
    The occurrence of incidents often results in the maximum business impact that could be expected.The results of the improvement efforts are unstable and hard to sustain.Thus security ROI is low because the levels of effort and cost are higher than anticipated, and results are less than hoped for.
    Level 2 Intuitive But Not Documented, Also known as Repeatable
    • Security is acknowledged as an important aspect of the business. The level of incident impacts is a combination of good fortune, individual efforts, and organized operations.
    • Expectations, incidents, and assets are sometimes evaluated.
    • Processes follow a regular pattern.
    • Reactive security measures are taken until the security budget is exhausted.
    • The environment is generally stable. The procedures and practices of the processes can drift somewhat what is intended, but are corrected once the results are noticeably less than needed.
    • Technology is not used as effectively as it could be.
    • The minimum process discipline is in place. Process discipline helps ensure that existing practices are retained during times of stress.
    • Basic processes are established to track cost, schedule, and some performance aspects of operations.
    • The talents, capabilities and insights of people are often shared and have a positive impact on operations.
    • However, the results of improvement efforts fade with time, due to personnel changes, business changes, and human nature.
    The occurrence of incidents usually doesn’t lead to the maximum impact that could be expected.
    The results of improvement efforts drift from the intended levels of performance and effectiveness over time.
    Thus security ROI is deceptive and in the long term turns out to be less than expected.
    Level 3 Documented
    • Security is acknowledged as an important aspect of the business. The absence of significant incident impacts is the result of organized operations.
    • Expectations, incidents, and assets are usually evaluated.
    • Security policies and procedures exist.
    • Some best practices are in use.
    • Processes are documented and communicated.
    • Security responsibilities are clearly defined.
    • The organization’s or department’s set of standard processes are established and improved at intervals over time.
    • Standard processes are used to establish consistency across the organization.
    • Technology is generally used effectively as part of well-defined processes.
    • The security’s management establishes process objectives and ensures that these objectives are appropriately addressed.
    • An effective security management system is implemented as part of a well-documented security program.
    • A baseline security program is established based upon commonly accepted security practices.
    • Key security measures are audited.
    The occurrence of incidents normally doesn’t lead to the maximum business impact that could be expected.
    The results of improvement efforts are as intended and permanent.
    Security ROI is as expected.
    Level 4 Controlled
    • Security is acknowledged as an important aspect of the business. The absence of incidents is the result of continuous organizational efforts.
    • Expectations, incidents and assets and risks are evaluated qualitatively on a systematic basis.
    • Security planning ensures that the best security measures are taken considering the budget.
    • Processes are not only documented and communicated, they are monitored and measured.
    • Security responsibilities are clearly defined and are up to date with security requirements.
    • A business continuity plan is in place that considers the organization’s current status, and is properly implemented.
    • Security standards are developed for the various security domains, to establish a minimum level of effectiveness and quality for security operations and actions.
    • A risk-based security management system is established and operating.
    • Using precise measurements, management can effectively control the quality and effectiveness of operations.
    • In particular, management can identify ways to adjust and adapt the processes without measurable losses of quality or effectiveness.
    • Organizations at this level set quantitative quality goals for security operations and event response.
    • Sub-processes are selected that significantly contribute to overall process performance.
    • These selected sub-processes are controlled using statistical and other quantitative techniques.
    • Best practices are generally followed.
    • The results of the department or function’s efforts are permanent.
    The occurrence of incidents virtually never leads to the maximum potential business impact; many incident impacts are negligible due to effective security measures, but not all incident impacts are acceptable. Improvement efforts are ongoing, and their results are as intended and are permanent.The breadth of security ROI increases over time.Security is appropriate for the business sector of the organization.
    Level 5 Continuously Improving
    • Security is well known to be an important aspect of the business. The absence of incident impacts is the result of systematic efforts to continually improve process performance through incremental and innovative improvements.
    • All of the Level 4 elements remain in place and are enhanced by Level 5 improvements.
    • Security standards are developed for the various security domains, to establish a minimum level of effectiveness and quality for security operations and actions.
    • Security measures are audited against objectives.
    • Quantitative process-improvement objectives for the organization or department are established, continually revised to reflect changing objectives, and used as criteria in managing process improvement.
    • The budget is developed consistent with security objective and strategies.
    • Best practices appropriate to the business sector and to the specific organization are applied in the physical, IT and corporate security domains.
    • A validated “Business Continuity and Disaster Recovery plan” exists. This plan considers the organization’s evolution, is properly implemented, and is kept current.
    • Third party agreements define mutual security commitments at the organization’s borders with others.
    • Quantitative information is collected about incidents or close calls.
    • Security measures are selected using objective criteria.
    • The effects of deployed process improvements are measured and evaluated against the process-improvement objectives.
    • Optimizing processes that are nimble, adaptable and innovative depends upon alignment with the business values and objectives of the organization.
    • The organization’s or department’s ability to rapidly respond to changes and opportunities is enhanced by finding ways to accelerate and share learning.
    • A business continuity plan is in place that considers the organization’s evolution, and is properly implemented.
    • The results of the organization efforts are permanent and are kept well-aligned with the business.
    Multiple layers of security result in fewer incidents. The occurrence of all but catastrophic incidents results in negligible business impacts.Security improvements are continuous and are easily sustained.Security operations become more efficient over time, providing an increasing return for the ongoing security investment.Security is well-aligned with the business.

