Core Program Practices: Assess, Implement and Monitor

This column will focus on some of the most fundamental components of an effective Security Program, namely the skills and competencies required by the security leader to implement a successful program. These traits, sometimes called the ‘soft skills’ of security management, are increasingly important as security risk management becomes a predominant Board room conversation.

Readers may assume that if not otherwise documented, the references are derived from the newly published anthology, CISO Leadership: Essential Principles for Success [Auerbach Publications, New York, 2008]. I will draw from and summarize the salient points as well as give contributor attribution as appropriate so readers can pursue the entire text. Other sources will be similarly referenced for the readers’ information.


Establishing a Security Program that meets the needs of your organization is a daunting task. Successfully embedding the principles of the Security Program into the very DNA of your organization is even harder.

Having said that, it can and has been done. But as successful leaders will attest, it can only be accomplished through a comprehensive approach that includes the organizational, managerial and operational aspects of your business.

This multi-faceted approach can be condensed into three high-level areas:

1) assess
2) implement and
3) monitor (as the figure below indicates)

Further, each major area can be broken down into sub-components as follows:

  • I. Assess
      a. The culture of the organization
      b. The business alignment
      c. Management commitment
      d. The risks
  • II. Implement
      a. Hire a qualified security professional
      b. Based on the business drivers
      c. Develop and sell a strategy
      d. Policy, standards and processes
  • III. Monitor and Measure
      a. Measure effectiveness

We begin with assessing the culture of the organization.


The Culture of your organization

Few things are more frustrating than trying to fit a square peg into a round hole. Thus, it’s important to know where you stand, from an organizational perspective, before launching an initiative with as much potential impact as a Security Program.

It is appropriate to lay the foundation with a focus on assessing the culture of the organization and its importance in implementing security that is appropriate to the environment. Don Saracco, Ed.D., a principal of the firm MLC & Associates, is an expert in organizational development. In his chapter (Chapter 10 in the aforementioned text) entitled “Why and How Assessment of Organization Culture Should Shape Security Strategies,” Dr. Saracco says, “Failure to align with culture is the hallmark of ‘programs of the month’ that come and go and end up on the trash heap of good intentions badly executed.” Working within the confines of an organization’s culture gives you an edge. Leaders, says Saracco, “…have an obligation to provide leadership by aligning the Security Program with the cultural reality of your organization.”

As much common sense as this would seem to be, many security professionals have not recognized that this alignment is an imperative. An organizational assessment should be standard practice, and security experts such as Harry DeMaio (former president and CEO of a wholly owned subsidiary of Deloitte & Touche, Deloitte & Touche Security Services, LLC) agree. As DeMaio reinforces in Chapter 4, “… adapt the look, fit, and feel of your code to local practice…”

Security is a change agent and, admittedly, most people (and their organizations) are by nature resistant to change. In most organizations, security must accomplish the job by way of influence, with minimum resources, within matrix organizations, with little or no authority, yet with the accountability and responsibility to ensure a standard of due care. That in itself is a tall order.

Further, security requires an allocation of funding and resources, which many organizations would prefer to spend on increasing the bottom line rather than on risk management. Moreover, it is highly unlikely that a security program will be awarded unlimited funding and resources. Nor is it appropriate to spend more on security than the risks warrant.

Therefore, as Saracco emphasizes, “Effective alignment with the culture and the needs of the business, enables security managers to design and implement necessary and sufficient security…”

So, where to begin? First, a security professional must appreciate the link between his/her program and the culture; second, s/he must understand how to go about assessing the organization’s culture in order to link the assessment outcomes to appropriate security strategies. Not so easy, as I daresay most security professionals don’t have a degree in organizational development.

Saracco ably walks one through the necessary steps, including:

  • Selling the assessment
  • Choosing the right assessment method
  • Interviewing protocols
  • Interpreting results

As one would expect, a substantial amount of work must go into achieving the desired results. This is well explained throughout Saracco’s chapter.

In summary, a successful cultural assessment requires:

  • Support from the most senior levels of the organization
  • A method for classifying organizational cultures
  • A comprehensive survey or interview methodology
  • A logical connection between the classification system and the specific security strategies
  • An effective presentation of the assessment results and recommendations
