End security frustrations by using a no-cost tool for advancing your program
When resources are limited, it’s tough to advance your security program as much as you’d like. It’s a big frustration for most security practitioners.
This is where a little-known tool, the micro-assessment, can come to the rescue. (A link to a downloadable template follows later on this page.)
Micro-Assessment: a narrowly focused short assessment that provides support for decision-making and planning.
Micro-assessments are small efforts that quickly provide actionable insight.
The purpose of a micro-assessment is to quickly and easily find out enough to make a decision, set a direction or objective, or perform preliminary or high-level planning.
In any given period of time, usually more things require attention than get attention.
A micro-assessment is a feasible way of quickly giving more things more attention, including getting data you need to make the business case for specific security improvements.
Although managers and security practitioners often perform micro-assessments mentally, without realizing that’s what they’re doing, there are many reasons for defining the process and giving it a name.
Five Reasons Why Micro-Assessments Are Valuable
- Many security programs are not well-enough documented. It is common for security program documentation to be out of date or have gaps. Risk profile visibility lessens as risk data ages. Micro-assessments are a good way to prioritize knowledge capture.
- Business changes can take the business out of alignment with existing security controls. This can be true for both physical and electronic critical assets. Micro-assessments are a good way to perform a gap analysis.
- Downsizing and budget cutbacks, as well as business expansions, increase risks. Yet related assessments are commonly not included in business planning. Micro-assessments can be a quick remedy.
- Delegation is more effective when a specific task framework is provided. A micro-assessment provides a framework for delegating critical inspection and analysis.
- It’s easier to enlist participation from other business managers for a named process. The simple formality of having a name for an important business process gives credibility to the activity and validates the call for collaboration.
What Really Needs Attention?
That’s the $64,000 question! Just finding out what needs attention can be a challenge. Here are a few areas where a micro-assessment can determine what needs attention next:
- Risk Severity: In times of change you need precursors to impending trouble and clear indicators of shifts in risk severity.
- Business Alignment Gaps: Check the alignment of security objectives and planning with corporate strategic planning.
- Business Unit Concerns: Quickly determine what security concerns are most important to middle managers and prioritize them.
- Employee Concerns: These usually cover a variety of items, for example a supervisor’s concern about tailgating into a sensitive area, a night-shift employee’s desire to see more active security patrolling, or the appearance of “shady characters” loitering in the parking structure.
- Security Program Documentation: Determine for each portion of your security program whether documentation is current, needs updating, or is actually non-existent.
- Security Camera Business Value: Provide a video tour in the command center (or bring a laptop) to find out what business managers think about the business value of security camera coverage in the areas they manage.
- Business Insight: What are the most critical business processes of each business unit, and how are they vulnerable?
Sometimes a set of very small micro-assessments is used to assess a range of items so that further action can be prioritized.
Security Risk Metrics
For security management purposes, it can be helpful to consider metrics according to these four categories:
- Risk trends
- Business alignment
Most security functions report measurements, not metrics. Measurements provide no insight into the security picture; they are just raw data. Metrics utilize comparative data to provide valuable insights.
When initiating or expanding a metrics program, a micro-assessment can be used to determine what metrics data is feasible to collect. Data collection should be automatic or require only minimal effort, or it won’t be easily supportable in the long run.
What metrics data has value for security management and planning purposes? What data would be useful for reporting to management on security program elements and risk picture changes? Micro-assessments are great for answering questions like these.
Learn more about metrics and see example metrics on the metrics page.
Example Micro-Assessment Template
The template below can be adjusted as appropriate and used to get started on any micro-assessment. Remember that the purpose of a micro-assessment is to provide insight, not to implement corrections or develop an action plan. Those things come afterwards.
The idea is to carve out a scope that will provide the needed insight and that can be executed with a minimal amount of effort (a few hours to a week at most), at a level of effort appropriate to the value of the information that will be gained.