Can any security program be scaled, regardless of size, number of employees, sector or budget? Chaim Roberts, Founder of Roberts Risk Solutions and Supervising Security Coordinator at the World Trade Center, employed by the Port Authority of New York and New Jersey, believes the answer is a resounding “yes!”

What about small organizations with one security employee or a brand-new security program with little budget or resources?

The answer is still “yes,” but security leaders need to be extremely deliberate about planning and mapping out a clear mission to ensure future scalability.

“Any program is scalable, no matter the size, but the easiest mistake to make is not outlining those goals and objectives. As you scale, you cannot shoot from the hip. Every little piece needs to be put together by sitting down and planning,” Roberts says.

For Roberts’ part, he has a passion for scaling security programs and has been involved in both the research and execution of such programs. During Roberts’ tenure with the Port Authority and the World Trade Center, the organization has grown from one building to an entire campus, including the World Trade Center Transportation Hub, the National September 11th Memorial and Museum, multiple commercial office towers, a yet-to-open performing arts center, and much more.

“The beginning point for any program is the master plan, and you have to design that master plan with scaling in mind — you can never assume a program will stay small,” Roberts says. A master security plan should include what the program and organization are protecting — and that doesn’t only include people or places, but also processes and procedures.

In addition to defining the ultimate mission of the program, security leaders must define what risks or scenarios the organization is defending or protecting against, be it building collapse, intruders, emergency weather events, insider threat, etc.  

The trick to scaling a security program from that master plan is working from the ideological down to the day-to-day minutiae and dictating those markers based on the ultimate goal. “To get to the operational, you have to work from the plan, starting from the biggest concepts and working to the smaller to dictate those baselines and develop those procedures,” Roberts says.

The guidelines will dictate the ongoing developments needed to scale a security program, but the buildout doesn’t have to be designed to only be met by internal resources. Security stakeholders must determine how to meet those guidelines and who is involved, whether that’s the security program manager themselves, additional staff, contractors, electronic security requirements, or a combination.

How can you build a sustainable, scalable security program?

Becoming operational is one thing, but sustainability is another, and that’s where program management must come into play, according to Roberts. Part of the program management piece for any security program is evaluating the long-term efficacy of the people, technology and systems in place needed to meet the goals of the master security plan.

As a security program scales, constantly evaluating what is needed to meet objectives and how those resources are used (whether people, processes or technology) is imperative.

“You must look at what systems are in place, what you need to maintain those systems and what support is needed. This includes management, field operations and maintenance,” Roberts says. Ultimately, all elements of operations need maintenance plans, whether that’s actual maintenance of a system or technology, or continual communication and training for staff and contractors. “It’s a crucial piece to maintaining the effectiveness of the program,” he adds.

How do you know if you are scaling your security program effectively?

If you are meeting the goals of the master plan, you’re doing it right, Roberts says.  

“It doesn’t mean you can’t change things along the way,” Roberts says. “You will, but you must really evaluate the master plan working down to those day-to-day program elements and determine how effective they are before changing them.”

If this all sounds simplified, of course, it is. At the end of the day, security leaders must still deal with limited resources, inadequate budgets and challenges of enterprise-wide buy-in, but these challenges can be overcome in just about any scenario, according to Roberts.

“Cost is the number one consideration that gets put on the table for any security program. Being lean is tough, but that’s why a scalable master plan is essential,” he says.

Security leaders can associate dollars to each baseline, beginning with the most essential and working their way out. Continual reviews will help security leaders identify what’s working, what’s not and what is next on the risk analysis assessment.

“Do I need contract staff at every location? How can I make sure staffing and technology are as efficient as possible?” Roberts asks. “The goal is not just to build a program for the sake of building a program; you have to be conscious of costs and efficacy.”

How do you deal with limited resources?

For security programs with limited resources, scaling a program often gets put on the backburner as security leaders must focus on putting out the proverbial day-to-day fires.

“The beginning is often spent addressing immediate needs and focusing on the actual security response to events rather than touching base frequently with the master plan,” Roberts says. “In fact, not attending to those immediate security issues right away is a mistake — they will take up the predominant amount of time. But it’s important to have an idea of what a scaled program looks like. And, over time, as you plan where you want the program to go and are able to communicate the goals of the plan and elements needed to meet those goals, you will be able to focus on that program oversight.”

Even singular security teams will find ways to grow a program with proper planning, according to Roberts — but the whole process will be made a lot easier if that security leader possesses two important characteristics: versatility and the ability to speak multiple languages.

A security leader versed in security operations, screening, intelligence, information security, budgets and contracts, for example, will make the entire process of scaling a security program more seamless than a leader who is only versed in strategy. “When you have someone with a variety of skills in their wheelhouse, it doesn’t matter how small that program is,” he says. “It’s a very important element that will work to the organization’s advantage. Scaling is very people dependent.”

The other important backbone for scalability is having a leader who can speak the language of security while also speaking the language of business. Roberts says, “If you can articulate your master plan and the people, processes and technologies needed to do that to the stakeholders who will allocate those funds, then you can work toward building that plan whether you have one person or a whole team.”