Now, what do security risk and threat assessments mean to the executives and upper management to whom you present them? Many view them as opportunities for improvement, unwelcomed requests for even
more funding, or as inconsequential.
How you view, conduct and present security assessments determines how your upper management will perceive them and, often, whether they’ll act upon your requests and recommendations.
Many of us have conducted security assessments by showing up with a clipboard that held a series of questions with Yes and No checkboxes next to them: Are our lights working? Are the locks operational? We filled it out and we handed it to our clients (upper management or corporate executives) as our final product.
What’s the Main Goal?
If your goal is to promote the security program by adding new technology or by getting management off your back, the checklist may be the best way to do it. It’s also a good way to invite management to view security as a target for funding reductions and to view you as an inhibitor of the business instead of an enabler. This is not because security isn’t important to the business; it’s because the checklist does not speak your client’s language.If you walk up to the CEO of a bank, hand him or her the checklist and start talking CPTED, for example, you’re likely to get a polite smile or a blank stare, not because it’s not a significant issue, but because it’s not being presented in a way that enlightens the client or shows why it’s important to the business.
On the other hand, if your goal is to promote the business, improve the business, and protect the revenue stream and the company’s integrity, the checklist we’ve traditionally used is just your first step. It is a valuable tool for assessing the security of our businesses, but it should be just that – a personal data collection tool, not the final product. We still need to collect data on crime, incidents and the rationality or effectiveness of our current solutions. But then we must take that information, consider the audience we need to reach, and develop an assessment that will speak to that audience, capturing the language they will understand and inspiring action. In order to get action from our audience, our assessment must:
- Audit expectations and standards
- Adapt to business advantages
- Achieve residual security benefits from routine practices
- Align with corporate goals
- Articulate the business case
- Focus your assessment on business results.
Your final product doesn’t need to drill down to recommendations of specific technology items. Instead of presenting technology-oriented solutions, which are often viewed as unpleasantly high-cost recommendations, lay out the benefits and advantages your mitigation strategies will offer the business. For instance, can you present metrics that show how improved access controls or awareness programs would save labor or money? - Think about your audience.
Determine who has the influence to execute the actions you’re recommending. If you are the person who has that authority, then propose your personal objectives and initiatives for which you need buy-in or departmental funding. If your clients are the ones who must take the action, your assessment should be geared towards motivating them to act, explaining why they should, or focusing on how to help them do their job better. Know your audience and take them into account early on. - Watch your language.
While security professionals too often think in terms of cops and robbers, the business executives we’re trying to influence think in terms of revenue and opportunities. The language we use in our assessments has to reflect that point of view. Highlight how the security strategy can lower costs or increase efficiencies, grow or protect revenue, and retain or attract customers. - Think strategically.
When assessing your efforts and results, ask yourself if what you are communicating represents a security tactic or a business strategy. Consider the strategy before reaching for those comfort zone checklists.