The Manager's Handbook for Business Security
()
About this ebook
- Chapters are organized by short, focused topics for easy reference
- Provides actionable ideas that experienced security executives and practitioners have shown will add value to the business and make the manager a more effective leader
- Takes a strategic approach to managing the security program, including marketing the program to senior business leadership and aligning security with business objectives
Read more from George Campbell
Measures and Metrics in Corporate Security Rating: 0 out of 5 stars0 ratingsMeasuring and Communicating Security's Value: A Compendium of Metrics for Enterprise Protection Rating: 0 out of 5 stars0 ratings
Related to The Manager's Handbook for Business Security
Related ebooks
Becoming a Global Chief Security Executive Officer: A How to Guide for Next Generation Security Leaders Rating: 5 out of 5 stars5/5The Manager's Handbook for Corporate Security: Establishing and Managing a Successful Assets Protection Program Rating: 0 out of 5 stars0 ratingsPhysical Security Strategy and Process Playbook Rating: 0 out of 5 stars0 ratingsThe Chief Security Officer’s Handbook: Leading Your Team into the Future Rating: 0 out of 5 stars0 ratingsSecurity Leader Insights for Success: Lessons and Strategies from Leading Security Professionals Rating: 0 out of 5 stars0 ratingsWorkplace Security Essentials: A Guide for Helping Organizations Create Safe Work Environments Rating: 0 out of 5 stars0 ratingsEffective Physical Security Rating: 3 out of 5 stars3/5Building a Corporate Culture of Security: Strategies for Strengthening Organizational Resiliency Rating: 0 out of 5 stars0 ratingsFacility Security Principles for Non-Security Practitioners Rating: 0 out of 5 stars0 ratingsNine Practices of the Successful Security Leader: Research Report Rating: 0 out of 5 stars0 ratingsSecurity Leader Insights for Business Continuity: Lessons and Strategies from Leading Security Professionals Rating: 0 out of 5 stars0 ratingsSecurity Operations Management Rating: 0 out of 5 stars0 ratingsSecurity Leader Insights for Effective Management: Lessons and Strategies from Leading Security Professionals Rating: 0 out of 5 stars0 ratingsInformation Protection Playbook Rating: 0 out of 5 stars0 ratingsSecurity Leader Insights for Risk Management: Lessons and Strategies from Leading Security Professionals Rating: 0 out of 5 stars0 ratingsEffective Security Management Rating: 0 out of 5 stars0 ratingsSecurity And Risk Management Tools A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsDesigning and Building Security Operations Center Rating: 3 out of 5 stars3/5Security Metrics Management: Measuring the Effectiveness and Efficiency of a Security Program Rating: 0 out of 5 stars0 ratingsFrom Corporate Security to Commercial Force: A Business Leader’s Guide to Security Economics Rating: 0 out of 5 stars0 ratingsSecurity Careers: Skills, Compensation, and Career Paths Rating: 0 out of 5 stars0 ratingsThe Information Systems Security Officer's Guide: Establishing and Managing a Cyber Security Program Rating: 0 out of 5 stars0 ratingsWorkplace Security Playbook: The New Manager's Guide to Security Risk Rating: 0 out of 5 stars0 ratingsBusiness Practical Security Rating: 0 out of 5 stars0 ratingsFISMA Compliance Handbook: Second Edition Rating: 5 out of 5 stars5/5Security Leader Insights for Information Protection: Lessons and Strategies from Leading Security Professionals Rating: 0 out of 5 stars0 ratingsSecurity Metrics A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsCISSP For Dummies Rating: 4 out of 5 stars4/5Security Risk Management: Building an Information Security Risk Management Program from the Ground Up Rating: 4 out of 5 stars4/5Cyber Essentials: A Pocket Guide Rating: 5 out of 5 stars5/5
Strategic Planning For You
