A New Model for Assessing Corporate Security

Corporate Security — that is, what the federal government calls “Physical Security” — has long been treated as an uneducated stepchild by information technologists.  The old perception that Corporate Security is just about guns, guards and dogs is just not true anymore.   Instead, physical security has taken full advantage of the computer revolution to create security controls that run on computer networks and do amazing things like creating electronic perimeters inside hospitals (for visitor management), identifying visitors, tracking vehicles and biometrically identifying individuals.

Corporate security directors I have known are invariably smart, savvy and computer literate.   Here’s a look at the difference between the OLD physical security operations and the NEW corporate security organizations.  The OLD PS operations usually operated out of a guard shack or basement office, and the main activity was badging in security guards and checking badges.  The NEW PS operations are run out of a high-tech command and control center, and the Security Directors often have authority not only for security but also for Risk and, often, information security.

These Security Directors are very conscious of how to improve their department’s performance, and they are getting involved with benchmarking and automating many of their functions, including their security risk assessments.  Not like the old site surveys you see on TV, where the person is walking through the dark high-rise in the middle of the night, flashlight flashing.

We have been working on a model that could easily show the main areas of corporate security, and that a company could use to track exactly where it is in the process of creating an optimum security organization.  We call it the “Corporate Security Governance Model” and it tracks twelve elements of security through five levels:

        1.  Just Starting (Incomplete) – No commitment of resources to perform and manage this function.  No corporate sponsorship or awareness of its importance to the organization.

        2.  Performing – Rudimentary start to incorporating this element into the security program.  The function may have been done once, but there is no repeatability or management commitment.

        3.  The organization has assigned a manager to create a process for this security element.  Funding is available and management has been briefed.

        4.  The element is recognized formally in the corporate policy and has been funded.  Training has been introduced and metrics identified.

        5.  The element has become part of the company culture as policy, and its training and funding occur automatically.

There are nine elements which are tracked across the five levels above.   We need to add three more — so please send me your comments on what those should be.

As of today, here are the different elements:

1.  Access Control
2.  Compliance (Regulatory)
3.  Information Technology
4.  Loss Prevention
5.  Materials Management (looking for a better phrase for this)
6.  Personnel
7.  Policies and Procedures
8.  Risk Assessment & Management
9.  Training and Awareness

Each of these elements will be explained with the actions to be performed, or improved, at each level, and the idea is that a corporate security organization will work toward getting all 5’s across the board.

What elements are we missing?   Please post your comments or email me directly at chamilton@riskwatch.com and I will send you a copy of the model, which is a work in progress.

I think a model like this can be populated and automated so that an organization can get a fast 10-minute read that gives a snapshot of the security governance of the organization under review.

The next step is creating fixes for each of the steps so that moving along the continuum is easier and faster.