Don’t Reinvent the Wheel
One essential trick: Don’t reinvent thewheel. Don’t start a policy, program or department from scratch when it isn’t necessary.
Let’s first make clear that sometimes it is necessary to build from the ground up. Consult or conduct a thorough risk assessment of the organization to know or discover how the security program fits into the business. Examine security’s mission and vision statements, or develop them if none exist. Consider or learn the organization’s culture, goals, and business philosophy, and find security’s place within it. Be familiar with the existing security guidelines, policies, processes and programs and understand how they’re perceived by the organization; measure them to determine their effectiveness; demonstrate how they are or are not adding value to the business.
If policy or guideline creation is the goal, there is a surprising breadth of material out there that can serve as a foundation for your efforts, including policy templates, guidelines and open-source presentations.
We’ve compiled a list – representative, but not comprehensive – of websites and organizations that offer downloadable policy templates, assessment materials, standards and guidelines on a variety of security-related subjects, including information protection, crisis management and business continuity, risk assessment, overseas operations and travel, physical security and premises protection. Visit https://www.
securityexecutivecouncil.com/savetime for the complete list.
Resources like these can save you time, but it’s important to use them with discretion. Only use open-source documents from sources you have good reason to trust. Check the date to ensure the document hasn’t been rendered obsolete by subsequent events. Generic, open-source documents should not be plugged into any program without modification.
“You need to go through a process both to determine what guidelines and templates you intend to use and to build them into your organization,” says Bob Hayes, managing director of the Security Executive Council and former CSO at Georgia Pacific.
“So there’s a vetting process you have to go through to make sure you choose guidance that’s going to work in our situation. And then you need to consider input from those other groups to help you customize the guidance or templates you choose. No product is going to work for everyone all the time. If the policy or guideline is going to touch a lot of employees, the collaborative portion of the process is even more important." important.”
Learn from Those Who’ve Been There
Benchmarking among a few peer companies is another way to save time. Learning from others’ experiences can help you avoid common missteps. It can also help you see how others are dealing with emerging threats, or why other programs have gained support for types of initiatives that have foundered in your company. It can help you see how other organizations are complying with security-related regulations.
“There are several ways we can get benchmarks,” says Derek Benz, CSO, Performance Materials and Technologies for Honeywell. “We can work with organizations like the Security Executive Council, or the Corporate Executive Board Company’s Information Risk Executive Council. We also have a network of friends and peers with whom, if we have any challenges, and they’ve already solved them, I’ll set up some time and go out to their office to talk about the issue.”
Participation can provide benchmarks that draw from a large pool of data to provide a broad and reliable picture of what other organizations are doing. This can help to target security’s efforts.
While less formal benchmarking doesn’t always amount to the discovery of best practices, it’s certainly well worth the effort. Even within single industry segments, security functions and corporate goals are so unique from company to company that it may be hard to find peers whose programs would provide an appropriate comparison. Peer-to-peer benchmarking also requires faith that your peers will not disclose any details you provide them. “If we share any information it’s highly sanitized,” Benz continues, “but there’s no doubt about it that a weakness in one company can also be a weakness in another. We’re interconnected, and it behooves all of us to bring ourselves up a level as an industry. The rising tide lifts
Build a Staff You Can Count On
Micromanagement is a stealthy but notorious time thief. If you feel like you have to have your hands in everything to ensure it’s done right, you are wasting precious hours every day, and you’re limiting your ability to do your own job.
A tendency to micromanage may sprout from a naturally controlling or anxious personality. If you’ve done your best to surround yourself with talented people and you’re still trying to do their jobs for them, the problem lies with you.
If, instead, you micromanage because you know from experience that when you leave tasks to your staff they are regularly done incompletely or incorrectly – the problem still lies with you. You may need to make some tough staffing decisions, or you may need to find a way to provide the existing staff more engagement, more opportunities to learn and grow.
Honeywell, says Benz, has created a Career Paths Group to answer questions like “How do you retain people? What are the qualities of our critical people, and how can we make sure we have a career path for them here? How do we attract the best and the brightest?” The group is involved in recruiting and hiring as well as retention and promotion, and they work to ensure that quality staff and potential leaders are shown how much the organization values them.
When you have the opportunity to create your team from the ground up, you’re at an advantage. Consider more than certifications and experience during the hiring process; try to determine whether prospects have the character traits that would lead them to strong performance and fit well into your corporate culture and team. These traits may include a willingness to collaborate, inquisitiveness, flexibility or an observant nature.
If you’re working with an existing security team, it may be beneficial to sit down and carefully examine the qualities and skills of each team member. Identify their greatest strengths and weaknesses and see how you can shift their responsibilities, placement or focus to maximize their potential. Think about what training and development opportunities you can offer them to build their skills and confidence. This is a time-intensive process, but time spent on the front end can save you much more time over the long term, and it may also reduce turnover and increase the effectiveness of your function.
When the security leader can steal time from low-level or labor-intensive tasks, he or she can fill that time in dealing with strategic or horizon issues, things that can enhance protection efforts and give the business a competitive edge. A small time investment in staff development, benchmarking and finding basic policy or guidelines documents can pay off in spades in the long run.