    [1] Capability Maturity Model® and CMM® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University
    [2] For a list of 34 maturity models, along with an entertaining overview, see: http://tinyurl.com/sticky-minds-maturity-models; for over 200 charts on a wide variety of maturity models, see: http://bit.ly/maturity-model-images.

    Business Alignment

    Print Friendly

    (Download a PDF Version of this Business Alignment assessment guidance)

    For more than a decade now business alignment has been an increasingly common security management objective. Research performed by the Security Executive Council presents an interesting picture of the security profession today, and the security programs that security practitioners have developed.

    The research shows the relative percentage of CSOs who have in place or are working on programs that can be characterized as shown below:

    • 75% – Core Security Programs (traditionally common security measures, such as basic policies & procedures, investigations, risk assessment process, workplace violence prevention, awareness programs, reporting policies, access control and so on),
    • 15% – Sector Security Programs (business sector-specific security programs tailored for the specific risk or incidents of the industry such as retail, manufacturing, higher education, electrical energy, hospitality, oil & gas, etc.)
    • 8% – Business Alignment Programs (where they are at the leadership table discussing the security implications of new business strategies and are becoming influential in the business)
    • 2% – Future Security Programs (they are future-focused and very well-aligned with the business, and are involved in its evolution and planning for the emerging risks the horizon and not yet here)

    Most security programs are not 100% in one category. Usually there are many common core security program elements, along with some that are business sector-specific and some that are specifically aligned with the business and the specifics of each facility type.

    Click to view full size example business alignment status chart.

    One way to apply these research results is to create a summary chart like that shown to the left. Place your mouse cursor over the chart to display a larger version. Such a chart can be used to brief both company management and security personnel, and can serve as a year-to-year metric depicting the continuing progress in security program development.

    Don’t underestimate the value of such a simple presentation of information. In some cases, senior executives have asked, “What would it take to make faster progress and get us all the way up to the top of the chart, where we have better risk mitigation?” Of course, you should be prepared to answer such a question—but not with a barrage of technical details or a large budget number. The most easily understood and most quickly communicated answer is one that characterizes the approach that should be taken to perform the required risk assessments, determine potential business risk impacts, and then incorporate the appropriate people, process and technology measures to reduce security risks to acceptable levels, at an acceptable cost.

    These four categories of security programs can be applied to individual security program elements, and also are helpful in guiding thinking about additional elements that would advance the business alignment of the security function.

    Application Tips

    Here are some ways to apply these categories in examining your current security program, and in considering future security program elements.