The Art of War: A New Translation Rating: 4 out of 5 stars4/5Start Your Own Business: The Only Startup Book You'll Ever Need Rating: 3 out of 5 stars3/5The 12 Week Year (Review and Analysis of Moran and Lennington's Book) Rating: 5 out of 5 stars5/5How to Grow Your Small Business: A 6-Step Plan to Help Your Business Take Off Rating: 4 out of 5 stars4/5The 10X Rule: The Only Difference Between Success and Failure Rating: 5 out of 5 stars5/5Time Management (The Brian Tracy Success Library) Rating: 5 out of 5 stars5/5Scaling Up: How a Few Companies Make It...and Why the Rest Don't (Rockefeller Habits 2.0 Revised Edition) Rating: 4 out of 5 stars4/5Strategy Skills: Techniques to Sharpen the Mind of the Strategist Rating: 4 out of 5 stars4/5Rocket Fuel (Review and Analysis of Wickman and Winter's Book) Rating: 5 out of 5 stars5/5Hagakure: The Book of the Samurai Rating: 4 out of 5 stars4/5The One Page Business Plan (Review and Analysis of Horan's Book) Rating: 5 out of 5 stars5/5Creating a Business Plan For Dummies Rating: 3 out of 5 stars3/5Summary of The 33 Strategies of War: by Robert Greene - A Comprehensive Summary Rating: 0 out of 5 stars0 ratings7 Powers: The Foundations of Business Strategy Rating: 5 out of 5 stars5/5Start with Strategy: Craft Your Personal Real Estate Portfolio for Lasting Financial Freedom Rating: 0 out of 5 stars0 ratingsBusiness Plan Checklist: Plan your way to business success Rating: 5 out of 5 stars5/5Both/And Thinking: Embracing Creative Tensions to Solve Your Toughest Problems Rating: 0 out of 5 stars0 ratingsThe Ultimate Sales Machine (Review and Analysis of Holmes' Book) Rating: 4 out of 5 stars4/5Primalbranding: Create Belief Systems that Attract Communities Rating: 4 out of 5 stars4/5Signing Service Secrets Revealed: A Guide On How To Start Your Own Signing Service Service Company Rating: 0 out of 5 stars0 ratingsRewired: The McKinsey Guide to Outcompeting in the Age of Digital and AI Rating: 5 out of 5 stars5/5Good Strategy Bad Strategy (Review and Analysis of Rumelt's Book) Rating: 3 out of 5 stars3/5New Sales. Simplified.: The Essential Handbook for Prospecting and New Business Development Rating: 4 out of 5 stars4/5The AI Factor: How to Apply Artificial Intelligence and Use Big Data to Grow Your Business Exponentially Rating: 0 out of 5 stars0 ratingsSummary of Blue Ocean Strategy: by W. Chan Kim and Renée A. Mauborgne | Includes Analysis Rating: 4 out of 5 stars4/5Summary: Made to Stick: Review and Analysis of the Heath Brothers' Book Rating: 0 out of 5 stars0 ratingsThe Checklist Manifesto (Review and Analysis of Gawande's Book) Rating: 0 out of 5 stars0 ratingsThe Nonprofit Strategy Revolution: Real-Time Strategic Planning in a Rapid-Response World Rating: 4 out of 5 stars4/5
Reviews for The Manager's Handbook for Business Security
0 ratings0 reviews
Book preview
The Manager's Handbook for Business Security - George Campbell
The Manager's Handbook For Business Security
Second Edition
Contributing Editor
George K. Campbell
Table of Contents
Cover image
Title page
Copyright
Acknowledgments
Introduction
Our Vision for the Value of This Publication
1. Understanding the Business of Security
Introduction
The Security Program Review
Build the Business Case for Crafting a Measurably Effective Security Program
Highlights for Follow-Up
2. Security Leadership: Establishing Yourself and Moving the Program Forward
Introduction
Leadership Competencies
Keys to Organizational Influence and Impact
The Next Generation Security Leader
Highlights for Follow-Up
3. Risk Assessment and Mitigation
Introduction
Assessing Viable Threats
Vulnerability Assessment
Board-Level Risk and Security Program Response Research
A Risk Quantification Process
A Risk Management-Based Concept of Operations
Highlights for Follow-Up
4. Strategic Security Planning
Introduction
Strategic Security Program Focus
Eight Key Strategic Issues
The Security Planning and Program Development Process
Business Alignment and Demonstrating Security’s Value
Highlights for Follow-Up
5. Marketing the Security Program to the Business
Introduction
The Essentials
A Marketing Strategy
Brand Recognition
The Mission Statement
Policies and Business Practices
Applying Standard Security Practices to Business Objectives
Highlights for Follow-Up
6. Organizational Models
Introduction
Baseline Elements
Program Characteristics
What Organizational Model Works Best in Your Company
Alternative Organizational Models
Consolidated Service Model
Seriously Explore the Potential Advantages of a Security Committee
Unified Risk Oversight
Access Is the Fundamental Essential
Highlights for Follow-Up
7. Regulations, Guidelines, and Standards
Introduction
Typical Regulatory Elements
How Many Security Regulations Apply to Your Company?
