The C-Suite’s opinion of the security program can make or break its success. This is especially true in the existing economy where companies are cutting costs in order to stay viable. Current economic times call for security departments to demonstrate value within the organization. Credibility with the CEO is vital to the sustainability of security services within the organization.
Credibility starts with reliable and consistent security services. Basic principles need to be present within the security program in order to maintain reliable, consistent service. This process includes the evaluation of people, policy, procedure and physical security systems, which emphasize layered security (concentric circles) and utilize crime prevention through environmental design, or CPTED. In addition, programming should include the establishment of standards, contain criteria for compliance, use primary source verification, be simple in design and implementation, and be continually updated to meet changes within the organization.
For the past several years, access control and identification issues have not only attracted media attention but also sustained great interest within the security industry. From ex-employees who enter companies and injure workers to outsiders illegally accessing company databases, the control of access and the proper identification and credentialing of employees have become key focal points in the determination of credible security services.
To ensure credibility, reliable and consistent access control and identification programs need to be designed and implemented with a predetermined operational strategy. This strategy should contain an analysis of the program that includes a long-term plan, provides for service improvement, incorporates program competencies, considers contingency plans, and contains regularly scheduled program reviews and updates.
Developing a program strategy which will provide for reliable and consistent service requires the implementation of specific strategic components. The first component to consider is goal analysis. A review should be conducted of the direction or goal on which the program is based. Security can be either a hindrance to job performance or a required process that provides a safe and secure online experience.
So whether creating network security for a corporate IT infrastructure or developing a process to screen new employees, once the goal of the program has been analyzed, the next step is the implementation of a process map. Process mapping breaks down the specific steps within a program so they can be analyzed. The detailed steps and all of the alternate steps would be laid out so that the process could be further analyzed to determine goal alignment, compare it to other processes, look for ways to increase user satisfaction and develop information on contingency planning.
In addition to process mapping, data collection relating to the identified process components should be completed. Once data is collected and analyzed, and users are interviewed, the collected data should be integrated into the program strategy.
The next step in the strategic plan is the consultation with all of the possible program stakeholders to discuss their long-term goals and focus on possible program consolidation and coordination. Using the access card as a cafeteria debit card or combining the identification database with human resources or IT databases would require coordination with these departments. When developing a program strategy, it is important to consider long-term technology migration.
Changes and upgrades to the security protocol require forecasting in order to determine the program growth and the potential risks that may arise in the future. Because technology changes so quickly, the program strategy should look two, five and 10 years into the future and include an assessment of the technology available to the institution. Many times, credibility is lost because an initial technology installation does not meet the requirements of the program when the program grows or changes, and is in need of replacement shortly after the initial installation. Sometimes a cost/benefit analysis could be helpful in the justification of additional monies at the beginning of a project so that additional funds are not required in the future, when costs are higher.
Every strategy should include the continued analysis of data that monitors the quality of program service and its continued improvement. Good service is the key to reliability. The ability to provide consistent, reliable service within any program adds value to the program through higher program compliance. Data should be collected on the service components of the program, highlighting the client or customer needs.
The quick response to user requests for lost passwords directly relates to the users' willingness to continue to use passwords when accessing the system. And again, the simpler the process, the higher program compliance will be.
Contingency planning is probably the single most important component to providing credible security services. The inability to sustain security services during a failure has buried many security programs. Reliability and consistency dictate that the same level of service be maintained when normal processes fail. That is why process mapping is so important to the program strategy. Provisions need to be instituted to provide alternate measures so that the program continually operates at the same level.
To reduce program downtime and further ensure reliability and consistency, regularly scheduled maintenance should be conducted on physical security components. When upgrading systems, it is important to consider the effects of software changes subsequent to upgrades or patches. Even the most minute, routine changes can take a system down for extended periods of time. So maintenance and upgrades to the system should be well planned out prior to implementation.
The implementation of competencies and standards within the program helps maintain consistency and reliability. Competencies relate to the human aspect of any program and are standards set on the behavior and knowledge necessary to complete a specific task.
In addition to competencies, program standards should be implemented. Standards, like competencies, are a measure of performance. They are the established level at which the program is expected to operate.
The corporate environment changes on a daily basis. Many programs are undermined and lose credibility when there are changes within the company which are not addressed by the security department. Access control doors are moved or taken away. Software is upgraded without notification. Constant awareness of environmental or institutional changes is paramount to reliable, consistent security services.