How to Validate Your Security Program
15 Ways to Rate Your Program
WHY VALIDATE? The top 5 reasons to validate your security program.
Your Security Program Should Be:
#1 – Authoritative
#2 – Defensible
#3 – Qualified
#4 – Justifiable
#5 – Proven
#6 – Well-Supported
#7 – Official
#8 – Robust
#9 – Relevant
#10 – Well-Founded
#11 – Accepted
#12 – Effective
#13 – Viable
#14 – Substantiated
#15 – Successful
By Ray Bernard PSP, CHS-III
Note: This is the thirteenth of a multi-part series that provides 15 important perspectives from which to validate your Security Program. If this is the first article you have seen in this series, please read the WHY VALIDATE? introductory article before launching into the validation steps.
An attribute is a quality or feature regarded as a characteristic of something. What we are calling the “15 Validation Attributes” are 15 characteristics that you can use to validate your security program.
Validation Attribute: Viable
- workable; can be put into practice
- sustainable; able to be maintained
- able to improve, grow, expand, develop, etc.
The emphasis for the Viable validation attribute is first, on the practicability (capability of being put into practice with the available means and resources) and manageability of the security program (the workable aspect); second, on maintaining the integrity of security operations and results (the sustainable aspect); and third, on the security function’s ability to improve in effectiveness and efficiency, and to develop and grow so as to continue to meet the needs of a changing business (the improvability aspect).
Workability, Sustainability and Improvability
To be fully workable means that security measures or controls that are put into place—whether people, process, technology or a combination—remain fully effective without any special or out-of-the-ordinary efforts. It means that the currently available resources have to be fully up to handling the roles and responsibilities, or can be brought up to that point within a reasonable time frame. Once in a while a security measure is implemented that won’t work because it conflicts with business operational needs and activities. Sometimes the conflict is with the local business culture, which can vary from facility to facility, and from department to department.
Sometimes an evaluation of a security department will determine that personnel are not complying with security policies and procedures, or are ineffective in performing their roles and carrying out their responsibilities, and conclude that there are personnel problems—when the related security measures weren’t fully workable from the start for non-personnel reasons. Instead of “correcting” the personnel in such situations, the workability of the security measures must be addressed first, otherwise attempts to “correct” the personnel can easily fail.
To be sustainable means that security results can be maintained without backsliding, which means without losing effectiveness or efficiency. This requires well-documented security program elements and staff who fully understand them. Sustainability also requires that ordinary good business practices be applied within the security function, such as strategic planning, change management, education and training (including cross-training for handling peaks in demand), metrics, audits, reporting and periodic performance reviews. It is common for security training to focus closely on security vulnerabilities and the specific security controls and measures used to address them. Often the need for good business practices to be applied within a security program is not sufficiently emphasized; sometimes security specialists don’t even realize that metrics and audits are business practices applied to security, and are not—strictly speaking—security controls.
Improvability is the ability to grow, expand and develop through guided staff initiative and by leadership at the top of the security function, so as to continue to meet the needs of a changing organization endeavoring to succeed in a changing business environment. Improvability requires that the security program elements are workable and sustainable.
That’s what makes continuous improvement possible; continuous improvement is a common objective many organizations have for their functional areas. Inattention to the workability and the sustainability of the program elements of any functional area is why some continuous improvement initiatives don’t achieve their intended results. The initiatives are launched without first determining if the areas to be improved are already fully workable and sustainable. Where they are not, continuous improvement won’t be workable or sustainable, and will be considered to have “failed”, without anyone realizing that the prerequisites to continuous improvement were not in place, and thus success was not possible.
Like sustainability, improvability requires certain business processes to be in use in addition to risk assessment and risk treatment planning, such as change management, performance monitoring, and corrective/preventive action planning. This is why many companies have found that management systems based upon the plan-do-check-act approach, such as ISO 27001 for an Information Security Management System and ANSI/ASIS ORM.1-2017 for an Organizational Resilience Management System, are so successful—the management systems contain the business practices that are essential for implementing continuous improvement for the designated function.
The Importance of Identifying Business Practices
When the business practices utilized to achieve sustainability and improvability are not identified as business practices, they come across as “instructions”, “requirements” or “training” and “tasks”, and the personnel involved don’t really get the full perspective that helps them manage their own areas of activity, and understand how good business practices fit into the overall scheme of the security program. (Editor’s note: the previous validation attribute, Effective, deals with identifying the best business practices in other functional areas of the organization, and applying appropriate practices to the security program.)
When security program elements are not fully workable and sustainable, the head of security may end up being too involved in problem solving, fire-fighting, dealing with consequences, and performing too many operational tasks to be able to put enough time, thought and effort into his or her proper leadership role. This is one reason why ensuring the workability and sustainability of security program elements is so important.
First Things First
These three aspects of a security program (workability, sustainability and improvability) build one on top of the other. A security program can’t be made sustainable if its program elements are not fully workable. A security function won’t have sufficient improvability if its program elements aren’t sustainable.
Where an element of the security program doesn’t seem to be achieving the intended results, or requires too much attention or effort, it can be extremely helpful to determine which aspect of that element needs attention: workability, sustainability or improvability. That is what the Viable attribute’s validation steps are about.
The starting point for these validation steps is the chart or list of your security program elements.
Step 1. Download the RBCS Security Program Viability Chart. It is a Microsoft Word® document available from this page.
Step 2. List the elements in your security program. In the left hand column of the Security Program Viability Chart, list the names of the security program elements you want to validate.
Step 3. Rate the Workability, Sustainability and Improvability of each element. Choose the appropriate rating using the drop-down list in each of the rating columns: Excellent, Good or Needs Improvement.
Step 4. Note your thoughts about following up on those items that need improvement. You can write a short note in the Follow-Up column, or you can write “See Note A.” and so on, and put the longer notes in the notes section following the chart.
Use the Excellent rating to identify those security program elements that stand above the Good elements in one or more ways. Perhaps the owner of that program element is good at taking initiative. Perhaps you hear good feedback about the results of that element, or the reports from it are accurate and timely and something you can comfortably rely on. It may be that it runs very well without your having to pay much attention to it. Usually there are some distinctions that you can make between Excellent and Good, and helpful insights can often come from analyzing the differences between the two categories.
Most security program elements are highly workable and sustainable. When you validate those that are, and identify those that aren’t, it is easier to focus your leadership efforts where they will be maximally effective in keeping your security program strong, effective, and well-aligned with your organization’s needs. You can also use the chart to validate for management those security program elements that are in great shape, and to indicate where you are focusing some of your improvement efforts. Additionally, performing these steps shows that you are evaluating your security program from multiple perspectives, something management would expect from an individual in a security leadership position.