3 Steps for Managing Scope Creep in Security Operations

June 27, 2018

While the specific day-to-day tasks for a Global Security Operations Center (GSOC) may vary from organization to organization, there are typical, core functions that are universally familiar, be it crisis management, travel security or executive protection. Responsibility for the safety, security and well-being of an organization, its assets, people and reputation has widespread institutional impact. With so many eyes on the security team, there is often a delicate balance between ensuring all needs are covered and getting pulled into every issue that arises, even if it falls outside the department’s defined area of responsibility. Security teams must remain focused, or risk giving in to scope creep and being taken off-task.

A baseline process for managing scope creep can be broken down into three steps: start with a plan, support the mission and show your value.

1. Start with a Plan

Leading a team of security professionals requires proper planning, and the more specific the better. It starts with defining a set of core values that guides the team and ensures strategic alignment. Clearly laying out areas of responsibility for the department and its role within the context of the larger organization helps evaluate what lies within and outside of the security job function. Drafting a roadmap that classifies short-, medium- and long-term goals and triages potential issues reduces the tendency to take on additional missions.

Defining this process with and communicating it to internal stakeholders is invaluable for keeping the security team on track. For example, when it comes to travel, some may view the role of security operations as taking action on every global event. However, things like a lost laptop or a fully booked hotel when travelling abroad – while disconcerting for the affected individual – may not meet the threshold of requiring a security versus administrative response on the triage scale, and need to be reassigned elsewhere. In instances like these, delineating the services security operations provides and setting clear expectations avoids misunderstandings and disappointment.

2. Support the Mission

With a plan in place, the focus shifts to identifying the types of tools best suited to supporting the security operation. As technology evolves there are myriad options available, ranging in complexity from video surveillance cameras to artificial intelligence, and it may be tempting to over-purchase and focus solely on the technology. But it is necessary to conduct a thorough evaluation of all available tools to ensure they align strategically with the needs of the department and organization. A proper tech stack works best as an enabler, utilized in support of the core functions and processes the security team has mapped out in advance.

In addition to technology, identifying the staff needs of a security department assures it functions most effectively. Simple headcount numbers are not the only factor to consider. Building a successful security operations team hinges on assembling a group of individuals based on their specific skill sets and how they can collectively best deliver on the predetermined strategy. The needs of the organization drive the composition and organization of the department. For example, graduate-level analysts play a very different role than personnel monitoring security video screens and access control alarms. Being fully and appropriately staffed and supported with technology keeps the security operations team focused on its strategic plan and avoids potential scope creep.

3. Show Your Worth

Security is not typically considered a revenue-generating function. Yet, there is a need to report on the positive return on investment (ROI) a properly run security operation provides an organization. Uncovering hard metrics indicating impact on the bottom line demonstrates the value of the security team and can help build partnerships to create value instead of presenting an area where other groups can try to pile on out-of-scope work. It sets a clear expectation of the quantitative and qualitative value that an sophisticated security organization can provide along with clear metrics to measure and report success.

ROI, along with cost avoidance and risk mitigation savings, can be difficult metrics to verify. But many security teams are increasingly reviewing outside research and partnering with internal financial departments to help the organization create scalable models for demonstrating business value. For example, identifying the cost associated with issues like weather disruptions or workplace violence and matching that up against incidents mitigated by the security team provides actual figures that can be shared broadly. Communicating this information internally builds an environment of partnership and collaboration.

Scope creep is a real risk for security operations departments. But establishing a plan and critical processes at the outset, assembling a supportive staff and tech stack, and creating and reporting metrics that prove the value of the department to the greater organization keeps the department focused on its core value – minimizing the impact of potentially damaging incidents.

Dillon Twombly manages corporate security engagements for Dataminr, a leader in real-time information discovery that transforms the public Twitter stream into actionable alerts about breaking news, real-world events, off-the-radar content and emerging trends, ahead of traditional sources.

Dillon Twombly is Senior Vice President of Corporate Sales at Dataminr, a real-time event notification and social media analytics platform. Dillon was previously Assistant Vice President for Strategy and Planning at MetLife where he helped to build a new Global Corporate Security group across 46 countries. Prior to joining MetLife he worked at a political risk boutique where he helped global multinational corporations and major financial services firms understand and mitigate political and security risks around major transactions. Prior to joining the private sector Dillon served as an Operations Officer with the Central Intelligence Agency where he completed three field tours, including Afghanistan, and focused on counterterrorism. Dillon also has worked as an Analyst at the Office of Naval Intelligence and as an Investment Banking Summer Associate at Houlihan Lokey's Aerospace and Defense Group. Dillon is a Term Member at the Council on Foreign Relations and a founding member of the Ambassador Council at the International Crisis Group. He holds a BA in History from Trinity College in Connecticut, and an MBA in Finance from the University of North Carolina and speaks Turkish.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

3 Steps for Managing Scope Creep in Security Operations

Recent Articles by Dillon Twombly

Send the Right Message: How to Streamline Emergency Communications in the Social Media Era

Brand Security: Maneuvering in the Wild, Wild West (AKA Social Media)

The ROI on Physical Safety and Security

5 Ways Social Media is Changing Corporate Security

Security Magazine

2020 October

3 Steps for Managing Scope Creep in Security Operations

Recent Articles by Dillon Twombly

Related Articles

Report Abusive Comment