Among the most essential elements of a corporate security program are the policies that define the “ground rules” and structure that guide how your security department and employees across the organization help address the risks, threats and vulnerabilities that confront your people, operations and performance.
As a former corporate director of security and Special Agent in Charge and Investigator during my 26 years with the U.S. Secret Service, I paid a lot of attention to security policies. One reason I did so was that I knew from experience that security policies – and whether they were comprehensive, up-to-date, clear and even flexible – had a major impact on my ability to align and coordinate resources. This was necessary to achieve a continuous stream of positive, mission-aligned security outcomes. But I also knew – and remind clients regularly about this today – that, for many organizations and leaders, security policies are rarely fully up-to-date, comprehensive, understood by all key stakeholders and put into practice faithfully.
Whether you develop these from scratch, merge policies owned by various units within the enterprise, or simply set out to audit and improve policies already established, this can be a daunting task. Here are some recommendations that can guide you as policies grow from general responsibilities to many robust supporting documents specific to your operations and goals. These are tips and suggestions I have found useful during my career – as an executive responsible for corporate security for major enterprises and as a consultant and advisor to executives facing the same challenges I did.
1. Recognize Many Different Corporate Functions ‘Own’ Security Policies
Functions apart from the security department actually author and maintain many security-related policies. The HR department, for example, needs to have clear policies on terminations – like alerting security before confronting an angry individual and ending the organization’s relationship with them. The IT department has security-related policies such as password management or policies that require enhanced physical security measures protecting data and equipment locations. And the Legal department will likely have a strong perspective on the organization’s duty to address issues such as proximate cause, duty and standards of care.
The challenge is to avoid a “siloed” approach to disparate security policies scattered throughout the organization – in different formats, physical and electronic locations — or with conflicts, overlaps or gaps across departments, business units or geographical regions. To ensure a single point-of-view for ease of access and consistency and build protocols that clarify ownership and maintenance, we recommend clients establish a centralized, electronic and web-based Master Security Policy Manual that multiple departments maintain over time.
2. Consider the Difference between Policies and Minimum Guidelines
If you’re responsible for security for a large, complex enterprise, you know how difficult it is to define a policy and require its enforcement in exactly the same way by every business division, type of facility and construction, and region or country. One example is a policy requiring specific technical system requirements in new construction or renovation of certain types of facilities. These may or may not be possible due to variances in factors that range from local conditions to construction methods and materials.
Your Master Security Policy Manual should, therefore, be clear about (1) the distinction between a policy and a minimum required standard and other guidance, like a recommendation; (2) the authority or latitude an internal user has in complying with the guidance; and (3) directions on how to suggest changes in policy or request an exemption.
The most effective policies are those, for example, that define and protect a global baseline for critical practices like shatter-proof glass in the lobbies of all major corporate centers or consistency in password composition, while providing some latitude, where necessary, for local adaptation.
There are always exceptions to rules and customizing protocols to accommodate circumstances unique to a given set of circumstances is important. That’s why the format of your Master Security Policy Manual must acknowledge and reflect your need to balance standardization and specialization. But before you can determine where it’s in your interest to veer from security-related norms, you need a common baseline.
3. Remain Flexible to be a Good Partner
One of the areas often missed by security programs is being a good business partner to the rest of the company. While developing your policies, it is crucial that you don’t operate in a vacuum and only think strictly about security. It’s a good starting point, but you also need to learn and understand what the rest of the company does and determine if or how your policies may impact them and their operations.
Identify the risks, threats and vulnerabilities and then work with the business units to determine what is acceptable. You may not be able to adjust your policy to fit their needs, but it may lead to a beneficial exception process. Being a good partner demonstrates that you see and understand the big picture of what the company’s goals are, and that you support them.
4. Target the Outcomes You Require to Support Your Business Objectives
A best-in-class approach to security policies and guidelines delivers the following benefits.
- Integration: Promotes a holistic view of your organization’s security practices and integration of these across your business divisions and functions.
- Rationalization: Advances standardization, where appropriate, across critical security risk management domains.
- Collaboration: Helps capture, document and improve internal security risk management best practices over time.
- Communication: Requires various internal stakeholders of security to share best practices, resolve conflicts in policy and build consensus.
- Efficiency: Leads to efficiencies in security processes and resourcing which, in turn, helps lower costs.
- Alignment: Drives better alignment of security with business strategy, goals and requirements.
- Performance: Helps define security-related roles, clarify responsibilities and manage expectations.
- Risk Management: Improves your organization’s security risk management goals from prevention to agility in response.
While no corporation can be immune to crime or acts of terrorism, and it is difficult to completely guarantee safety in every situation, adopting these guidelines will advance a security program that reduces your risk in a structured, disciplined and cost-effective manner over time.