Most security practitioners don’t get the chance to assess their security programs often enough.
So, to make it easier, I collected together several evaluation approaches that practitioners have found valuable.
They deal with factors determining how easy or hard it is for you to:
- (a) manage the costs and effectiveness of your program
- (b) gain broader and more active support within your organization
These approaches are likely to reveal opportunities for improvement from perspectives you have not considered before.
Here are some reasons for taking a special look at your security program and its parts:
- You inherited the security program from your predecessor, you understand it well enough now, and you want to begin making improvements.
- You’d like to start with immediate improvements that could free up your time and attention so you can then focus more on long term improvements.
- Some program elements need “shoring up”—due to personnel changes or other factors—and you want to restore their effectiveness and stability.
- You’d like to delegate more day-to-day responsibilities and need to figure out where to start.
- Management has requested a number of security improvements, or has expressed a general interest in improvements, and you need to develop a prioritized list to consider.
- In order to prepare an annual budget request that includes security program improvements, you need to identify improvements worth making.
- You’d like to formalize the security program more so that less of the daily activity is ad hoc and more of it is according to plan and established procedure.
- You want to enhance the skills and knowledge of your personnel according to current and future security function needs.
Why Review or Rate Your Security Program?
Over time, the individual elements of a security program tend to drift from what was originally intended, for any number of reasons.
As security responsibilities grow, it can be difficult to make improvements without overloading the existing staff, as well as the head of the security function. When gaps are recognized, or improvements are being considered, it’s important to review not just the people and technology, but also the processes by which security is performed. Without a good handle on security processes, security personnel and security technology are not likely to be as effective for you as they could be. Because all three aspects (people, process and technology) are related, these approaches for evaluation address both the people and the process elements.
- Manageability provides a detailed chart to help assess your program’s manageability. It also helps you see how to get from where you are now to where you want to be, including lightening your own burden and making it easier for your personnel to do more.
- Business Alignment provides a way to rate how closely your program aligns with the business, according to the various stages of security’s focus on, and participation in, the business. It also presents a way to report this status to security stakeholders.
- Security Ladder of Involvement is a way to examine and rate the current status of security stakeholders, and also to set short and long term objectives for their roles in supporting security.
- Relationships and Allies provides a set of questions and a basic chart you can customize for examining the strength and sufficiency of the Security function’s internal organizational relationships and allies.
- The Prioritizing Tool has two purposes. First, you can use it to gain consensus among security stakeholders, be they top-level decision makers or business unit managers whom the Security function supports. Second, it can be used as a basis for exploratory discussions (one-on-one or in a group) to gain additional insight into the thinking of those responsible for the organization’s critical assets and critical processes.