Excerpt: What Should Your Security Strategies Be?

Before you begin the process of defining or redefining the security organization’s strategies, you must first gain an understanding of the strategies of their business. You do this by interviewing the appropriate executives of the company: the CFO, COO, and so on. You need to know for the next five years:

” What growth do they anticipate?” Do they expect any product or service changes?” Is the expansion or reduction limited to the existing facilities or will new ones be added?” Do they expect any overseas expansions or mergers?” Are there any major layoffs or outsourcing activities planned?

Some of this information will be considered to be highly confidential, especially any mergers or layoff activity, but you need to understand these directional moves if you are to plan how they will deal with them from a security standpoint. It is not necessary for you to know all of the details; for example, you do not need to know who they plan to merge with or who they plan to outsource work to; however, you will need to know what countries are involved if your client will have any stake or ownership in the relationship. If the person performing this master plan activity is an outside consultant, the executives may prefer to only share this information with the in-house director of security or chief security officer. If there is no in-house staff, the consultant will need to discover as much of this information as possible and may need to sign a confidential disclosure agreement (CDA). (I believe a CDA should always be part of the contract with the consultant.)

The security organization’s strategies deal with all aspects of the program from policies and procedures to technology and staffing. Their strategies should be documented so that they reflect where they are now and where they are going. You have probably heard this before but I believe strongly in the saying, “If you don’t know where you are going, you won’t like where you are when you arrive!” In order to implement new security strategies, CSOs or directors of security should first address the process of change. They would prefer that everything just stay as it is. So the question the CSOs should be asking of themselves is this: “Is change a friend or foe?” The answer to this question is really quite simple: “It’s up to them!” Change is a topic that is discussed continuously in the business world. But, as the adage says, “Talk is cheap!”

As an example of implementing change I would cite the most dramatic project that I have undertaken in my career. If you have not personally been involved in a major change effort, then perhaps my experience can help you to understand the complexities of this effort. As a part of the reengineering effort in IBM, we reorganized the internal security operation in September of 1994. We took the security professionals who were managed site by site by non-security personnel and brought them into one single structure, managed by security professionals. However, this did not in and of itself make change happen. What it did do, was to provide the opportunity for constructive, consistent, and rapid change.

Over the next two years we reduced costs by approximately 30 percent, we increased customer satisfaction to 94 percent, and we significantly increased our own security employees’ morale. In September of 1997, I was awarded the Security Director of the Year recognition by Access Control & System Integration magazine. As people passed on their congratulations to me, I explained that I take credit for one thing primarily, and that is creating the environment where “change” is a “friendly” activity. The accomplishments of our organization are directly attributed to our own people embracing the concept of change and making it happen.

So exactly what did we do to create this environment? Basically, wedid three things:

” First, we implemented the use of project teams on as many different aspects of our security business as we could think of. These teams had two goals to accomplish: find the best internal or external practice for the specific area they are looking at and—even more important—increase open communications across the organization.” Second, we implemented a measurement program to find the defects in our processes. To make this successful, I declared this to be a “no fault” measurement program. The primary “failure” in this program would be if you did not find problems. The secondary failure would be if we did not fix the problem.” Third, we launched a massive campaign to do national contracts and centralized systems to eliminate as many redundancies and inefficiencies as possible. All of this combined translated into massive change for our people and our strategies in the way we implemented security.

We knew that the only way we could be successful was for our people to see this as something that would be good for them, each and every one of them—personally. To make this happen we first had to convince them that change was absolutely necessary to the survival of IBM and our jobs. You might think this would be obvious to all of us considering our company’s financial performance over the early 1990s, but some people have a way of convincing themselves that they are not part of the problem. Therefore, what we had to do was to convince them that change had to happen and we had two choices:

• Deny the need, resist the change, and FAIL, or
• Embrace the need to change and DRIVE that change!

If we, the security professionals, truly and fully accepted this, we had the power to decide our future! If we did not drive change in our organization, someone else would and we would have much less control over the outcome.

One of the primary tools that we provided to our project teams to do their analysis was the implementation of an internal benchmarking program followed up with a detailed resource and task analysis program. After implementing many of the changes and realizing the benefits of those changes, we then launched an external benchmarking effort. This data demonstrated that we were significantly more cost competitive than any of the other companies we compared with.

As any good business manager can tell you, the best resources of any company are its employees. I personally believe that this group of security professionals is the Best of the Best, but I acknowledge that I might be slightly biased on this point; however, the proof is in the results! It is important to remember that change is not something that you do and it is done. Instead, it is an ongoing process that must be continually driven from senior management down through the organization and by the employees up through the company. This is why it is essential that you create the right environment for change to flourish. A critical part of that environment is your own attitude! Your employees will know very quickly if you are just giving “lip service” to this process or if you are serious. Just as the scenery changes as you travel down a road, your business and even you and your employees must be in a continuum of change. If you are, you will not just succeed, but you will have ongoing success! It is this environment that makes it very important that you have documented, long-term strategies and that you reevaluate those strategies on a regular basis. After all, that is the map you will be using for your trip.

So, what are your client’s strategies? As I said earlier, they should cover all aspects of their programs. It would be very difficult for me to suggest any generic strategies because there are many variations depending on the business they are in. As you develop them, you should utilize the functional team, “the stakeholders” that I spoke about earlier, to assist. Here are some examples of the areas that should be addressed:

Policies

• Education and awareness programs.
• Badge wearing.
• Clean desk policy.
• Visitor and contractor controls.
• Employee involvement and responsibilities.
• When and how to have armed off-duty police officers onsite.

Investigations

• Use of hidden cameras along with determining who should be involved in the decision to use them.
• Use of a polygraph for interrogations.
• Whether or not to prosecute employees or others when a crime has been committed (even a minor crime).

Technology

Staffing

As you go through the process of helping them in documenting their strategies they will find that they are already following several strategic lines; they just may not have documented all of them before. A good example of this is the use of unarmed security officers. I personally do not like to have armed security people onsite except in rare applications such as a nuclear plant or a top secret installation. Obviously, many CSOs or directors of security feel the same way because the majority of businesses in the United States use unarmed officers. However:

• How many of these security managers or businesses have documented that decision to demonstrate it was a well-conceived strategic decision?
• Was executive management involved in or at least apprised of the reasoning for this decision?
• If a workplace violence shooting were to occur onsite, would they be prepared to defend their decision of unarmed officers in court?

Having these strategies well documented can be invaluable in situations of litigation or even when a decision about an unusual situation has to be made in a timely manner. Their documented strategies should always be their guide. ##

Timothy Giles worked at IBM for 31 years, serving as Director of Security. The book is available directly from the publisher’s site at CRC Press or on Amazon.com at How to Develop and Implement a Security Master Plan.