Strategic Planning: Program Life Cycle
By: Security Executive Council
The Security Executive Council (SEC) is the leading research and advisory firm focused on corporate security risk mitigation solutions.
The following is an abbreviated portion of the Security Executive Council's (SEC) strategic planning process that can be used to assist building your security strategic plan. The process represents a compilation of methods successfully used at several companies we have collaborated with. It should be noted that your situation will be unique and, therefore, you should make the needed modifications to make it fit with your organization's risk profile, corporate culture and policies.
SECURITY PROGRAM LIFE CYCLE
The Security Program Life Cycle is a process whereby security improvements are reviewed on a continuous basis. The following provides a summary of each of the segments in the image:
• Senior Management Input. The cycle begins with a meeting between the security leader, senior executives and business unit leaders. The purpose is to gain insight into the management philosophy, the culture of the business, the long and short-term objectives and management’s expectation of security needs.
• Crime Risk Assessment. In order to understand the physical environment in which business will be conducted, it is imperative that a review of crime statistics in the surrounding area be conducted. This is best accomplished by a direct interface with local, state and federal public safety officials. Country assessments may also be considered.
• Peer Company Benchmarking. Because no one company has all the answers to security issues, it is a good idea to benchmark with peer companies to determine the successes and failures they have encountered when identifying and applying security solutions. However, recognize that your organization will be unique to your peers so benchmarking gives only a portion of the picture.
• Organizational Security Risk Assessment. This is designed to assess the security posture at the organization; identify risks that impact both the short and long term survivability of the organization; and provide cost-effective solutions to reduce or eliminate identified risks.
• Baseline Security. In order to ensure that all operations maintain an acceptable level of protection, minimum-security guidelines should be developed. These guidelines ensure that the organization meets an acceptable baseline level of security.
• Enhanced Security. Solutions to security risks beyond the baseline risks should be measured on a scale. The scoring system is used to measure progress toward the implementation of security solutions identified in the security risk assessment.
• Security Systems Design. The results of Baseline Security and Enhanced Security processes provide the foundation for a security plan that is customized for the organization, based on its needs and risks. This security system is designed to reduce risks without impeding business operations.
• Security Program Plan Design. The resulting security plan is a living process that will recycle itself through continued risk assessments and benchmarking efforts. Costs and restrictions that impede the business operation will determine the degree of risk that management is willing to accept.
• Validation Review. To achieve operational excellence - regulatory compliance and civil liability reduction validation or audits - are no longer optional in a professionally run security program. The need to validate the controls, notification and the response for programs, systems and mitigations strategies is imperative.
A PDF file of this article is available below.
If you would like to learn more about this process, contact us at: firstname.lastname@example.org.
Copyright Security Executive Council. Last Updated: November 22, 2016.