The Legislation, Regulations, Voluntary Compliance, and Standards (LRVCS) Breakdown
The Security Professional’s Role
The Implications of Noncompliance
Highlights for Follow-Up
8. Information Security
Introduction
Critical Importance of Information Security
Core Information Assurance Requirements
Information Has Value
Information Moves at Warp Speed
Key Assessment: What Is the State of Control?
Organizing the Information Security Program
Information Security Infrastructure and Architecture
Day-to-Day Operational Security
Cyber Incident Response Planning
Highlights for Follow-Up
9. Physical Security and First Response
Introduction
Your Objective: An Integrated Solution
Physical Security at a Glance
Alignment with the Threat
Security Operations
The Quality of First Response
All Space Is Not Created Equal
Physical Security as a Force Multiplier
Equipment Removal and Value of Risk Assessments
Security Riding on the Corporate Network
A Note on Convergence
Highlights for Follow-Up
10. Security Training and Education
Introduction
Objectives of Security-Related Training and Education
Training Options
In-House Training
Certificate Programs
Academic Programs
Development Plan
Contractors and Vendors
Training Business Units in Security-Related Responsibilities
Tracking Training Administration
Highlights for Follow-Up
11. Communication and Awareness Programs
Introduction
Strategies
Tactics
Security Awareness Approaches
Tailoring the Message
Highlights for Follow-Up
12. Safe and Secure Workplaces
Introduction
Predictability of Risk
The Policy Framework
Workplace Violence Policy
Protecting Key Executives and Key Individuals
Highlights for Follow-Up
13. Business Conduct
Introduction
Know Your Adversary
Corporate Hygiene
Learning from Business Conduct Cases
High-Level Policy or Guideline Statement
Checklist for Conduct of Internal Misconduct Investigations
Highlights for Follow-Up
14. Business Resiliency
Introduction
Your Focus
High-Level Policy or Guideline Statement
Track Business Continuity Readiness
NFPA Standard 1600
National Response Framework
Regulatory Requirements
Highlights for Follow-Up
15. Securing Your Supply Chain
Introduction
An Example of the Elements of Supply Chain Risk Oversight: Customs Trade Partnership Against Terrorism, Shipment Guard (C-TPAT) Security Criteria for Importers
A Focus on Supply Chain Security Has Multiple Benefits
Highlights for Follow-Up
16. Security Measures and Metrics
Introduction
What Are Measures and What Are Metrics?
What Are the Key Objectives for Our Metrics?
Why Measure? What Are the Benefits of Measures and Metrics?
Roles and Responsibilities
It’s about Communication and Risk Management
Where Do I Find the Data for My Measures and Metrics?
