First, let’s define what the SEC means by security program and security services.
Security Services: Day-to-day activities that employees or contractors deliver to customers in support of security risk mitigation. For example, issuance of ID badges for employees; pre-hire background checks; conducting interviews as part of a fraud investigation, are all risk mitigation services.
Security Programs: Designed and aligned with the organization’s security risks and executive management’s risk appetite. Goal-driven and comprised of the necessary security services that will achieve the desired results of the security program’s risk reduction (e.g., business continuity, investigations, personnel protection).
Granted, there is a huge variation on what a program is or how it is defined in different organizations. But sometimes people confuse a set of ad hoc services that have evolved over time with a comprehensive security program.
Do you really have a security program and are you managing program results?
If you answered yes to these (or most of them), you have a security program. If you mostly answered no, you are an ad hoc service provider. The issue with this for a security leader is, well, a lack of the “leader” component. You are expected to perform certain service as requested by the organization. Comparatively, a security program manager is expected to identify risks and mitigate them. He or she helps define the security requirements and the “best” mitigation plans.
Leading and managing a security program also requires communication and demonstrating the breath of the program; how effective is it; what kind of results is it providing? Ultimately, what is the business value to the organization? You may also want to provide a service directory that demonstrates what the security department does day-in and day-out. At the end of the day, security leaders need to ask themselves: Do I want to be a service provider – or a program manager?
Answer provided by Bob Hayes, Security Executive Council Managing Director.