Evaluating Your Security Program
Many security managers are so caught up in their daily jobs that they sometimes lose track of exactly what the purpose of their company’s security program is.
Security Operations Assessment
Many security programs have simply been “pieced together” over time, with new security procedures often added to address specific security problems that have occurred over the years.
In many cases, the security manager has inherited a security program that was designed by his or her predecessor, and may not know why many of the security procedures being followed were instituted in the first place.
At least once a year, the security manager should pause and objectively reevaluate the company security program. Some of the questions to be asked include:
- What company assets (people, property, information) are the most important to protect?
- What are our greatest threats?
- Who are our most likely attackers?
- What would be our “worst nightmare”?
- What do senior management and our employees expect from the security program?
- If our security program could accomplish only one thing, what would it be?
- What are the limitations of our present security program? Are these limitations understood by employees and management?
- Does our security program focus on protecting our most important assets?
- Are our security procedures and systems responsive to the current level of risk faced by the company?
- How can the present security program be improved?
Security Risk Assessment
If it has been a long time since a complete evaluation of the security program has been conducted, it is often helpful to conduct a formal “security assessment”. The “security assessment” is a structured process for analyzing a company’s security program.
Although the security assessment can be conducted by the security manager, it is often beneficial to use an outside security consultant to conduct the security assessment. A qualified security consultant has extensive experience in conducting security assessments and can offer an unbiased outside opinion.
Often, senior management will be more inclined to implement recommendations made by an outside consultant than they would be to implement recommendations made by the security manager.
A formal security assessment should be conducted at least once every three years. Other times when a security assessment should be considered are:
- When major facility renovations are being considered.
- When a new facility is being designed.
- When the company is planning a significant increase in the work force.
- When the company is entering a new line of business.
- When the organization is about to go through downsizing or restructuring.
- After a significant security incident or major loss has occurred.
For more information, please see Security Assessments.