The Manager's Handbook for Business Security
Ebook, 526 pages, 4 hours


About this ebook

The Manager’s Handbook for Business Security is designed for new or current security managers who want to build or enhance their business security programs. This book is not an exhaustive textbook on the fundamentals of security; rather, it is a series of short, focused subjects that inspire the reader to lead and develop more effective security programs.

Chapters are organized by topic so readers can easily—and quickly—find the information they need in concise, actionable, and practical terms. This book challenges readers to critically evaluate their programs and better engage their business leaders. It covers everything from risk assessment and mitigation to strategic security planning, information security, physical security and first response, business conduct, business resiliency, security measures and metrics, and much more.

The Manager’s Handbook for Business Security is a part of Elsevier’s Security Executive Council Risk Management Portfolio, a collection of real world solutions and "how-to" guidelines that equip executives, practitioners, and educators with proven information for successful security and risk management programs.
  • Chapters are organized by short, focused topics for easy reference
  • Provides actionable ideas that experienced security executives and practitioners have shown will add value to the business and make the manager a more effective leader
  • Takes a strategic approach to managing the security program, including marketing the program to senior business leadership and aligning security with business objectives
Language: English
Release date: Mar 7, 2014
ISBN: 9780128002001
    Book preview
    The Manager's Handbook For Business Security

    Second Edition

    Contributing Editor

    George K. Campbell

    Table of Contents

    Cover image

    Title page

    Copyright

    Acknowledgments

    Introduction

    Our Vision for the Value of This Publication

    1. Understanding the Business of Security

    Introduction

    The Security Program Review

    Build the Business Case for Crafting a Measurably Effective Security Program

    Highlights for Follow-Up

    2. Security Leadership: Establishing Yourself and Moving the Program Forward

    Introduction

    Leadership Competencies

    Keys to Organizational Influence and Impact

    The Next Generation Security Leader

    Highlights for Follow-Up

    3. Risk Assessment and Mitigation

    Introduction

    Assessing Viable Threats

    Vulnerability Assessment

    Board-Level Risk and Security Program Response Research

    A Risk Quantification Process

    A Risk Management-Based Concept of Operations

    Highlights for Follow-Up

    4. Strategic Security Planning

    Introduction

    Strategic Security Program Focus

    Eight Key Strategic Issues

    The Security Planning and Program Development Process

    Business Alignment and Demonstrating Security’s Value

    Highlights for Follow-Up

    5. Marketing the Security Program to the Business

    Introduction

    The Essentials

    A Marketing Strategy

    Brand Recognition

    The Mission Statement

    Policies and Business Practices

    Applying Standard Security Practices to Business Objectives

    Highlights for Follow-Up

    6. Organizational Models

    Introduction

    Baseline Elements

    Program Characteristics

    What Organizational Model Works Best in Your Company

    Alternative Organizational Models

    Consolidated Service Model

    Seriously Explore the Potential Advantages of a Security Committee

    Unified Risk Oversight

    Access Is the Fundamental Essential

    Highlights for Follow-Up

    7. Regulations, Guidelines, and Standards

    Introduction

    Typical Regulatory Elements

    How Many Security Regulations Apply to Your Company?

    The Legislation, Regulations, Voluntary Compliance, and Standards (LRVCS) Breakdown

    The Security Professional’s Role

    The Implications of Noncompliance

    Highlights for Follow-Up

    8. Information Security

    Introduction

    Critical Importance of Information Security

    Core Information Assurance Requirements

    Information Has Value

    Information Moves at Warp Speed

    Key Assessment: What Is the State of Control?

