Security program development (SPD) and design is a process that doesn’t happen overnight. Security professionals face a complex environment that requires a dedicated and sustained approach in a constantly evolving landscape. Physical vulnerabilities coupled with those in the “digital domain” have created greater complexity as to how security programs are designed and developed into an operational working model.
In simple terms, a security program has five phases that form the foundation:
- Technology design
- Policies and procedures
- Standard operating procedures (SOPs)
In a typical security program, the director will methodically establish a process and system to provide the organization with a means to train the program, beginning first with exercising policies, procedures and standard operating procedures.
These documents should nest with the purpose of the business and the reason for its existence. Every security director should think about the end state of the security program when they set out to develop or refine it. This is called vision.
How to develop a successful security program
A security program’s vision should trigger an increase in the maturity of the program and allow for all stakeholders to understand exactly how it should function on a day-to-day basis and during special events, which require a different level of exercising the systems in place.
Security programs are linear in planning and cyclical in execution. The goal is to plan, coordinate resources, implement risk mitigation measures, implement technology to support, train staff, rehearse, and, finally, establish a tabletop exercise program. The exercise program is the “icing on the cake” and should have a dedicated rhythm throughout the year that test current policies, procedures and SOPs to assess their value.
As a reminder, all these documents are living documents that may require adjustments as the threat environment evolves and the business model changes. There should be a dedicated proprietary staff teammate that owns the updating process so that continuity can become a norm. Keep this in mind as an additional duty.
Keeping documentation relevant and up to date should be a task that has leadership emphasis for many reasons, not the least of which is meeting the business’s duty of care responsibility to its staff and patrons.
Additionally, exercise or operational testing programs built to support the overall security program must have a dedicated budget and time on the calendar to be freely conducted with complete stakeholder involvement. This includes external stakeholders that will require coordination with external agencies. The importance of solidifying the budget is simply a good business practice and allows for leadership to see the importance.
Lessons learned while planning tabletop exercises
During my Army career, I had the distinct honor to lead all exercise planning, coordination and execution for specific tactical ground units in the United States European theater as they prepared to deploy into various conflict zones around the globe. This was a monumental task that required coordinating across all Department of Defense (DoD) services, contract support elements, coalition partners and the deploying unit.
One of the techniques I used was to establish a series of planning events that led up to the initial tabletop exercise. This exercise set the conditions for a full operational exercise that put all the systems into play against realistic scenarios.
So how can security leaders set conditions for tabletop exercises that support the exercise program and become the bridge to full operational testing of the security program?
First, establish a linear milestone checklist that shows progression to the first tabletop exercise. This is the preliminary step. Some items to include in milestone development are:
- Determine objectives for the exercise. What does the team want to achieve?
- Create a list of realistic and proportional security problems that are unique to the business.
- Determine internal and external stakeholders who should participate in the exercise.
- Establish a model of “hip pocket” training for on-duty staff to accomplish as part of the day-to-day operations. This is a great way to bridge individual security tasks associated with a tabletop exercise.
- Secure time and funding to execute the exercise.
- Review existing documentation to include policies, plans, procedures, emergency operations and crisis response.
- Begin to establish a framework to plan all exercise components, including consideration of a third-party moderator.
- Create an open environment for learning and growth. Underwrite mistakes so that both internal and external stakeholders feel comfortable sharing concerns about areas that may need special emphasis.
Once these initial milestones are envisioned and achieved, they should be assigned to a proprietary security team member that has the additional duty of “Exercise Planner.” This allows the security director to maintain focus on the bigger vision of the security program and oversee the daily operations while keeping leadership informed on progress and requirements for additional support to keep the program viable.
The next step is to design the tabletop exercise to train or test the program. This is done by focusing on a realistic security problem that forms the requirement to exercise the business plans against the scenario.
A good example is the fast evolution of commercial drone technology or the concern of insider threat activity that deals specifically with the protection of intellectual property. A simple framework to get started might look like this:
- Start the exercise plan based on the milestone glide path.
- Determine logistics and administrative needs, such as location, equipment, preparatory material and scenario development.
- Set the exact day and time — a good rule of thumb is to limit tabletop exercises to a maximum of three hours.
- Invite and confirm stakeholder involvement.
- Build the scenario by establishing an initial problem. Create follow-on injects to support further training.
- Come together and set the ground rules for the event.
- Execute the exercise.
- Determine a dedicated note-taker for the event.
- Conduct an after-action review (AAR).
- Produce a report that outlines definitive outcomes and the way ahead.
- Update policies, procedures and emergency/crisis response plans.
- Plan for the next exercise.
Tabletop exercises are a good way to test, evaluate and reevaluate all aspects of a security program. Keep in mind that security program development takes energy and sustained focus.
Threats, vulnerabilities and critical assets are constantly in flux and therefore require a dedicated “exercise program” embedded in the plan to help the security team and overall enterprise deal with long-term viability and business continuity.
Planned tabletop exercises give security leaders the ability to see the program through a different lens and provide adequate time to make changes where needed. Remember, security is linear in planning and cyclical in execution, and execution requires exercise. Let’s keep the conversation going.
This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.