    1. Create four pages in a word-processing document (use four pages on a writing pad), and title each page in this sequence:
      • Core Common Security Practices
      • Business-Sector Specific Practices
      • Company-Specific and Facility-Specific Practices
      • Business Planning and Future Trends
    1. Core Common Security Practices: Identify and list the security program elements such as card access control, visitor management, security officer patrols, intrusion detection, and so on that are common to most businesses.
    2. Business-Sector Specific Practices: If any of the core elements you listed are strongly tailored for the specific business sector of your organization, move them into this category.Identify and list the security program elements that are common specifically to your business sector, such as shrinkage reduction (retail) or container screening and tracking (supply chain). Include business-sector security conferences participation.
    3. Company-Specific and Facility-Specific Practices: Identify and list the security program elements that are specific to your organization or to specific facilities. For example, it may be a practice in some facilities to escort employees that work after hours to and from parking areas. There may be special cash handling procedures in place, or special audits or security reviews. Your security metrics may be very organization-specific.
    4. Business Planning and Future Trends: Identify and list the ways that you and your security program take into account planned changes to the business and future trends impacting your business. Do you participate in quarterly and annual management planning actions?  Do you have metrics that are leading indicators to business changes (that advance warning instead of after-the-fact reporting)? In some organizations the security function is not actively included in business planning, but is simply informed of changes after-the-fact.

    This is an exercise that is a cross between list-building and idea-capturing. Typically there are more items in the first two categories than in the second two.

    After walking through this exercise once, repeat it again but this time adding onto each page the security program additions or improvements that you think would be valuable. Consult with your security colleagues for those categories where you think outside input would be helpful.

    This is not a one-hour exercise. One successful approach has been to go through the list several times, each time writing down what comes to mind quickly, and then putting the work away for a day or more and letting new thoughts occur in between work sessions. Usually the initial ideas—whether many or few—are followed by more thoughts that occur in the days following the first pass at this exercise. Commonly it’s a process of iterative development, where first thoughts lead to others, and ongoing thinking expands the original picture.

    The primary purpose for this exercise is to provide a way of examining your current security program and considering it from new perspectives and to bring to light opportunities for improvement. Even without a summary status chart, the concepts and ideas make productive talking points for meetings and on-on-one discussions.

    Security Ladder of Involvement

    Print Friendly

    Download a PDF Version of this page:
    Security Ladder of Involvement Guidance

    Download the Security Ladder of Involvement Rating Template (MS Word):
    Security Stakeholder Rating Chart Template

    Ladder of Involvement

    “People’s attitudes toward security in general and your organization’s security program in particular tend to fall into one of six categories, which we’ve put on what we call our ‘ladder of involvement’ in security.

    • Ownership
    • Participation
    • Compliance
    • Apathy
    • Avoidance
    • Subversion”

    —Carl Roper, Dr. Lynn Fischer, and Joseph A. Grau, from page 75 of their book Security Education, Awareness and Training.

    Many of us think of security education as a campaign or project that involves posters, slogans, policy reminders and perhaps a live or online security training class or two. That is a very narrow view, as the authors explain:

    “Security education is everything we do to enable people in our organization to carry out their roles in our security program effectively and reliably, plus everything we do to influence them to do just that.”

    One-on-one education for key stakeholders who influence and direct others can be more important and effective than some of the typical “poster awareness programs” that have no supporting education and training elements.

    Enabling and Influencing

    My two favorite words in that statement are “enable” and “influence“. It doesn’t make much sense to try to influence people to carry out a role if we don’t first enable them with the knowledge and the means to do so. This provides a good yardstick against which to measure the current situation.

    Moving Stakeholders Up the Ladder

    Here is an excellent exercise for security practitioners:

    1. Make a list of the categories of security stakeholders in your organization. For example, Purchasing Stakeholders, Business Unit Managers, Budget Decision-Makers, Risk Assessment Collaborators, ID/Access Badge Holders, and so on.
    2. For each category, identify where you want them to be on the Security Ladder of Involvement.
    3. Make your best estimate based upon evidence and intuition, as to what percentage of stakeholders in each category are at each level.

    Regardless of the scores, consider how your thinking has now changed with regard to your objectives for security education and awareness. Where the results are not to your liking, consider what education, training and awareness elements would help improve the picture. One-on-one collaborative discussions with individual stakeholders to influence and direct others can be very effective in making changes amount the broader audience whom they influence and manage.