Business Alignment—Demonstrating Value to Management
Pitfalls to Avoid
Five Metrics You Might Consider
Conclusion
Highlights for Follow-Up
17. Continuous Learning: Addressing Risk with After-Action Reviews
Introduction
After-Action Review (AAR) and Incident Post-Mortem
Know Your Audience
Outline for the Incident Post-Mortem Management Plan and Briefing
Highlight for Follow-Up
Appendix A. Risk Review Elements
Business Risk Environment
Policy Framework
Threats
Location Risk
General Data
Business Continuity Incidents
Internal Risk
Information Security
Hazardous/Dangerous Material Issues
Base Building Risks
Owned Properties
Contractors
Background Investigation
Data Management
Business Continuity Planning
Emergency and Crisis Management
Security Awareness
Appendix B. Security Devices, Equipment, and Installation Labor Costs
Appendix C. Request for Proposals for Contract Security Services at [Specific Company Location(s)]
Introduction
Instructions to Bidders
Proposal Contents
Selection Criteria
General Conditions of the RFP
RFP Timeline
Appendix D. Workplace Violence Incident Response Guideline
Introduction
Workplace Violence Prevention Program Template
Some Critical Elements to Consider In Determining Dangerousness
Appendix E. Code of Business Conduct and Ethics Template
Company Assets
Compliance with Laws and Regulations
Confidential Information
Conflict of Interest
Dealing with Public Officials
Environmental Protection
Equal Employment Opportunity
Financial Records
Gifts, Gratuities, Favors: Giving and Receiving
Insider Trading
Intellectual Property Rights
Political Contributions
Workplace Safety
Reporting Violations and Policy Enforcement
Certification
Appendix F. Corporate Incident Reporting and Response Plan
Planning Philosophy
Corporate Emergency Plan
Corporate Emergency Response Team
Appendix G. Considering the Essentials: Questions for People and Program Development
Focus
A Suggested Approach
About the Contributing Editor
About Elsevier’s Security Executive Council Risk Management Portfolio
Index
Copyright
Elsevier
225 Wyman Street, Waltham, MA, 02451, USA
The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK
Originally published by the Security Executive Council, 2009
Copyright © 2014 The Security Executive Council. Published by Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangement with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Campbell, George, 1942-
The manager’s handbook for business security / George K. Campbell. – Second edition.
pages cm
ISBN 978-0-12-800062-5
1. Business enterprises–Security measures. 2. Risk management. I. Title.
HD61.5.C36 2014
658.4′7–dc23
2013045269
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
ISBN: 978-0-12-800062-5
For more publications in the Elsevier Risk Management and Security Collection, visit our website at store.elsevier.com/SecurityExecutiveCouncil
This book has been manufactured using Print On Demand technology. Each copy is produced to order and is limited to black ink. The online version of this book will show color figures where appropriate.
Acknowledgments
Concept: Bob Hayes
Content: Security Executive Council members, faculty, and staff
Contributing Editor: George K. Campbell
Development Editor: Kathleen Kotwica
Introduction
The Manager’s Handbook for Business Security represents the collective knowledge of the Security Executive Council’s members, faculty (former security executives and subject matter experts), and staff. It has been developed to provide current best practices in security for new security managers, current security managers who are in transition from public to private or one corporate profile to another, and business executives with an interest in or responsibility for corporate security. We have sought to provide the reader with short, focused topics with a view to validate, fine-tune, or overhaul existing programs; create new programs; and assist in their growth.
While it is nearly impossible to cover the subject matter here without some clear recollection of the available literature, this is not a rehash of the many fine, comprehensive security management publications that are available through a variety of qualified sources. Instead, we have sought to provide a series of short subjects that we hope will assist readers to lead and inspire more effective security programs within their organizations.
Our goal is to challenge readers to critically evaluate their programs, better engage their business leaders, provide tools for planning and enhancing security programs, pass along some lessons learned, and, we hope, generate value-added ideas.
Our Vision for the Value of This Publication
The Security Executive Council seeks to serve current and emerging corporate security leaders with knowledge-based tools that will enhance their abilities to positively influence their companies’ protection. This book contains many examples from strategic initiatives the Council has undertaken and the experiences of established security leaders. It is intended to guide the security manager with actionable essentials that our experience has shown will add value to the company and aid in the perception of the incumbent as an effective leader.
Every enterprise has its own unique culture and expectations for management and leadership. This book represents the experiences of several of your predecessor colleagues, who believe passing this knowledge on is a way to stay engaged in the profession in which we have invested much of our lives.
