3 Steps for Managing Scope Creep in Security Operations

June 27, 2018

While the specific day-to-day tasks for a Global Security Operations Center (GSOC) may vary from organization to organization, there are typical, core functions that are universally familiar, be it crisis management, travel security or executive protection. Responsibility for the safety, security and well-being of an organization, its assets, people and reputation has widespread institutional impact. With so many eyes on the security team, there is often a delicate balance between ensuring all needs are covered and getting pulled into every issue that arises, even if it falls outside the department’s defined area of responsibility. Security teams must remain focused, or risk giving in to scope creep and being taken off-task.

A baseline process for managing scope creep can be broken down into three steps: start with a plan, support the mission and show your value.

1. Start with a Plan

Leading a team of security professionals requires proper planning, and the more specific the better. It starts with defining a set of core values that guides the team and ensures strategic alignment. Clearly laying out areas of responsibility for the department and its role within the context of the larger organization helps evaluate what lies within and outside of the security job function. Drafting a roadmap that classifies short-, medium- and long-term goals and triages potential issues reduces the tendency to take on additional missions.

Defining this process with and communicating it to internal stakeholders is invaluable for keeping the security team on track. For example, when it comes to travel, some may view the role of security operations as taking action on every global event. However, things like a lost laptop or a fully booked hotel when travelling abroad – while disconcerting for the affected individual – may not meet the threshold of requiring a security versus administrative response on the triage scale, and need to be reassigned elsewhere. In instances like these, delineating the services security operations provides and setting clear expectations avoids misunderstandings and disappointment.

2. Support the Mission

With a plan in place, the focus shifts to identifying the types of tools best suited to supporting the security operation. As technology evolves there are myriad options available, ranging in complexity from video surveillance cameras to artificial intelligence, and it may be tempting to over-purchase and focus solely on the technology. But it is necessary to conduct a thorough evaluation of all available tools to ensure they align strategically with the needs of the department and organization. A proper tech stack works best as an enabler, utilized in support of the core functions and processes the security team has mapped out in advance.

In addition to technology, identifying the staff needs of a security department assures it functions most effectively. Simple headcount numbers are not the only factor to consider. Building a successful security operations team hinges on assembling a group of individuals based on their specific skill sets and how they can collectively best deliver on the predetermined strategy. The needs of the organization drive the composition and organization of the department. For example, graduate-level analysts play a very different role than personnel monitoring security video screens and access control alarms. Being fully and appropriately staffed and supported with technology keeps the security operations team focused on its strategic plan and avoids potential scope creep.

3. Show Your Worth

Security is not typically considered a revenue-generating function. Yet, there is a need to report on the positive return on investment (ROI) a properly run security operation provides an organization. Uncovering hard metrics indicating impact on the bottom line demonstrates the value of the security team and can help build partnerships to create value instead of presenting an area where other groups can try to pile on out-of-scope work. It sets a clear expectation of the quantitative and qualitative value that an sophisticated security organization can provide along with clear metrics to measure and report success.

ROI, along with cost avoidance and risk mitigation savings, can be difficult metrics to verify. But many security teams are increasingly reviewing outside research and partnering with internal financial departments to help the organization create scalable models for demonstrating business value. For example, identifying the cost associated with issues like weather disruptions or workplace violence and matching that up against incidents mitigated by the security team provides actual figures that can be shared broadly. Communicating this information internally builds an environment of partnership and collaboration.

Scope creep is a real risk for security operations departments. But establishing a plan and critical processes at the outset, assembling a supportive staff and tech stack, and creating and reporting metrics that prove the value of the department to the greater organization keeps the department focused on its core value – minimizing the impact of potentially damaging incidents.

Send the Right Message: How to Streamline Emergency Communications in the Social Media Era

Brand Security: Maneuvering in the Wild, Wild West (AKA Social Media)

The ROI on Physical Safety and Security

5 Ways Social Media is Changing Corporate Security

Dillon Twombly manages corporate security engagements for Dataminr, a leader in real-time information discovery that transforms the public Twitter stream into actionable alerts about breaking news, real-world events, off-the-radar content and emerging trends, ahead of traditional sources.

Dillon Twombly is Senior Vice President of Corporate Sales at Dataminr, a real-time event notification and social media analytics platform. Dillon was previously Assistant Vice President for Strategy and Planning at MetLife where he helped to build a new Global Corporate Security group across 46 countries. Prior to joining MetLife he worked at a political risk boutique where he helped global multinational corporations and major financial services firms understand and mitigate political and security risks around major transactions. Prior to joining the private sector Dillon served as an Operations Officer with the Central Intelligence Agency where he completed three field tours, including Afghanistan, and focused on counterterrorism. Dillon also has worked as an Analyst at the Office of Naval Intelligence and as an Investment Banking Summer Associate at Houlihan Lokey's Aerospace and Defense Group. Dillon is a Term Member at the Council on Foreign Relations and a founding member of the Ambassador Council at the International Crisis Group. He holds a BA in History from Trinity College in Connecticut, and an MBA in Finance from the University of North Carolina and speaks Turkish.

You must login or register in order to post a comment.

In this webinar, we will outline the Security Growth Curve, which provides you with the context of the different levels of maturity to effectively assess where you are relative to the industry in terms of value and maturity. If you are trying to improve your financing with your current provider, looking to expand into new markets or new products, keep key employees, or looking to take some money off the table, you should invest 50 minutes of your valuable time.

A critical event is defined as an incident that disrupts normal operations, such as severe weather, crime, violence and critical equipment or technology failures. Business continuity and crisis response plans can only go so far if there isn't buy-in across functions, with executive-level support.