    Helping security stakeholders understand their role, and enabling them to fulfill it, is definitely not a “one-shot” action. Depending upon your starting point and also how much happens to be on each stakeholder’s plate at any time, helping the stakeholders could be a series of conversations and supporting actions that take place over a period of months. It’s easier and often more effective to start with small steps, as each action can build on the previous one.

    Basic Steps with Stakeholders

    The following questions can server as the underlying basis for a conversational discussion with security stakeholders:

    1. What is your role in supporting Security?
    2. Are you fully empowered for it?
    3. If not, what would it take to fully enable you in that role?

    Those questions capture the ultimate issues that you want to address. However, the questions are a bit to direct and are usually a bit of a leap for someone to consider, if they have no assigned security role or aren’t aware of or disagree with their assigned role. (Sometimes a role exists in policy, such as is common with information security, but in practice is not given the attention it deserves and can become completely forgotten.)

    Any manager or executive has at least a role in seeing that the personnel in his or her charge apply security policy and procedure and report about any security weaknesses or any over-burdensome security practices. The most effective perspective is not one of “compliance”—which is the historically common approach to security roles—but one of “helping protect the critical assets and critical processes” of the individual’s business unit or functional area. This small shift in attitude can make a very significant difference in the effectiveness of a security program.

    This is why you wouldn’t ask these key questions directly, but would find good success with related sub-questions or discussion points like those shown below each question. The idea is to get the stakeholder’s thinking going in the right direction. At the same time, you’ll have an opportunity to discover the stakeholder’s current concept about security and his or her relationship to it based upon job position or business unit risks.

    The stakeholder group that is furthest away for your objectives for them is a suitable candidate group for your next initiative. Remember that anything you do or say–no matter how small–has value if it helps to enable or influence them to better fulfill their role.

    Obviously these are example questions, and you’d have to determine what kind of discussion is appropriate to have given the security stakeholders in your organization, and the current state of information, physical and corporate security as it affects them.

    Here are some example questions for a business unit manager or executive who has no specifically assigned security role.

    1. What is your security role?
      1. How do you think most managers at your level feel about security in general? Too much, not enough, or something else?
      2. Are there any security policies or procedures that should be changed or improved to be less burdensome or more effective?
      3. Can you think of any ways in which security could or should support your business unit more or better?
      4. Could I ask you to take on the role of letting me know if at any time you think Security should be doing more or doing something differently?
      5. In the future, we may be doing (or updating, if they have already been done) some risk assessments around the critical assets and functions within the company. Before we start that initiative, I’ll circle back and touch base with you about exactly what we have in mind at that time, and provide you with some idea of what our objectives are and what possible approaches might be effective. The idea is to minimize any interruption to your time or that of any of your key personnel. How does that sound?

    Note that in the initial conversation you wouldn’t even address questions 2 and 3 below, as these would come later since the person has just been introduced into their security role.

    Here are some example questions for a business unit manager or executive who does have an officially assigned security role, but hasn’t been giving it the attention it requires.

    1. What is your security role?
      1. In assessing our security program effectiveness, it appears that we haven’t been giving some of our managers (or executives – as the case may be) the support they should be getting for their security-related managerial roles. For example, according to our business planning (notice we didn’t say “company policy”) we should be providing some guidance and assistance to mangers to help them annually assess the criticality of the information they depend upon, to make sure that our business continuity plans are sufficient to keep the business units at low risk from operational interruptions. Over the past few years, do you recall receiving any guidance or communication about this particular managerial role?
      2. Have the results of our last business unit information assessment been made easily available to you?
    2. Are you fully empowered for your role?
      1. Have you been hampered in any way in accomplishing any information protection objectives that you have for your area?
      2. Do you have any current concerns about the current state of business continuity planning for your area?
      3. Is there anyone to whom you have delegated responsibilities in relating to information classification, protection or business continuity planning?
    3. If not, what would it take to fully enable you in that role?
      1. As soon as I have talked to most of the other managers and executives, I’d like to circle back with you and let you know what the general status is across the business units, and what approach we are considering to close the information protection gaps. Between now and then, would you let me know if you have any thoughts or questions on this topic?
      2. We’re thinking of establishing an Information Protection Council for the managers at your level, who would meet once a year, and to whom Security would report progress on initiatives that we undertake. We might have one or two ad hoc meetings throughout the year prior to undertaking any initiatives, or if we want to explore the potential impacts of any new security threats that appear on the horizon. The purpose would be to keep the managers from being blindsided by any new threats, and to provide a channel for feedback to Security regarding the efficiency and effectiveness of our programs.  I guess I could describe this as a small but critical partnership between Security and the business unit managers. Does that make sense to you? Is that likely to address any concerns that you might have now or in the future about the sufficiency of information protection in your area?