    Organizing the Information Security Program

    Information Security Infrastructure and Architecture

    Day-to-Day Operational Security

    Cyber Incident Response Planning

    Highlights for Follow-Up

    9. Physical Security and First Response

    Introduction

    Your Objective: An Integrated Solution

    Physical Security at a Glance

    Alignment with the Threat

    Security Operations

    The Quality of First Response

    All Space Is Not Created Equal

    Physical Security as a Force Multiplier

    Equipment Removal and Value of Risk Assessments

    Security Riding on the Corporate Network

    A Note on Convergence

    Highlights for Follow-Up

    10. Security Training and Education

    Introduction

    Objectives of Security-Related Training and Education

    Training Options

    In-House Training

    Certificate Programs

    Academic Programs

    Development Plan

    Contractors and Vendors

    Training Business Units in Security-Related Responsibilities

    Tracking Training Administration

    Highlights for Follow-Up

    11. Communication and Awareness Programs

    Introduction

    Strategies

    Tactics

    Security Awareness Approaches

    Tailoring the Message

    Highlights for Follow-Up

    12. Safe and Secure Workplaces

    Introduction

    Predictability of Risk

    The Policy Framework

    Workplace Violence Policy

    Protecting Key Executives and Key Individuals

    Highlights for Follow-Up

    13. Business Conduct

    Introduction

    Know Your Adversary

    Corporate Hygiene

    Learning from Business Conduct Cases

    High-Level Policy or Guideline Statement

    Checklist for Conduct of Internal Misconduct Investigations

    Highlights for Follow-Up

    14. Business Resiliency

    Introduction

    Your Focus

    High-Level Policy or Guideline Statement

    Track Business Continuity Readiness

    NFPA Standard 1600

    National Response Framework

    Regulatory Requirements

    Highlights for Follow-Up

    15. Securing Your Supply Chain

    Introduction

    An Example of the Elements of Supply Chain Risk Oversight: Customs Trade Partnership Against Terrorism, Shipment Guard (C-TPAT) Security Criteria for Importers

    A Focus on Supply Chain Security Has Multiple Benefits

    Highlights for Follow-Up

    16. Security Measures and Metrics

    Introduction

    What Are Measures and What Are Metrics?

    What Are the Key Objectives for Our Metrics?

    Why Measure? What Are the Benefits of Measures and Metrics?

    Roles and Responsibilities

    It’s about Communication and Risk Management

    Where Do I Find the Data for My Measures and Metrics?

    Business Alignment—Demonstrating Value to Management

    Pitfalls to Avoid

    Five Metrics You Might Consider

    Conclusion

    Highlights for Follow-Up

    17. Continuous Learning: Addressing Risk with After-Action Reviews

    Introduction

    After-Action Review (AAR) and Incident Post-Mortem

    Know Your Audience

    Outline for the Incident Post-Mortem Management Plan and Briefing

    Highlight for Follow-Up

    Appendix A. Risk Review Elements

    Business Risk Environment

    Policy Framework

    Threats

    Location Risk

    General Data

    Business Continuity Incidents

    Internal Risk

    Information Security

    Hazardous/Dangerous Material Issues

    Base Building Risks

    Owned Properties

    Contractors

    Background Investigation

    Data Management

    Business Continuity Planning

    Emergency and Crisis Management

    Security Awareness

    Appendix B. Security Devices, Equipment, and Installation Labor Costs

    Appendix C. Request for Proposals for Contract Security Services at [Specific Company Location(s)]

    Introduction

    Instructions to Bidders

    Proposal Contents

    Selection Criteria

    General Conditions of the RFP

    RFP Timeline

    Appendix D. Workplace Violence Incident Response Guideline

    Introduction

    Workplace Violence Prevention Program Template

    Some Critical Elements to Consider In Determining Dangerousness

    Appendix E. Code of Business Conduct and Ethics Template

    Company Assets

    Compliance with Laws and Regulations

    Confidential Information

    Conflict of Interest

    Dealing with Public Officials

    Environmental Protection

    Equal Employment Opportunity

    Financial Records

    Gifts, Gratuities, Favors: Giving and Receiving

    Insider Trading

    Intellectual Property Rights

    Political Contributions

    Workplace Safety

    Reporting Violations and Policy Enforcement

    Certification

    Appendix F. Corporate Incident Reporting and Response Plan

    Planning Philosophy

    Corporate Emergency Plan

    Corporate Emergency Response Team

    Appendix G. Considering the Essentials: Questions for People and Program Development

    Focus

    A Suggested Approach

    About the Contributing Editor

    About Elsevier’s Security Executive Council Risk Management Portfolio

    Index

    Copyright

    Elsevier

    225 Wyman Street, Waltham, MA, 02451, USA

    The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK

    Originally published by the Security Executive Council, 2009

    Copyright © 2014 The Security Executive Council. Published by Elsevier Inc. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangement with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

    This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

    Notices

    Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

    Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

    To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

    Library of Congress Cataloging-in-Publication Data

    Campbell, George, 1942-

    The manager’s handbook for business security / George K. Campbell. – Second edition.

     pages cm

    ISBN 978-0-12-800062-5

    1. Business enterprises–Security measures. 2. Risk management. I. Title.

    HD61.5.C36 2014

    658.4′7–dc23

    2013045269

    British Library Cataloguing-in-Publication Data

    A catalogue record for this book is available from the British Library

    ISBN: 978-0-12-800062-5

    For more publications in the Elsevier Risk Management and Security Collection, visit our website at store.elsevier.com/SecurityExecutiveCouncil

    This book has been manufactured using Print On Demand technology. Each copy is produced to order and is limited to black ink. The online version of this book will show color figures where appropriate.

    Acknowledgments

    Concept: Bob Hayes

    Content: Security Executive Council members, faculty, and staff

    Contributing Editor: George K. Campbell

    Development Editor: Kathleen Kotwica

    Introduction

    The Manager’s Handbook for Business Security represents the collective knowledge of the Security Executive Council’s members, faculty (former security executives and subject matter experts), and staff. It has been developed to provide current best practices in security for new security managers, current security managers who are in transition from public to private or one corporate profile to another, and business executives with an interest in or responsibility for corporate security. We have sought to provide the reader with short, focused topics with a view to validate, fine-tune, or overhaul existing programs; create new programs; and assist in their growth.

