By Resolver Modified October 18, 2019
This article is the last in a four-part series as a follow up to our sponsored webinar in partnership with ASIS titled “How to Prove the Value of Corporate Security Investments”. Tim McCreight contributed to this article. Read Part 1. Read Part 2. Read Part 3.
Forward-thinking organizations with mature risk programs are starting to engage corporate security earlier in their project or program planning to ensure that they’re mitigating risk and capturing potential opportunities. As this occurs and you expand your role and influence within the organization, there are a couple of considerations to keep in mind as you develop an enterprise security risk management program.
A common problem that many organizations share is that their security programs are not properly linked to an enterprise risk management (ERM) strategy. Risk managers are sometimes so buried and siloed in their own work that a common misconception takes hold: that the security team starts and ends with a security guard. They do not realize that the security team can build an entire security risk-based program. As security professionals, you need to be proactive about getting in front of the people responsible for the ERM program at your organization, finding common ground, and collaborating with them to determine whether any identified risk has a security angle that can be explored.
When an organization starts to think about the security aspects of business risk decisions, it can create a cultural change that is sometimes uncomfortable, and employees may be resistant to new security practices. Your security team will need to run an awareness campaign that explains the new security processes, what it means to be a risk-based company, and what it means for employees to start accepting, and mitigating, risks at all levels of the organization.
Sometimes it’s not the executive team that you need to convince to get your security program off the ground – it’s employees in other departments. Consider the risks that these departments may face and determine if there is a way that your new security program can help mitigate them. If you can show the benefits of your program to these departments, there will be less hesitation and pushback once the program is launched and new controls are put in place.
While it is important to collaborate with other departments, corporate security teams need the authority and independence to seek out threats and conduct risk assessments across the entire enterprise. Another team may run the day-to-day operations, but your security team should have oversight of the entire process. For example, facilities might be responsible for keeping in contact with building management to ensure that all employee access cards are working, but the corporate security team should be the one to develop that process, roll it out, and conduct regular audits to confirm the control is working properly.
There are situations where a corporate security team doesn't have all the answers, and some investigations need to be conducted alongside other departments. If an employee was harmed on company grounds, what can the security team do to prevent it from happening again, how can human resources support that employee, and what, if any, are the legal ramifications of the incident? In another example, if an employee steals company data, you may want to bring in the IT team or your developers to see whether an interim control can be put in place while a more sustainable long-term solution is built into the security program. These are just some of the cross-departmental considerations that security teams should keep in mind when developing an effective security program.
Corporate security, as a whole, is moving towards a more risk-based approach. We’ll always have the reactive components of security, like incident response and investigations, but proactive work, like risk assessments and organizational awareness, is becoming more relevant and important to the overall success of the business.