If you find here a lesson or two or three that help you better navigate the often stormy corporate waters, achieve an objective, or adeptly avoid a hazard, we have more than accomplished our mission.
Sincerely,
George K. Campbell
Contributing Editor
1
Understanding the Business of Security
This chapter addresses the need for understanding the corporate structure and how the security organization fits within the overall corporate organization. It provides coverage of the organizational constituents, assessing current security structure and processes, and developing and implementing a corporate structure best suited to the specifics of the particular organization.
Keywords
Security organization; constituents; risk-based program; board-level risks; program elements; cost and resource requirements; risk management and service-level objectives; regulatory driven; product/brand; corporate culture; return on investment (ROI); measurably-effective security program
Introduction
There is an old saying about new leaders: For the first six months you are part of the solution, and after that you are part of the problem. Management expects you to identify the strengths and weaknesses in the security program. If you immediately get caught up in the minutia, you will invariably lose the opportunity to craft an objective assessment and set goals for reinforcement and improvement. You need to understand where your program stands in management’s plus and minus columns.
Unless you have spent significant time inside the company, you need to get grounded early on in a thorough understanding of the business. How does management convey the company mission and values, what makes it succeed, what risks could impact its value, and what metrics does it use to measure its performance?
If you fail to understand what really moves your business and its top management, you risk assessing and defining the wrong security mission and priorities.
Who Are the Key Constituents?
To succeed, there are several relationships you need to understand and develop. Who are your customers? What moves them? How do they view security? Your definition of service begins with the perceptions of these often conflicting constituencies:
• public and investor relations
• shareholders and customers
• board of directors
• senior management
• line business unit managers
• chief financial officer
• chief information officer
• general auditor
• legal counsel
• chief compliance/ethics officer
• chief risk officer
• chief marketing officer
• facilities and real estate
• employees
• security teams
• third-party vendors
• supply chain participants
• insurance carriers
• regulators and law enforcement
Many of these offices may have conflicting views of the mission and value of the security function. It is this diversity of perception that must be understood and managed.
What Issues Move Your Constituents?
All corporate organizations have a history, both pro and con. Outstanding service is an expectation, but you need to understand how prior engagements with the business have framed opinions of the competency of your team and their mission within the enterprise.
Don’t miss the potentially long-held bias from a prior incident that left a bad taste. You may start out with a label that, while admittedly undeserved, requires a new understanding going forward. This is your program. Regardless of history, establishing your style versus your predecessor’s is critical.
Each of these constituents has a different perspective and agenda regarding security, which mark their individual views of the following:
• What could bite? What keeps them awake at night, and what role does security play in their comfort or discomfort?
• What are the regulatory and situational environments that may impact their view of protecting the brand, the supply chain, and shareholder interests?
• What is their perspective on corporate culture, what is right,
and the shared view of corporate integrity.
• How does security influence or fail to influence its contribution to business value?
• What are the costs of security programs versus the measurable return?¹
• Do they see themselves as a champion or sponsor of an internal corporate service model that includes security?
• How might security be tied to their success?
Regardless of your industry or risk profile, there is a daunting array of relationships that you will have to develop and maintain to understand your constituents’ needs and to know who can be your go to
customers. It’s important to understand who has no clue about security but should, who is a supporter and mentor, and who would welcome the program’s untimely end—and to establish relationships with all these individuals.
Knowing if your venture has an enterprise risk management (ERM) framework may prove helpful to you in building partnerships and gathering insights from others with the same charge but a different discipline. Understanding the scope and boundaries of the security function and where it fits into an ERM framework would be helpful. Security would likely fall into the operational risk bucket of an ERM structure, as in the model depicted in Figure 1.1.
Figure 1.1 Enterprise Risk Management (ERM) Structure.
An example of an ERM structure with security as part of the operational risk bucket.
Where to Start?
Whether you have come from within the organization or just arrived from a prior job, you must thoroughly examine the organization you are leading and assess where the program is headed and where you and your constituents think it should be.
The need to assess the strengths and weaknesses of the security organization.
