How to Validate Your Security Program: Part 15
By Ray Bernard PSP, CHS-III
Editor’s Note: This is the last of a multi-part series that provides 15 important perspectives from which to validate your Security Program. If this is the first article you have seen in this series, please read the introductory article before launching into the validation steps.
|Part One (key attributes)||Part Six (well-supported)||Part Eleven (accepted)|
|Part Two (defensible)||Part Seven (official)||Part Twelve (effective)|
|Part Three (qualified)||Part Eight (robust)||Part Thirteen (viable)|
|Part Four (justifiable)||Part Nine (relevant)||Part Fourteen (substantiated)|
|Part Five (proven)||Part Ten (well-founded)|
An attribute is a quality or feature regarded as a characteristic of something. What we are calling the “15 Validation Attributes” are 15 characteristics that you can use to both validate and strengthen your security program.
Validation Attribute: Successful
- achieving the intended result
The emphasis for the Successful validation attribute is the perspective of ongoing improvement of the organization’s security risk picture (what the current level of risk is with security controls in place).
The primary mission of security is to reduce security risks to an acceptable level, at an acceptable cost.
This is an ongoing activity, not a one-time result to achieve. This is why the definition we are using for success is an action definition: “achieving the intended result” as opposed to “having achieved the intended result”.
The very nature of our ongoing security efforts causes us to be focused on what we are accomplishing and what we still need to accomplish, and so what we have already accomplished tends to fall out of sight.
It can be not only heartening but very helpful, to stop and take a look at what has already been accomplished, and create a simple timeline that documents it. Some practitioners have published the timeline in poster format within the security function. Others have included it in management reports to help provide a perspective on the success-to-date of the security function, or some aspect of it.
That kind of thing helps to validate all the individuals who have contributed, and making sure that the timeline has that effect is one of this attribute’s validation steps.
Performing these simple validation steps below will refresh your memory about what you can say or write, and make you better prepared to articulate the validity of any security program element at a moment’s notice. One practitioner found that the completion of the success timeline was cause to have a celebratory lunch, to acknowledge the efforts of those who spearheaded the various security initiatives.
There can be any number of timeline approaches, and which to choose depends partly on (a) what’s easy to do and (b) what you want the timeline to accomplish. Some practitioners have several success timelines, one for internal consumption to validate the security team, another to share with management, and a third timeline (or set of timelines) to document the accomplishments of the function head (and the functional area leaders). Once you have created a first success timeline, variations on that theme can be done more quickly.
Here are some example success timeline perspectives:
- Security initiatives completed: Various sets of security measures put into place over time
- Risk reductions achieved: Especially good where metrics can be used to quantify the accomplishments
- BC/DR readiness: Divisions, business units, facilities or systems brought up to a particular standard of readiness, especially with regard to business continuity/disaster recovery readiness
- Security Stakeholder Satisfaction: Improvements in the confidence of security stakeholders that their risks are being adequately addressed (requires historical data to be available)
- Risk Councils: Establishment of regional or local risk councils and their accomplishments, either by initiative or by the expanded scope of their focus.
- Security Technologies Implemented: A timeline of security technologies that have been put into place.
Most organizations have a number of security perspectives that can be helpful to document and share in one way or another.
An easy approach is to initially document the timeline information in a simple table in a Microsoft Word® or another document format. Then, you can decide if you want to finalize it in table format by selecting a good-looking format, or whether you want to publish the timeline in some other visual format.
Step 1. Download the Example Physical Security Technology Success Timeline. This is a Microsoft Word document for you to review that provides one example of how a success timeline could look. You don’t have to call it a success timeline, as this example illustrates. You can utilize whatever title best represents the information you are presenting.
Step 2. Select a focus and objective. What will your timeline depict, and how will it be helpful to you, your function, and your organization (it could be one or more). Utilizing a Start Date and End Date helps establish the timeline position, but also conveys the level of effort required (multi-year or 90-day, for example)
Step 3. Set up your timeline table document. Establish the columns that will be appropriate to capture the timeline data. Some example column headings are:
- Start, End, Improvement, Reasons, Outcomes
- Start, End, Initiative, Rationale, Results
- Start, End, Type, Purpose, Results, Participants
What exact data to include will depend upon the types of initiatives or accomplishments that you will be documenting, and who the stakeholders are that will see or use the information.
Step 4. Populate your success timeline data table. Staff can be very helpful in this regard, as they usually have a strong interest in their work, or the work of your security function, being acknowledged.
Step 5. Finalize the format of your success timeline. Sometimes you need two versions, one letter size for email distribution or inclusion in HR files, etc., and another for poster-size printing. It depends upon how you will be using the timeline. One practitioner made an interactive PowerPoint presentation, which she converted into an interactive PDF file, where various timeline data items had a separate slide of its own. That made it possible to list project participants, and details about project results, on separate slides with a link back to the timeline page.
Step 6. Make best use of your success timeline. That includes keeping track of the feedback you get, by documenting the verbal feedback that you receive (including from your staff), and saving any written feedback provided. Have a celebratory lunch if that turns out to be appropriate!
Ray Bernard, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private organizations (www.go-rbcs.com). Mr. Bernard has also provided pivotal strategic and technical advice in the security for more than 29 years. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com). He is also an active member of the ASIS International member councils for Physical Security and IT Security.