There are critical questions that the enterprise security executive team should be asked before preparing to purchase any physical security solution. I have prepared a few for our conversation today:
1. Is your security program mission critical to the success of the organization?
This is one of the most important questions that must be faced, because it will determine where and how to construct or support the value proposition to the board and the corporate executive team. If it is not strategic, then the purchase has no guiding performance measurement that is aligned with the organization.
2. Have you done a risk assessment?
This is a bit tricky. There are standards for conducting a risk, threat and vulnerability assessment, but we believe it is time to expand the focus to the following:
Evaluation of the executive owners of risk. This is the key to a persistent advisory role that results in becoming a trusted consultant to the organization. It also guides the urgency and scope of the work to follow.
Evaluation of the culture of the organization. According to Peter Drucker, the father of management theory, culture can dramatically impact the performance of the organization. Providing an assessment of the executive messaging and conduct, and the culture’s response, will influence how you proceed.
Evaluation of the IT technology standards of the organization. Physical security must be aligned with the long-term direction of this architecture. Our devices and software must eventually be interoperable with the critical applications that IT provisions.
Evaluation of the current security technology architecture. Has the IT department evaluated the security technology for the “-ilities”: availability, reliability, scalability, maintainability, and defensibility? Has security done a user performance analysis that would include how the employees use the technology within a process?
The next generation provider of security risk management services must be able to converge the domains of Enterprise Security Risk Management (ESRM) assessments, strategies and plans, with a firm understanding of the impact of technology, especially in this new sensor-driven world.
Here are four elements that should be core to a security executive’s evaluation of service vendors:
They are a student of your market.
They regularly research technology trends to understand the future.
They regularly assess and benchmark current technology, uncovering what is best-in-class for solutions and markets. This becomes the basis for technology recommendations.
They augment their benchmarks by creating use cases for their clients that create the proof point for developing a technology roadmap.
We have a saying that I believe should be adopted by our clients: “Security is knowing it works.” The operative term in this saying is “knowing.” It is a discipline. It is not easy or cheap. If you are not rigorous in your attention to your business alignment and your program measures of performance, it will come back to haunt you. Spec or data sheets from a technology vendor, or an RFP response, do not meet this standard. Demand a new measure of performance from the next generation of security solution providers.