    Although information security has been used as the subject area above, this same approach could be applied to protection of critical materials and areas, such as copper storage, clean room manufacturing areas, warehouses, R&D materials, federally regulated materials, and so on.

    Relationships and Allies

    Print Friendly

    (Download a Saveable PDF Worksheet of this Relationships and Allies guidance)

    An assessment of your internal organizational relationships and allies includes an examination of Security’s role in corporate functions and its relationship to other business functions. There are two parts to this assessment. The first part addresses factors that are involved in cross-functional relationships.

    These worksheet pages were inspired by and are based in part on this 2004 article by  Mahesh K. Nalla PhD: Assessing Corporate Security Departments’ Internal Relationships and Linkages with Other Business Functions, Journal of Security Education, Volume 1, Issue 1, pages 29-40. This article presents research on this topic from Security directors and managers from the Fortune 500 and Fortune Service 500 companies who were surveyed to assess the corporate security departments’ relationship to other business functions. Purchase ($37.00) and download Dr. Nalla’s article in PDF format, which provides benchmarking information from the companies surveyed. The major categories of respondents included chemical/pharmaceutical, financial, manufacturing, service, and utilities companies. The article also contains information about security reporting patterns.

    Relationship to Other Business Functions

    1. Are Senior security personnel included in the corporate strategic planning process?

      __ Always

      __ Usually

      __ Sometimes

      __ Rarely

      __ Never

    2.  

    3. Does Security have its own mission statement?

      __ Always

      __ Yes

      __ No

      If Yes, is the mission statement up to date and in alignment with other corporate and divisional mission statements?

      Corporate: __ Yes  __ No

      Division:      __ Yes  __ No (answer separately for each division Security supports or services)

    4.  

    5. Does Security have its own strategic plan?

      __ Yes

      __ No

      If Yes, is the strategic plan up to date and in alignment with other corporate and divisional strategic plans?

      Corporate: __ Yes  __ No

      Division:      __ Yes  __ No (answer separately for each division Security supports or services)

    6.  

    7. Are cross-functional councils, groups or committees involved in setting the priorities for major security risk mitigation actions?

      Check all that apply.

      __ Always

      __ At Security’s Request

      __ At Management’s Request

      __ At Business Unit’s Request

      __ Rarely

      __Never

    8.  

    9. How strong is Security’s influence in determining the priorities for asset protection and risk mitigation actions?

      __ Absolute

      __ Major

      __ High – as Part of Routing Collaboration

      __ Usually Given Consideration

      __ Low

      __ None – Management Dictates

    10.  

    11. What is the level of Security’s participation in the following corporate or divisional decisions?

      1. Physical site location

        __ Major   __  Medium via Requests for Input
        __ Low       __None – role determined after decisions

      2. Physical site design

        __ Major   __  Medium via Requests for Input
        __ Low       __None – role determined after decisions

      3. Employee hiring process

        __ Major   __  Medium via Requests for Input
        __ Low       __None – role determined after decisions

      4. New employee orientation

        __ Major   __  Medium via Requests for Input
        __ Low       __None – role determined after decisions

      5. Employee training

        __ Major   __  Medium via Requests for Input
        __ Low       __None – role determined after decisions

       

    12. Regarding acquisitions and mergers, what is Security’s level of advance participation?

      a. Assess acquisition or merger candidate’s security profile

        __ Always  __ Sometimes  __ Never

      b. Assess requirements for integrating the security functions

        __ Always  __ Sometimes  __ Never

      c. Estimate budget for integrating the security functions

        __ Always  __ Sometimes  __ Never

     

    How would you characterize the roles (whether de facto or specifically assigned), attitudes and effectiveness of Executives and Business Units in ensuring security effectiveness within the organization? (See also the Security Ladder of Involvement guidance.)

