While always well intentioned, there are some security plans and programs that simply do not make good business sense, and may therefore be subject to budget cuts. The hiring of guards and implementation of security systems is sometimes decided on the basis of an available budget, and not necessarily congruent with an organization's actual security needs. How do you convince the organization's decision makers, and the dreaded "bean-counters" that security is a priority, and deserving of a fair allocation of resources?
Identify the #1 priority
It is imperative that you identify your #1 security priority, and be able support your conclusion as to why this need for security exists. Identify the weaknesses in the existing plan, and potential threats in order to ensure that the decision-makers understand why the security plan must be reinforced. What are your next two most important security priorities? This will give others a chance to see what other matters of importance are around, and will help them assess and focus on the #1 priority for security. Your goal is to get the management to allocate resources to where you see it needed most. After all, security is not often at the top of the list of business priorities, so your organization's management needs to be made aware of how much they have to lose if they do overlook security needs.
The risk assessment identifies potential hazards and solutions needed. The risk assessment should be performed regularly; at least once a year.
- Cost justification—Added security will always be seen by management as an additional expense, and does not bring in any income, so justifying any expense is often difficult. A smart security risk assessment process will educate key managers on the most critical risks found within the organization, and will directly provide justification for security investments.
- Productivity—With security risks covered, productivity can resume uninterrupted. By taking steps to conduct a review, reassess structure, and implement a new strategy for security, productivity can increase.
- Breaking barriers—To be efficient, security must be addressed by organizational management. The management is responsible for making decisions that relate to the appropriate level of security for the organization. The security team is responsible for making decisions that relate to the implementation of the specific security needs.
- Self-analysis—The security risk assessment must always be easy to assess, without the need for any extensive security expertise to understand the review.
- Communication—By acquiring information from multiple parts of an organization, the security risk assessment will increase communication and ensure sound decision making.