OK, I’m going to apologize right up front for the clichés, but if history didn’t repeat itself, all we would have is 20/20 hindsight. Some say they would rather be lucky than good, but that is what you are left with when you don’t know what you don’t know. Sorry, I think I’m done for now.
When it comes to security, clichés are the last thing you want to rely on, especially when… uh, never mind. Unfortunately, even if unintentionally, that can be the case when a security department is stuck in the status quo. There are a variety of reasons for that, but busy-ness tends to be the most common, along with limited budgets or staffing. However, when the rubber hits the road, ignorance is no excuse.
Seriously, as security professionals, it is our responsibility to know the condition and needs of our organization. Even if we are not able to act on everything, we need to have a plan, and the first place to start is with an assessment. While this effort isn’t necessarily a risk assessment, issues will likely be identified that are risks and can be addressed in the process. Also, any gap in operational capacity can be a risk, but the focus of this assessment is on establishing a baseline of the current security operations from which a path forward can be developed. Personally, I believe this is the most important service I can offer, as it gives the security director knowledge and the ability to start prioritizing next steps. I’m afraid that sometimes people think that an assessment just means recommendations for spending a lot of money to replace stuff or a major organizational revamping. In reality, at least in my approach, the result of the assessment is to find the issues that can be resolved with minimal effort. It may be by using features or capabilities in a system that haven’t been developed or by changing roles and responsibilities of staff to drive greater efficiencies. Yes, we also want to look at the big picture and provide valuable information that can help drive long-term goals, but as the smaller, achievable initiatives are met, the larger tasks don’t seem so far out of reach. Investing in a thorough assessment from an experienced professional can be the best money a security department spends.
It is possible that a security department could find the time to do some of their own assessments, but seldom do they have the time necessary to do a thorough review alongside their regular responsibilities. Additionally, they may not have the experience necessary to see all the gaps. The best approach is to bring in an outside perspective, in the form of a security consultant (I might know of one or two), and have them provide a two-part service. Part 1 is the assessment to establish existing conditions and identify gaps in operational requirements. Many times, the assessment will identify hidden risks from policies or procedures that are not being met, which can be resolved with some corrective measures. Part 2 is to provide a road map or Security Master Plan that describes the opportunities that can be achieved. The plan prioritizes short-term tasks that provide benefits which can be achieved with limited time and cost, and creates a phased long-range plan for improvement over a 5- to 10-year period. I recently provided these services for a regional airport and documented information that they could tackle on their own and provided options where I could help them work through more involved activities. The bottom line is that they are better informed to take action on the items I addressed.
While security consultants offer many services to support an organization, they should always begin with some level of assessment. After all, no one wants to get caught barking up the wrong tree. With a good understanding of your security environment and a road map in hand, you can have a great deal of confidence in charting a course for the future.
Knowledge is power.