    While it is nearly impossible to cover the subject matter here without some clear recollection of the available literature, this is not a rehash of the many fine, comprehensive security management publications that are available through a variety of qualified sources. Instead, we have sought to provide a series of short subjects that we hope will assist readers to lead and inspire more effective security programs within their organizations.

    Our goal is to challenge readers to critically evaluate their programs, better engage their business leaders, provide tools for planning and enhancing security programs, pass along some lessons learned, and, we hope, generate value-added ideas.

    Our Vision for the Value of This Publication

    The Security Executive Council seeks to serve current and emerging corporate security leaders with knowledge-based tools that will enhance their abilities to positively influence their companies’ protection. This book contains many examples from strategic initiatives the Council has undertaken and the experiences of established security leaders. It is intended to guide the security manager with actionable essentials that our experience has shown will add value to the company and aid in the perception of the incumbent as an effective leader.

    Every enterprise has its own unique culture and expectations for management and leadership. This book represents the experiences of several of your predecessor colleagues, who believe passing this knowledge on is a way to stay engaged in the profession in which we have invested much of our lives.

    If you find here a lesson or two or three that help you better navigate the often stormy corporate waters, achieve an objective, or adeptly avoid a hazard, we have more than accomplished our mission.

    Sincerely,

    George K. Campbell

    Contributing Editor

    1. Understanding the Business of Security

    This chapter addresses the need for understanding the corporate structure and how the security organization fits within the overall corporate organization. It provides coverage of the organizational constituents, assessing current security structure and processes, and developing and implementing a corporate structure best suited to the specifics of the particular organization.

    Keywords

    Security organization; constituents; risk-based program; board-level risks; program elements; cost and resource requirements; risk management and service-level objectives; regulatory driven; product/brand; corporate culture; return on investment (ROI); measurably-effective security program

    Introduction

    There is an old saying about new leaders: For the first six months you are part of the solution, and after that you are part of the problem. Management expects you to identify the strengths and weaknesses in the security program. If you immediately get caught up in the minutiae, you will invariably lose the opportunity to craft an objective assessment and set goals for reinforcement and improvement. You need to understand where your program stands in management’s plus and minus columns.

    Unless you have spent significant time inside the company, you need to get grounded early on in a thorough understanding of the business. How does management convey the company mission and values, what makes it succeed, what risks could impact its value, and what metrics does it use to measure its performance?

    If you fail to understand what really moves your business and its top management, you risk assessing and defining the wrong security mission and priorities.

    Who Are the Key Constituents?

    To succeed, there are several relationships you need to understand and develop. Who are your customers? What moves them? How do they view security? Your definition of service begins with the perceptions of these often conflicting constituencies:

    • public and investor relations

    • shareholders and customers

    • board of directors

    • senior management

    • line business unit managers

    • chief financial officer

    • chief information officer

    • general auditor

    • legal counsel

    • chief compliance/ethics officer

    • chief risk officer

    • chief marketing officer

    • facilities and real estate

    • employees

    • security teams

    • third-party vendors

    • supply chain participants

    • insurance carriers

    • regulators and law enforcement

    Many of these offices may have conflicting views of the mission and value of the security function. It is this diversity of perception that must be understood and managed.

    What Issues Move Your Constituents?

    All corporate organizations have a history, both pro and con. Outstanding service is an expectation, but you need to understand how prior engagements with the business have framed opinions of the competency of your team and their mission within the enterprise.

    Don’t miss the potentially long-held bias from a prior incident that left a bad taste. You may start out with a label that, while admittedly undeserved, requires a new understanding going forward. This is your program. Regardless of history, establishing your style versus your predecessor’s is critical.

    Each of these constituents has a different perspective and agenda regarding security, which shape their individual views of the following:

    • What could bite? What keeps them awake at night, and what role does security play in their comfort or discomfort?

    • What are the regulatory and situational environments that may impact their view of protecting the brand, the supply chain, and shareholder interests?

    • What is their perspective on corporate culture, what is right, and the shared view of corporate integrity?

    • How does security influence or fail to influence its contribution to business value?

    • What are the costs of security programs versus the measurable return?¹

    • Do they see themselves as a champion or sponsor of an internal corporate service model that includes security?

    • How might security be tied to their success?

    Regardless of your industry or risk profile, there is a daunting array of relationships that you will have to develop and maintain to understand your constituents’ needs and to know who can be your go-to customers. It’s important to understand who has no clue about security but should, who is a supporter and mentor, and who would welcome the program’s untimely end—and to establish relationships with all these individuals.

