It does not matter if you run IT security, physical security, safety, or risk; in today’s world, security programs should be a fundamental expression of any proactive business philosophy. This means more than simply dealing with security incidents when they happen. It is a commitment to protect and develop an organization’s assets and to help achieve a business’s objectives. Security begins with identifying all business resources: people, property, assets, services, and information. Only after identifying these assets – and the risks associated with them – can the designing and implementation of a security program that safeguards these investments begin.
Security is everyone’s responsibility, and it is the alignment of the right collaborative mindset with the best tools possible that will create and maintain a safe, secure, and productive environment. The security group will typically lay the foundation for this type of culture, but it is a team effort to sustain it. Building a strong security culture that is pro-active and managing synergies that align with the ultimate goal of risk mitigation is ideal for any organization. Once that foundation is laid out, it must be maintained and be flexible enough to change as the industry changes.
The optimal idea is to have security fit the operation, not the other way round. Using this method allows security to get to know the business on a more intimate level, so security can initiate the appropriate collaborations and offer suggestions to help with daily operations and build the right programs, so if a problem were to arise, the team is equipped to manage it. An organization should be made up of individual leaders and accountability established to pull together any successful program. At the end of the day, we are there to mitigate risk and run a successful business andsecurity has no room for silos.
“Security is everyone’s responsibility and it is the alignment of the right collaborative mindset with the best tools possible that will create and maintain a safe, secure, and productive environment”
To draw a picture around this subject, just imagine an NFL football game, and you are the kicker on the team. Your job and your training revolve around being the best kicker possible so you can support your team in a win. Now imagine that you just kicked the ball, it was received by the opposing team and that player makes it by your entire defensive line, and they are heading to the in-zone. You now are not the kicker, but the defensive back that must tackle the receiver, or they will score on you and your team. Raising your hands and saying you are just a kicker is not the solution. Silos don’t work when it comes to security, for everyone is responsible, and the right security program and tools must be in place to support these needs.
To align the right thought process when implementing the different levels of response, it is important to clarify an understanding of categories that assess risk and the tolerance of that risk. This is a critical step in the overall design of how security supports the company’s mission. Once the areas of risk are identified, there are four approaches that may be adopted to mitigate such risks:
• Accept- Based on an understanding of the probability of impact of the threat, an organization may choose not to employ countermeasures if they are willing to take the risk.
• Allocate- Move responsibility and accountability to a third party insuring against the risk or contracting out the function or activity to move the risk away from the organization.
• Treat- Apply cost-effective and reasonable countermeasures to address the risk.
• Terminate- Apply enough countermeasures to ensure that the risk does not occur.
How risk will impact the business will determine what action, if any, will be taken. With any security program model, the security department assumes the overall leadership of the program, but every employee assumes his or her role in mitigating risk. The basis of a holistic security program is that risks will be identified, effective solutions prescribed, and then implemented according to the segment of the business involved. Each business segment must understand its risks, and security must be committed to providing the solutions to mitigate those risks. There are basic elements that will be incorporated into every program, and it is understood that due to the diversity of the applications, enhancements will be based on need. When controlling risk, some plans or techniques will be injected immediately, while others will be held in reserve, only to be used if necessary. A complete security program addresses the immediate and perceived risks, knowing that preparation is the key to success. The true goal should be to maximize strengths, reduce risks, and educate: (create pro-Active efforts but have re-active capabilities). Security programs should not be complicated, they should be effective and efficient.