In Focus: Proactive Security Planning Avoids Fire-Fighting
Jeff Smith, CPP, CDT Security Systems Project Manager, TEECOM Design Group (Jun/Jul 08)
Successful corporate security executives recognize that today's security systems are growing into large, complex systems interfaced with other internal business units' systems (HR, IT, facilities). But in many organizations, especially mid-sized companies, an incident often occurs before security problems are addressed. If security execs want to evolve with their management teams, they must learn proactive planning techniques to avoid reactionary behavior - or "fire-fighting."
The first step in proactive planning is securing buy-in from the "C"-level suite on the importance of security in protecting the assets of the company. Today's successful security projects are always run by a team that includes a member from "C"-level management, IT, security, facilities, and the user. Without input and signoff by this team, the project will face challenges during and after implementation.
How can corporate security executives plan accordingly? Executives should begin by developing a risk/threat assessment matrix that lists potential threats, their probability of occurring, and their cost impacts to the organization. The same common-sense approach is then used to develop short-, medium-, and long-term projects and associated budgets targeted to address the organization's risk with the appropriate amount of resources and urgency. The formal risk assessment process is too often ignored by organizations today, forcing them to expend valuable resources on tasks with little long-term impact. Executives must assign costs, budgets, and timeframes, and analyze cost impact, while planning how to address problems in advance.
If you're planning security management and only address the complex problems that are likely to do the most damage (but have a low probability of occurring), you're ignoring the fact that most problems stem from poorly executed basic security measures. Take the risks from your matrix that have the highest probability of occurring and implement security measures that mitigate them. For example, the simple act of outlining rules in a security policies and procedures manual sets expectations and fosters security awareness throughout the organization. Basic security, if executed well, provides the best protection for the organization by allowing time for planning solutions to complex or unique security issues your organization may face when you are no longer putting out fires.
As security systems grow more complex, it's increasingly important to look for integrated, open security systems that push actionable information to the person monitoring the system wherever business needs dictate. Today's security systems provide great flexibility for operations - for example, changing guard locations based on staff, rotating monitoring stations based on work hours, e-mailing security alerts, and supporting physical and logical access. Nowadays, facilities can provide more security for lower cost by leveraging their existing corporate IT infrastructure. Security is no longer forced to provide a separate network.
Overall, successful security planning involves identifying risks/threats, developing accurate budgets, prioritizing projects, and selecting the correct team members. It's about being proactive and planning out in-depth strategy before problems occur. When you take away the fuel, the fires can't start, and you save the time and hassle of fighting them directly.
Jeff Smith is a senior design engineer and security systems project manager for TEECOM Design Group, an Oakland, California-based engineering firm specializing in providing telecommunications, security, and systems consulting. He can be reached at (510) 337-2800. Visit the company's website at www.teecom.com.