Created by the Security Executive Council
The following is an abbreviated portion of the Security Executive Council's strategic planning process. The process represents a compilation of methods successfully used at several companies we have collaborated with. Your situation will be unique, so you should modify the process as needed to fit your organization's risk profile, corporate culture and policies.
If you would like to learn more about this process, contact us.
SECURITY PROGRAM LIFE CYCLE
The Security Program Life Cycle is a process whereby security improvements are reviewed on a continuous basis. The following provides a summary of each of the segments in the image:
- Senior Management Input. The cycle begins with a meeting between the security leader, senior executives and business unit leaders. The purpose is to gain insight into the management philosophy, the culture of the business, the long- and short-term objectives, and management’s expectation of security needs.
- Crime Risk Assessment. In order to understand the physical environment in which business will be conducted, it is imperative that a review of crime statistics in the surrounding area be conducted. This is best accomplished by a direct interface with local, state and federal public safety officials. Country assessments may also be considered.
- Peer Company Benchmarking. Because no one company has all the answers, it is a good idea to benchmark with peer companies to determine the successes and failures they have encountered when identifying and applying security solutions. However, recognize that your organization will differ from its peers, so benchmarking gives only a portion of the picture.
- Organizational Security Risk Assessment. This is designed to assess the security posture of the organization; identify risks that impact both the short- and long-term survivability of the organization; and provide cost-effective solutions to reduce or eliminate identified risks.
- Baseline Security. In order to ensure that all operations maintain an acceptable level of protection, minimum security guidelines should be developed. These guidelines ensure that the organization meets an acceptable baseline level of security.
- Enhanced Security. Solutions to security risks beyond the baseline risks should be measured on a scale. The scoring system is used to measure progress toward the implementation of security solutions identified in the security risk assessment.
- Security Systems Design. The results of Baseline Security and Enhanced Security processes provide the foundation for a security plan that is customized for the organization, based on its needs and risks. This security system is designed to reduce risks without impeding business operations.
- Security Program Plan Design. The resulting security plan is a living process that will recycle itself through continued risk assessments and benchmarking efforts. Costs and restrictions that impede the business operation will determine the degree of risk that management is willing to accept.
- Validation Review. To achieve operational excellence, regulatory compliance and civil liability reduction, validation or audits are no longer optional in a professionally run security program. Validation of the controls, notification and the response for programs, systems and mitigation strategies is imperative.