    Position or Business Unit Role Attitude Effectiveness
    a.  Chairman      
    b.  President      
    c.  Accounting      
    d.  Administration      
    e.  Communications/PR      
    f.  Corporate strategic planning      
    g.  Facilities      
    h.  Finance/Accounting      
    i.  Health/Safety environment      
    j.  Human Resources/Personnel      
    k.  Information Systems (IS) /
          Information Systems (IT)
         
    l.  Internal Audit      
    m.  Legal      
    n.  Logistics      
    o.  Manufacturing      
    p.  Marketing      
    q.  Operations      
    r.  Quality      
    s.  Real Estate      
    t.  Sales      
    u.  Other (add as needed)      

     

    Prioritizing Tool

    Print Friendly

    This Critical Asset and Risk Prioritization tool is named “Pairwise Comparison”, because it is based upon ranking items by addressing them one pair at a time. It can be used for one or both of two purposes:

    • Consensus Use: To obtain a consensus among business unit managers and/or senior executives (i.e. critical asset stakeholders) for ranking critical assets and risk mitigation measures so that assessment actions and protective measures can be scheduled according to the needs of the business.This can be important when budgeting requires that some security measures may be implemented in the current or upcoming budget period, and some must wait until the following budget period. In the case of annual budgets, a year-long delay may be a significant risk period. For a set of risks that all involve significant potential impacts, a delay of even a few months may result in too much exposure, such as for gaps in regulatory compliance.

      As a security leader, it is a better position to be in to gain consensus among the stakeholders, whose combined opinions set the priorities, than to set the priorities yourself and held to blame for any undesirable consequences of the prioritization decisions you make.

      It is a winning approach to start the ball rolling on the most highly prioritized security measures (per consensus), and then to work with the stakeholders closest to the lower priority set of risks to implement temporary measures that are worth implementing for the sake of lessening the potential business impacts until the full set of measures can be put into place.This approach gains maximum support for you and the security measures being implemented from the set of critical asset stakeholders.

      Financial support for interim security measures sought by business unit managers are more easily approved by senior management, than if presented as a budget request based upon your own personal desires or preferences.

    • Insight Use: When prioritization is not critical or doesn’t apply to get approval, it can still be very beneficial for Security to gain additional insight into the thinking of critical asset stakeholders and the functions that depend upon the critical assets. The pairwise comparison process can be used as a means to obtain specific about risk factors, especially business impact.

      As part of the pairwise comparison discussion, ask: “What are the worst business impacts that could result from [insert critical asset] being compromised?” Often there are multiple types of impacts, such as financial, public reputation, employee morale, production, product quality, partner relations, customer relations, investor relations, regulatory compliance, injury or death, and so on. Another revealing question is, “Who would have to approve doing nothing about the risk of these impacts for the next year?”

      It’s one thing to say “No” to expenditures, another to say “Yes” to the resulting risk. Even when full budgetary support for desires security improvements is available, is it valuable to know what senior stakeholders won’t have to be consulted about risk acceptance―and can instead be informed about risk mitigation requested or approved by the business unit managers.

      This is one way of making the value of the Security function clearly known to senior level management.Another important use of this tool is to enable scheduling of security measure implementation to minimize the disruption to routine or special business activities, and to business unit personnel who may be impacted by the implementation. Areas that will be impacted most by the security measure implementations may desire more time to prepare for them.

    Performing Pairwise Comparison

    Pairwise Comparison is explained, including an example comparison chart, on The Security Minute website’s page about Ranking Critical Assets.