Research by the Security Executive Council (SEC) has highlighted key areas that define a leading-edge security program, as listed below:
• The program is risk based.
• Services provided correspond with risks of concern to senior management and the board of directors (board-level risks).²
• Comprehensive program elements have been defined.
• The program has definitive costs and resource requirements that may be tracked to specific risk management and service-level objectives.
Programs are driven by at least four or more of the following defined catalysts:
• regulations
• products or brand
• incidents
• sponsors
• geography
• corporate culture
• return on investment (ROI) or value
• combinations of the above
The desired maturity model of your program needs to be consistent in all markets, business units, and functions; be sustainable in leadership³ and executive support; provide for measurable security programs; and provide access to executive management and the board of directors when necessary. Periodic peer review assessment and validation is highly desirable. The guiding service-delivery strategy should incorporate the elements of Unified Risk Oversight (URO)™. URO is a method of approaching risk whereby any corporate peril is identified by a team of executives or managers who represent the company’s various business units and is then managed with the best interests of the business and its goals in mind. By corporate risk
we mean not just the compiled risks of individual business units, but also the new picture created when different departments’ risk considerations are brought together and compared, combined, and prioritized.
URO does sound similar to another popular term—enterprise risk management (ERM).⁴ However, there is one crucial difference: oversight. While ERM identifies all risks that may impact the corporation at the board level, URO is about who or what entity is watching over it all. It calls for one centralized overseer, a component that is not necessarily an integral part of enterprise risk management. When risk is managed by the URO method, all decisions to transfer, avoid, mitigate, or accept risk are made in full consideration of their impact on all business units. Of course, this means not every decision will reflect what you may feel is the best option for security, but every decision will take security into account and seek to provide the best possible outcome for the business as a whole.
What Is the Real Cost of Security?
There are potentially significant security-related costs across the company, which are not directly attributable to your oversight. These costs tend to be obscured and accountability can be diluted. You should endeavor early on to probe and understand the scope and ownership
of these expenses. They may more appropriately be under your control, or perhaps you should at least have some policy-based input. However, you may be perfectly happy having these expenses elsewhere, if this lowers your visible expense profile. Use Table 1.1 to calculate these costs as closely as possible. Seek out support from a trusted colleague in risk management, internal audit, or the CFO’s office to capture these budgeted items.
Task Assignment: Assess Where Your Program Is and Where You Want It to Be
1. What clues on top management’s assessment of the security program did you gather from the interview process? What expectations were expressed and how do you intend to get to the bottom of these perceptions?
2. Is there a discernable legacy that you perceive and/or are expected to address?
3. What are the key stakeholders’ views of security? List your major security functions and rank their level of support among knowledgeable consumers. Are there common threads of positives and negatives?
4. To what extent are security programs integrated into strategic business planning?
5. How well does your—and others’—early assessment view the ability of the program to anticipate and respond to the risks it is expected to understand and address?
6. To what extent is your department proactively assessing risk and using the results of these assessments to influence policy and modify behavior?
7. What do you know of the competencies and needs of your key subordinates? What are the priorities here?
8. If you use contract services, how competent and responsive are they, both from the record and from your knowledgeable constituents’ opinions? Are they cost-effective?
9. If you were told to reduce your budget by 10% or 25%, which programs would you select to cut with what anticipated consequences? If you could increase your budget by 10% or 25%, what programs would you create or enhance, and what positive results would you anticipate?
10. Given your understanding of the business and the risks confronting it, what issues most need attention in your early days? Would your conclusion surprise senior management? If so, build the business case for addressing it.
11. The security program is one of many business enablers; and, to some extent, it may serve as a guardrail. What does top management see as the culture they want to create or maintain? What is the tone they want to set?
12. How do you assess your program’s ability to deliver services that contribute to management’s vision in growing the business, setting behavioral standards and tone, and clearly defining a risk appetite?
13. How well does your staff understand what they are doing, how they are doing, and why they are doing it?
14. Armed with your results, what is your plan for addressing your program’s shortcomings and optimizing its strengths?
Table