Building comprehensive security programs with little to no budget and little to no staff is a monumental task. But it’s not a “chicken or the egg” scenario. Security leaders tasked with building a security function, raising the profile of security within an organization, or tackling specific risks can implement low-cost, high-impact initiatives that will not only holistically elevate security’s position in the organization, but go a long way in increasing safety and security as well.
Before moving to Amazon Studios where Duncan Turner is Head of Physical Security Operations, Turner spent his career building security and risk mitigation programs at a number of organizations, including Walt Disney Studios, Snapchat and Hulu. At Hulu, Turner had his chance to practice and hone building security risk management programs in a sustainable, scalable way to achieve maximum impact with minimal resources.
The challenge for so many security managers struggling to build their security programs, he says, is that outsourcing is not typically the answer — at least not on a large scale because the cost is so high. And yet, there are so many programs to build, including threat identification, intelligence, investigations, executive protection, business continuity, emergency response, incident management, workplace violence, security awareness and many more. Of course, not all roles and responsibilities are applicable to individual organizations, but the point is — there are many shoes to fill.
Regardless of whether they have no team members or little budget, Turner says there are a number of practical steps and strategies security leaders can start with to build solid security programs.
1. Focus on policies.
One of the low-hanging fruits of building out a security function is focusing on policies: either creating or revamping them. “Policies cost nothing and can be a very high-impact way of introducing security to an organization,” Turner says.
For example, security management can work together with HR and legal to take a look at workplace violence or harassment policies and procedures. Mapping out policies, reporting, responses, and — perhaps most importantly — identifying the necessary stakeholders to be included in development, delegation and response is an inexpensive way for security teams to focus on risks and pain points within the enterprise.
2. Don’t forget training.
While security-related training can have a significant impact on an organization’s response and business continuity and resiliency, training can also be done with very little cost if managers are willing to think outside the box.
“Training is something you don’t necessarily need to outsource,” Turner says. For example, with solid relationships in place, local police departments or public agencies may allow security leaders or their team members to participate in planned annual trainings, such as active shooter or emergency response exercises. Some public agencies have outreach programs for which they do “train the trainer” sessions on particular topics. Security managers can identify and attend a targeted seminar or training session on a particular subject for minimal cost.
In any of these cases, security managers can then bring lessons learned and applicable materials back to their organization to train everyone else.
3. Be judicious with technology.
Technology can be a force multiplier for any security program, but security leaders with small budgets need to do their homework before selling such an investment to leadership. “Though technology may be one of your highest cost items, it can be easy to justify to leadership if you’ve done your homework. Tell them the consequences of not having such a technology,” Turner recommends.
First, security managers should take inventory of any existing technologies and determine whether those can be integrated with new technology, as well as seeing if one solution can be leveraged for additional purposes.
When choosing a technology, security leaders should ensure the solution will be able to expand in the future with minimal replacement costs, Turner says. For example, if the organization is implementing gunshot detection, find out if the solution is easily scalable by adding additional sensors or devices in the future without having to rip and replace an entire system.
In addition, technology placement should be focused and deliberate in order to keep costs down. If the organization can only afford three sensors, for example, focus on those areas with the highest negative impact potential.
4. Build a culture.
Beyond training and policies, having an embedded, strong security culture within an organization is particularly important for small security teams with limited staff. By getting everyone on board and familiar with security initiatives and making it a part of the culture, security leaders will have a much easier time mitigating risk and proving value to the greater organization.
There are a number of strategies for building a security culture with limited resources, but perhaps the most fruitful, according to Turner, is leveraging other people within the organization. He recommends utilizing employees from cross-functional groups to form threat assessment teams or emergency response teams to boost ideas, support and headcount.
He has also turned to departments such as brand awareness, marketing, internal communications and even facilities, utilizing their existing infrastructure, skills and fresh ideas to make security awareness videos, activities and signage.
“Synergy points across the organization are huge for small security teams. If you can leverage those relationships at the right time and execute them in a really effective way, you will make a big impact,” Turner says.