    Knowing if your venture has an enterprise risk management (ERM) framework may prove helpful to you in building partnerships and gathering insights from others with the same charge but a different discipline. Understanding the scope and boundaries of the security function and where it fits into an ERM framework would be helpful. Security would likely fall into the operational risk bucket of an ERM structure, as in the model depicted in Figure 1.1.

    Figure 1.1 Enterprise Risk Management (ERM) Structure.

    An example of an ERM structure with security as part of the operational risk bucket.

    Where to Start?

    Whether you have come from within the organization or just arrived from a prior job, you must thoroughly examine the organization you are leading and assess where the program is headed and where you and your constituents think it should be.

    The need to assess the strengths and weaknesses of the security organization.

    Research by the Security Executive Council (SEC) has highlighted key areas that define a leading-edge security program, as listed below:

    • The program is risk based.

    • Services provided correspond with risks of concern to senior management and the board of directors (board-level risks).²

    • Comprehensive program elements have been defined.

    • The program has definitive costs and resource requirements that may be tracked to specific risk management and service-level objectives.

    Programs are driven by at least four of the following defined catalysts:

    • regulations

    • products or brand

    • incidents

    • sponsors

    • geography

    • corporate culture

    • return on investment (ROI) or value

    • combinations of the above

    The desired maturity model of your program needs to be consistent in all markets, business units, and functions; be sustainable in leadership³ and executive support; provide for measurable security programs; and provide access to executive management and the board of directors when necessary. Periodic peer review assessment and validation is highly desirable. The guiding service-delivery strategy should incorporate the elements of Unified Risk Oversight (URO)™. URO is a method of approaching risk whereby any corporate peril is identified by a team of executives or managers who represent the company’s various business units and is then managed with the best interests of the business and its goals in mind. By corporate risk we mean not just the compiled risks of individual business units, but also the new picture created when different departments’ risk considerations are brought together and compared, combined, and prioritized.

    URO does sound similar to another popular term—enterprise risk management (ERM).⁴ However, there is one crucial difference: oversight. While ERM identifies all risks that may impact the corporation at the board level, URO is about who or what entity is watching over it all. It calls for one centralized overseer, a component that is not necessarily an integral part of enterprise risk management. When risk is managed by the URO method, all decisions to transfer, avoid, mitigate, or accept risk are made in full consideration of their impact on all business units. Of course, this means not every decision will reflect what you may feel is the best option for security, but every decision will take security into account and seek to provide the best possible outcome for the business as a whole.

    What Is the Real Cost of Security?

    There are potentially significant security-related costs across the company, which are not directly attributable to your oversight. These costs tend to be obscured and accountability can be diluted. You should endeavor early on to probe and understand the scope and ownership of these expenses. They may more appropriately be under your control, or perhaps you should at least have some policy-based input. However, you may be perfectly happy having these expenses elsewhere, if this lowers your visible expense profile. Use Table 1.1 to calculate these costs as closely as possible. Seek out support from a trusted colleague in risk management, internal audit, or the CFO’s office to capture these budgeted items.

    Task Assignment: Assess Where Your Program Is and Where You Want It to Be

    1. What clues on top management’s assessment of the security program did you gather from the interview process? What expectations were expressed and how do you intend to get to the bottom of these perceptions?

    2. Is there a discernable legacy that you perceive and/or are expected to address?

    3. What are the key stakeholders’ views of security? List your major security functions and rank their level of support among knowledgeable consumers. Are there common threads of positives and negatives?

    4. To what extent are security programs integrated into strategic business planning?

    5. How well does your—and others’—early assessment view the ability of the program to anticipate and respond to the risks it is expected to understand and address?

    6. To what extent is your department proactively assessing risk and using the results of these assessments to influence policy and modify behavior?

    7. What do you know of the competencies and needs of your key subordinates? What are the priorities here?

    8. If you use contract services, how competent and responsive are they, both from the record and from your knowledgeable constituents’ opinions? Are they cost-effective?

    9. If you were told to reduce your budget by 10% or 25%, which programs would you select to cut with what anticipated consequences? If you could increase your budget by 10% or 25%, what programs would you create or enhance, and what positive results would you anticipate?

    10. Given your understanding of the business and the risks confronting it, what issues most need attention in your early days? Would your conclusion surprise senior management? If so, build the business case for addressing it.

    11. The security program is one of many business enablers; and, to some extent, it may serve as a guardrail. What does top management see as the culture they want to create or maintain? What is the tone they want to set?

    12. How do you assess your program’s ability to deliver services that contribute to management’s vision in growing the business, setting behavioral standards and tone, and clearly defining a risk appetite?

    13. How well does your staff understand what they are doing, how they are doing, and why they are doing it?

    14. Armed with your results, what is your plan for addressing your program’s shortcomings and optimizing its strengths?
