Editor's Note: This article is the first installment of our three-part Security Program Design series from J. Nicole McDargh. Part two is "Strategies for developing an effective security program: Build the right solution" and part three is "Presenting the security program: Win leadership buy-in."


This three-article series will explore what I argue are the three fundamentals that form the bedrock of effective security management principles:

  1. Get Your Facts Right
  2. Build the Right Solution
  3. Present the Program for the Win

In this initial installment, we will delve into the intricacies of the first pillar, Get Your Facts Right, encompassing strategies for data utilization, proper sourcing, critical analysis and rigorous fact-checking.

As security professionals, arming ourselves with accurate information and a discerning mindset is imperative for creating robust security programs that can adapt to the constantly evolving landscape of threats and challenges. However, some challenges and pitfalls can keep us stuck in mediocre programming or lead to embarrassment and back-pedaling. Here are four important steps to take when thinking about the data that should inform security and safety program decision-making.

1. Use data effectively

In a data-driven era, leveraging information to its maximum potential is essential for security management professionals to stay ahead of emerging risks. Effective data utilization entails employing methods to collect comprehensive data from various sources, analyze it holistically and embrace cutting-edge analytics tools. This enables security teams to extract valuable insights that inform proactive decision-making, enhance risk assessments and optimize resource allocation. By utilizing data effectively, security professionals gain a comprehensive understanding of the threats they face, enabling them to develop and implement targeted security measures.

2. Source properly and read beyond the headlines

In an age inundated with an overwhelming amount of information and clickbait, accurately sourcing information becomes paramount for security management professionals. Relying on trusted sources, cross-referencing multiple outlets and delving beyond attention-grabbing headlines are essential practices in the pursuit of reliable information.

Security practitioners should prioritize accessing information from reputable sources such as government agencies, academic institutions, industry associations and trusted news outlets. However, the responsibility for sourcing information does not stop there. It is crucial to engage in critical thinking and conduct further research to verify the credibility of sources. By assessing the qualifications and expertise of authors or organizations, evaluating data collection methods, and scrutinizing potential biases, practitioners can discern the reliability and accuracy of the information at hand.

Reading beyond headlines is equally important. Headlines often serve as teasers, designed to capture attention and generate clicks. It is essential to delve into the full article, report or study to gain a more nuanced and comprehensive understanding of the issue at hand. By avoiding hasty judgements based solely on headlines, security professionals can ensure their decision-making is well-informed and based on substantive knowledge.

3. Actively avoid confirmation bias

Confirmation bias, an inherent cognitive tendency to seek and interpret information that supports existing beliefs, poses a considerable threat to unbiased security management. Recognizing and mitigating the effects of confirmation bias is of utmost importance for security professionals striving to make objective and evidence-based decisions, which will lead to program strategy and design.

One strategy to counter confirmation bias involves actively seeking diverse perspectives. Engaging with individuals who possess different backgrounds, experiences and viewpoints can challenge ingrained notions and shed light on aspects that may have been overlooked. Encouraging team members to express dissenting opinions promotes a culture of critical thinking and prevents groupthink from clouding judgement.

Promoting a culture of critical thinking is another vital step in mitigating confirmation bias. This can be achieved by encouraging rigorous debate, fostering an environment that values constructive criticism, and emphasizing the significance of evidence-based decision-making. Implementing fact-checking protocols and subjecting assumptions and assertions to scrutiny ensures that the decision-making process is grounded in objective analysis rather than personal biases.

4. Fact-check and question everything

In an era where misinformation can spread rapidly and widely, fact-checking becomes an indispensable strategy for maintaining the integrity of security management efforts. Fact-checking involves a process of cross-examining information from multiple reliable sources and engaging subject matter experts to validate data.

Developing fact-checking protocols and establishing a system that promotes collaboration and accountability is crucial. Fact-checking aligns with the age-old adage “trust but verify” — it ensures that the information upon which security decisions are based is trustworthy and accurate. By rigorously examining claims, questioning assumptions and consulting reliable sources, security professionals can detect misleading or false information before it influences critical decisions.

Sometimes incorporating subject matter experts into the fact-checking process may be critical to enhancing the overall accuracy and reliability of information. Experts bring deep knowledge and experience in their field, enabling them to identify common fallacies, discern biases and provide valuable insights that contribute to decision-making. Their involvement adds an additional layer of scrutiny that promotes thoroughness and rigor in the information verification process.

Security professionals have the privilege and responsibility to inform, advise and maybe even build programs which can and will impact people, places and things. Building an excellent program, however, shouldn’t just be left to intuition, gut feelings and experience. In order to ensure that security leaders are well informed and bolstered in their understanding of the problem, they have the responsibility to check under every rock to see if the problem is as they think it is, because it may not be.

Next month, we will dive into some strategies to help security professionals take what they’ve discovered to be the issue, and use it to build a solution that is right based on the threat to, and culture of, their institution.