Security efforts in most organization focus almost exclusively on protecting the physical assets of the company. As such, security is seen as a standard operating cost to go along with doing business, leading to it being segregated from the rest of the business. To anyone in the security field, the separation of security from the rest of the business leads to numerous complications, not the least of which is obtaining the needed resources to maintain the proper level of security across the enterprise.
In order to properly understand security, the baseline assumptions on the nature of security need to change. Security needs to be seen less as a cost of doing business, and more of a tool to protect the business as a whole and properly enable the business to succeed in the marketplace. To enable the shift in viewpoint, we advocate moving to a model of security we refer to as Security Governance. This type of change needs to involve the whole organization, spearheaded by the executive level.
The Security Governance Model
Security Governance is a framework for corporate security that centers on the ability of the highest levels of a company to take a holistic view of the security components in place at an organization and apply this view to the policies and procedures established within all aspects of the organization to ensure that security is being used to mitigate risk as much as possible. Put simply, Security Governance fully utilizes every security resource within a company and builds security into every process.
Pierre Bourgeix is the VP of Business Development for SecureState. Within the security industry, he spent 12 years as a global security business development consultant, at such global leaders as Tyco, ADT, HySecurity. Bourgeix has years of experience within the physical security arena, and has been involved in developing security governance programs.
For a company to effectively move to a Security Governance model, three main factors need to be considered as part of the security program:
- People: The organization needs to examine what people it has in place, determining their skill levels, how they should report up the chain within the company, if they lack training and what their formal roles and responsibilities are.
- Business Processes: All aspects of the company need to be fully examined and understood, including what processes are in place for onboarding, management, governance, HR, incident management, emergency management, vulnerability/risk management, continuity of operations weapons management, and written procedures.
- Technology: The programs and devices available for use at the company need to be understood, including the security systems in place, the administration of those systems, the technology used for communications security, access control, and video surveillance.
In short, to fully develop the security program, an organization needs to understand who is part of the security program, what they are protecting, and what tools they have for protection.
With all this knowledge, the next step in developing a Security Governance program is aligning it all to create a coherent security program for the whole organization. The stated goals of the organization and the known risks that it faces should guide the entire alignment. All security policies and procedures need to be aligned to support the goals while also mitigating the risks. Specific resources, both people and technology, need to be aligned with each policy and procedure.
The overall goal of Security Governance (and any security program) is the mitigation of risk. Risk can be mitigated using electronic controls, where the security plan is matched with the proper technology to properly protect resources. Mitigation can also require logical controls that maintain security across the entire internal enterprise. Finally, physical controls should be put in place to protect the actual facility and the people therein. A proper Security Governance program designs each of these controls based on the goals of the business and integrates them into all aspects of the company.
Security Governance at the Executive Level
At the executive level, implementing Security Governance can seem like a daunting task, and far too “in the weeds” to get involved in. This is often because the focus of security conversations tends to be on the minute details of implementing specific technologies or hiring specific personnel. However, in working to implement a full Security Governance program, the executive level of a company needs to act as the guides for the entire endeavor, and should work to focus on the bigger picture issues of security, leaving the finer details to trusted personnel.
To get started implementing Security Governance, the executive level needs to consider many different aspects of the overall business. They should being by mapping out the three-to-five year goals for the business, and identifying the processes that are most crucial to achieving these goals, and also to the continual operation of the business. Each of these processes will need to have specific people, locations, and data identified that support the process. Each process should also be examined for how it affects the safety of the organization’s employees or the general public.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply