What is the Conversation You're Having in Your Security Department?
Posted on Wed, Nov 09, 2011
By Geoff Kohl, Editorial Director/Associate Publisher, Cygnus Security Media & SecurityInfoWatch.com
Is it a small conversation? Is it the usual chatter about who has time off coming, or whether we’ll have funds to add more lighting for the cameras at the loading dock? Is it about whether you’ll have to cut overtime to trim funds this quarter? Those are the conversations that must happen. If they don’t, the little details aren’t taken care of and little problems become big issues.
But besides those little conversations, are you also having “the great conversations”? Are you starting to think about greater issues than whether Alex or Dawn will be supervising the weekend shift?
I’ll admit, we all get caught up in the small conversations, but let’s talk about those bigger conversations, because if we aren’t having bigger conversations, then does security really matter? And, yes, we know security matters, so let’s have those great conversations!
Naturally, you sometimes must seed these conversations to get them started in your company. By that I mean that left to our own devices, we will talk about baseball scores, whose kids are getting ready for college, office issues, technical problems and the like. Unless we push the discussions beyond these issues, your conversations will stay on these small issues.
So let’s hit upon three seeded conversation starters:
Organizational resiliency. This is a big one, and it doesn’t have to be 10-miles-high out of this world concept. Tackle the reasonable situations first. Start with a question: If we had a major property crime, break-in, fire or life safety accident at our facility, how would that impact our employees and productivity? Ask the natural follow-on questions. Would employees still need to come into work? Who would still come in? If some employees couldn’t come into this facility, where would they work? Do we have provisions for them working remotely, off our secure network? Do we have a contingency plan to rent space? Do we even know a commercial broker that can be called to find us that space? What is the security of that facility? Do we have a contract security provider on call to provide round-the-clock patrols while our home facility is compromised?
Merged security operations. Used to be someone stole your equipment. Now they want to steal your data. Sometimes you can’t say that an issue is an IT one and walk away. Maybe we used to be able to do that, but now we have to collaborate. Gone are the days of the security manager who operated in a silo. Today you work on a team with operations, IT, HR, facilities, finance and anyone else deemed to be a continuity player. You can’t just ignore the team-leveraged responsibilities and say, that’s IT’s issue. Nor can you think security can’t do anything unless the facility guys get that repaired. Start the conversation: What are the likely scenarios where the conversation moves beyond the security department? What is your role in assisting that other department chief?
What does identity mean? It used to be, the security department owned the card office. And that was also the “identity office” for all accounts and purposes. If you go to a lot of big campus operations, there still is the card office. It traffics the background checks, handles card issuance, card replacement, etc. It often is staffed with a security department employee or sometimes a contract security employee. Almost never will you see HR or IT hanging out in the office (unless they lost their card). Why is that? Begin the conversation. Who owns identity? I don’t mean at the simplistic level, because we each own our own identities and have a level of duty to protect that. Rather, in the corporate setting, who “owns” the identity management process. Is identity really only a function of access control cards and badges? Where else can identity be used beyond the old “key card” concept? Does it makes sense to inextricably link badge “identity” (security) with network “identity” (IT) with financial “identity” (HR/accounting), and if so, how do we even begin to measure the cost and the return that such a functional change would create?
Start the conversation. Join us in the conversation. What is the great conversation you want to have?