How to Validate
Your Security Program
15 Ways to Rate Your Program
WHY VALIDATE? The top 5 reasons to validate your security program.
Your Security Program Should Be:
#1 – Authoritative
#2 – Defensible
#3 – Qualified
#4 – Justifiable
#5 – Proven
#6 – Well-Supported
#7 – Official
#8 – Robust
#9 – Relevant
#10 – Well-Founded
#11 –Accepted
#12 – Effective
#13 – Viable
#14 – Substantiated
#15 – Successful
By Ray Bernard PSP, CHS-III
An attribute is a quality or feature regarded as a characteristic of something. What we are calling the “15 Validation Attributes” are 15 characteristics that you can use to validate your security program.
Validation Attribute: Accepted
Definition:
- generally believed or recognized to be valid or correct.
- regarded as sound or true.
- received or admitted into an organization or group.
The Accepted attribute has very specific meaning for this validation step. Many of the previous attributes have dealt with aspects of security program validation that result in the first two definitions above. The third definition, as we are applying it, has special meaning:
Accepted refers to a security program that is part of a
very well run department or business unit.
It describes a security function whose senior management has concluded is very well run, not just with regard to security operations, but for all of the business aspects of the security function. This is not a one-dimensional rating.
There are two ways to look at this validation trait. First, it will validate the good things you are doing as a business unit manager. Second, as a way of making your function even more valid in the eyes of management by improving on what's important to them.
Requirements for Being Accepted
What are the requirements that Security has to meet in order to be “accepted” as being as one of the better-run business units in the organization? Typically, there is no such formal requirements list on hand, but it is easy enough to put together. It only takes a small amount of homework to make the list.
The Best-Run Function in the Company
These are two key questions to ask not just senior executives, but also their executive secretaries or administrative assistants (who, due to their roles, sometimes have more insight into the functional areas than the executives do), and divisional heads:
- What is the best run business unit (or division)?
- What are the key factors or business unit traits for your conclusion?
Note that there may be more than just one. For organizations with divisions, also ask the division heads and their assistants.
Answers to these questions can vary quite significantly from company to company. Sometimes it is a lack of problems or troubles in some business units that put them in the “well-run” category. If that's the kind of answer you get, ask for examples of the kinds of problems that don't occur. If you are given specific traits that make the "well-run" units stand out above the others, that's even better.
Below are some examples of business unit traits that have been offered up in answer to the second question above.
- Managing the department’s workload well
- Good resource management and working within budget
- Consistent achievement of business unit goals
- Manage personnel matters well (evidenced by lack of complaints to HR, employees referring new hires, and/or low personnel turnover, no complaints to higher-ups)
- Compliance with company mandates (such as overtime reduction)
- Contributing to organizational objectives
- Good cross-functional collaboration
- Good execution/project management
- High staff morale
- Unit leadership well-prepared for management meetings
- Financial records are in good order
- Good execution/project management
- Well-kept physical spaces
- Good personnel attendance records
- The business unit builds good managers who can lead in other parts of the organization
- Strong participation in community outreach programs
The main point is—what does management think?
How Well-Run is Security?
The whole point of this exercise is to identify functional area traits unrelated to security matters, whose improvement would be helpful to the security function. Such improvements would be important to management and the organization. Think of these as good business practices within the company.
You may find that you are doing well on some of the traits already, and that there are other traits that you could easily improve on. Other improvements may take some work. Based upon importance to management, and value to the Security function, you can prioritize the improvements and make create an appropriate management action plan for them.
Interview the Heads of the "Best-Run" Units
You should find that the business unit heads are more than happy to discuss the traits of their business unit that management has found important. They are usually very open to sharing the stories of their own paths to achievement for these traits. The "lessons-learned" aspect of these discussions can be highly valuable.
Schedule the interviews first with the people you feel most comfortable talking to. Then progress through the list. It can take several weeks or more to complete the interviews, depending upon your schedule and those of the people you need to see.
Time Frame
Depending upon what improvement objectives you have set, and what level of effort is required for them, your time frame for plan implementation could be anywhere from a few months to two years. For plans longer than six months, incorporate “reality check” review points for the plan, and recalibrate if appropriate based upon what you have been learning as you make progress.
Validation Steps
Step 1. Download the Best-Run Business Unit worksheet from www.go-rbcs.com/best-run. This worksheet includes additional guidance for Step 6.
Step 2. Make your list of people to ask. Make a list of the management personnel (and assistants) whom you should ask the key questions:
- What is the best run business unit (or division)?
- What are the key factors or business unit traits for your conclusion?
Step 3. Set Appointments. Check with their Administrative assistants and schedule appointments for your short question sessions. If you can, ask them the questions first. (Regardless of whether or not they have any answers, offer to share the results of your learning exercise. They will appreciate it and it will enhance your rapport with them.) Sharing the questions helps them understand why you only need a 15-minute appointment, and why the appointment is important. You can explain to each executive that you have already been working on security improvements, but now you want to make sure you are identifying opportunities to improve how "Security the business unit" functions as another business unit in the company. If you already engage in dialog with one or more of the executives you will be checking with, you may not need a special appointment. You can include these questions along with whatever regular business that you would be discussing.
Step 4. Document the answers. Take initial notes during your conversations, and type them into a Word® document, expanding your initial notes to include your thoughts about how relevant each trait is to your Security function, how improving that trait would help you or your personnel, and what time frame you think would be required to achieve the improvement.
Step 5. Interview the Business Unit Heads.This step is very enjoyable. Set an appointment for an office or lunch meeting with the head of each business unit that is considered "well-run". When you talk to each business unit head, let him or her know which executives said their function was one of the organization's best-run functional areas (or departments, divisions-as the case may be), and that you have been given the specific reasons why they thought so. Explain that you would like to hear more about the highly regarded traits of their business unit, and what it took to achieve them-vision, briefings, trainings, time-frame, and anything else-that might be helpful for you to understand and apply to improving the running of the Security function. Take good notes during these discussions.
Step 6. Analyze your data. Now that you have collected the business leader data, you need to analyze it to determine which recognized traits are relevant to the Security function, select those you want to achieve, and prioritize them. Use the Best-Run Business Unit worksheet to help you with this task. List the "best-run business unit traits" in the worksheet, and fill out the evaluation points for each one. Specify the order in which you want to apply the traits you have selected to achieve.
Step 7. Create a management action plan based on the information in the Best-Run Business Unit worksheet.
Step 8. Prepare talking points that will help you explain your plan (rationale, purpose and expected outcomes).
Step 9. Obtain any buy-in, approvals and support that you need for implementation.
Step 10. Begin plan execution and report appropriately on your progress.
Step 11. When the execution of the plan is complete, document the results and report them accordingly. Be sure to send thank-you/commendation memos for the personnel who helped and supported the effort to those personnel, their personnel files in HR, and senior management.
Final Note
You can find when you do this step, that your organizational peers and those above you adjust their opinion of you. You are now demonstrating, by taking an innovative action and by the type of thinking that is involved in it, that you are both a security leader and a business leader.
One security director embarked on his action plan, and about half-way through the plan, he was surprised to have the divisional manager above him declare in a management meeting, that he believed the Security Department had become the best run department in the division. This was very unexpected, and very well-deserved.