
Education & Training

The essential pieces for measuring security program maturity

Governance, culture and technology enable security teams to measure their effectiveness and better assess risk.

By Rebecca Sherouse, Contributing Writer

July 13, 2023

There are many ways to measure the maturity of a security program. Whether a security leader conducts routine internal reviews or an external stakeholder conducts an assessment of a program, it is important to always keep in mind that the scope and functions of a program are largely dependent on the priorities and needs of the business it is supporting.

While no two security programs are the same, security operations take into account end-to-end risk management processes. Risk, as it’s used here, means the likelihood and impact of a threat event occurring. In simple terms, a mature security program should be able to effectively identify, assess and mitigate risks posed to company assets in a timely manner.


1. Identify

The first step in the risk management lifecycle is to identify a direct or indirect threat posed to the organization the security function is protecting. To do so, the security function needs to have a clearly documented and approved threat register that outlines the scope of threats that the business is hoping to mitigate against. These can be obvious threats like violence against employees and/or industry-specific threats like toxins entering a water source or pilfering of expensive engineering equipment.

Once a program has a clearly defined scope, it can begin to build out the various avenues leveraged to monitor for and identify threats. Examples of these tools include, but are not limited to, accessible employee hotlines, proactive threat monitoring via intelligence platforms, keyword and social media monitoring, tailored threat identification training for Human Resources representatives, and well-established relationships with local law enforcement and intelligence agencies.


2. Assess

Security leaders are continuously assessing a wide range of threats, large and small, posed to an organization. Once a security program is able to effectively identify threats, it is imperative that the security team has the ability to assess the likelihood and impact of those threats occurring in a timely, effective manner. This assessment process is the key to developing sound and risk-based recommendations for leadership on how to manage threats posed to the business.

To properly assess the impact of a threat, security professionals should be equipped with the tools to analyze the intent and capability of a threat actor and to determine the effectiveness of the controls in place to mitigate against those threats, the consequence of a threat event occurring, and the recoverability mechanisms in place to respond to an incident should it occur.

In short, a mature security function should be able to answer the following questions when assessing a threat:

  • How likely is it that an indirect or direct threat will occur?
  • If it does occur, do we have the controls in place to prevent it?
  • If not, what is the impact of that event occurring?


3. Mitigate

Once a security team is able to assess the risks posed to an organization, the next step is to mitigate against those risks. In traditional risk management, an organization will consider one of the four T’s: Tolerate, Transfer, Treat or Terminate. Security professionals should have the know-how, support and resources to deploy a risk mitigation strategy quickly and efficiently so as to decrease residual risk to a palatable level.

In some cases, mitigation of a threat may mean simply assigning additional roving guards to a perimeter access point, while in other cases it may mean evacuating a building or ceasing business operations in a particular market. We can think of mitigation tactics as levers a business can pull to decrease the likelihood of a threat event impacting their people, operations and reputation.


What’s needed: Security program tools

To maintain all of the above capabilities, a mature security program will require a variety of important foundational tools to operate effectively and efficiently. In particular, a security organization looking to develop or maintain a mature program should aim to equip operators with robust program governance, a top-down security culture supported by senior leadership, and the tools and technology to enhance day-to-day program operations.


Governance

Put simply, governance is the documentation through which security organizations apply structure and direction to their operations in a formal way. Governance suites include policies, frameworks, standards, procedures and templates that define and enable the operating requirements for running a security function. Beyond streamlining security operations, a governance suite is critical to ensure security functions have key risk controls in place to meet legal and regulatory obligations.


Culture

The security culture of an organization is defined as the ideas, customs and social behaviors of a group that influence its security. Security organizations often rely on non-security stakeholders to identify and report threats, conduct routine security activities like site assessments and visitor management activities, and engage cross-functionally to manage complex incidents as they occur.

Mature security programs make active and consistent efforts to increase security awareness through internal security campaigns and to train employees on positive security behaviors while conducting day-to-day business related activities. With a well-established and constantly evolving security culture, security teams can count on vigilant employees to enhance enterprise security and act as an additional line of defense instead of inadvertently increasing or exposing easily exploited vulnerabilities.


Tools and technology

Finally, without effective tools and technology, security practitioners are limited in their ability to maintain any of the risk-management pillars mentioned above. When considering the appropriate tools and technology to support a mature security function, it is important to revisit the scope of the program and tailor solutions to address the most notable security exposures first.

When possible, leaders should ideally target technology solutions that touch on more than one of the tenets mentioned above. Additionally, while complex, highly intricate solutions may seem attractive, it is important not to overlook tools that are easy to use, provide effective workflow management and day-to-day program support, and that integrate or replace existing tools and infrastructure.

Tools that can automate some of the identification, management and mitigation of security threats allow practitioners to focus on complex problem solving instead of getting overly bogged down in repeatable tasks.

Taking a holistic approach to security program measurement and implementing the necessary foundational tools to identify, assess and mitigate risk can provide security leadership with the information they need to make better decisions about the health of the organization.

KEYWORDS: risk assessment risk management program risk mitigation security culture security program evaluation


Rebecca Sherouse is the Director of Account Management and Security Advisory at HiveWatch, where she is focused on providing end-to-end lifecycle account management support to users. Previously, Sherouse was a Director of Security Risk Consulting at Control Risks, a leading global security consulting firm. She is particularly interested in the development of technology-led security functions, with an eye towards quantitative risk modeling and data-enabled security solutions.
