When I speak with security executives privately about their challenges, one that I often hear is the pressure of time, budget and resources. They often find themselves in a situation where their budget is not aligned with their perceived risk. This leads to tactical decisions with no fundamental strategy or plan in place to mitigate this gap. Too often this may be a persistent problem leading to years of a Band-Aid approach to how they organize their people, their processes and how they deploy technology.
A recent case study at The Great Conversation delivered by one of the most respected hospitals in the country provided us insights into how this might happen.
Hospitals have customers. The customers are provided a value proposition, implied or explicit, that they will be provided the best possible care. “Care” is not limited to the medical approach taken, but also to the customer’s safety and security during their stay. Therefore, all the employees, processes and technology in a hospital must serve this over-arching value proposition. Value propositions in any business are the result of the intersection of risk and opportunity. How this is navigated will impact the brand, culture, and profit of the organization.
How security and safety address the opportunity of the business is a strategy. How that strategy should be deployed is a plan. How it is executed is a methodology based on that plan or roadmap.
In this hospital, they found their brand and value proposition were stimulating exciting growth. But as most CEOs know, growth has its own risks. In this case, the growth was causing both IT and Security to react without a strategy or a plan. The result was that both organizations had developed silos of technology that did not interoperate. Nor were they leveraging the expertise, budget or resources of the other. Because of this, their internal brand was at risk, as was their alignment with the mission and objectives of the hospital.
Fortunately, the two departments recognized this and began to take steps to fully assess the situation using external and internal teams. These teams outlined the gaps in how they were deploying their people within the core processes and policies of the hospital. This provided insights into the opportunity security had to provide customer services while providing safety and security policies: a double win for the organization.
Once the value proposition was in place, along with the use cases for how people could be deployed to save time while meeting the need, they could begin to look at the technology that would allow them to continuously improve over time.
To provide a long-term, sustainable plan for the technology, a scorecard had to be developed that included the IT standards for an integrated architecture that was highly available, reliable, defensible and maintainable. This scorecard was then used to assess technology partners and guide the implementation roadmap.
The new team, composed of IT, Security and a security risk management services (SRMS) provider as well as vetted technology vendors in access control, video surveillance and critical communications, became a virtual steering committee. This committee guided, measured and implemented the strategy, planning and implementation of the hospital’s security and safety program.
This is the template for the future of our industry: knowing before doing, planning before tactics, and aligning disparate internal and external teams with the value proposition of the organization.