The identification and understanding of these inputs it is critical to ensuring that the future Security Program is customized specifically to the organizational environment, providing a balance between risk reduction and efficient operations.
Below, we will refer to these inputs as “Drivers.” Once collected, these drivers will become the primary inputs for the planning of the security office, specifically the development of the mission, mandate, and structure. They can be distilled into two distinct parts: Internal and External Drivers. The Internal drivers are components that are directly connected to and influenced by each of the lines of Within an organization, these are aspects of the organization that provide impetus and political gravity that would allow for the acceptance and support of a Security Program. These items also represent elements of the organization’s Core Value Chain; this alignment allows for the Security Program to work in concert with the primary objectives of the business, not as a hindrance. A firm understanding of these elements is mandatory for the success of this initiative.
The components that should be reviewed during a discovery process include:
The Primary Business Driver: This is the overriding reason that your organization began the Security Program Initiative. This is an important input because it provides insights into the motivations and expectations of the stakeholders; suggesting the potential short-term objectives.
Business Sensitive Processes Core Value Chain(s): These are the means by which the organization generates revenue and value to customers. These are an important input since they identify business processes that will need protection. Further, they must be handled in a delicate manner so as not to hinder their function.
Organization Culture: This is the means by which the constituents of the organization interact, and the rules and mechanisms by which they engage each other. In order for the Security Program to gain the widest level of acceptance and practice it must conform to the rules and mechanism of the organization.
Political Climate: This is an overview of the distribution of power and authority within the organization. It is an essential input in that it determines the manner and means by which all things are accomplished.
Organization Structure: This is the formal representation of reporting relationships and their interaction with each other in achieving the Core Value Chain(s). This input is vital to the development of the Security Program in that it determines territory and ownership of existing assets and business practices that need protection.
Technical Environment: This is the infrastructure of deployed technologies within an organization. This helps determine the level of sophistication and the ability to provide technical controls by the Security Program.
Technical Culture(s): These are the sub-cultures that arise as a result of developing and supporting specific technologies. This provides a necessary input in determining the proper means of communication with technical groups and solutions that would be deemed acceptable by them.
Internal Audit Environment: This is the means by which the organization measures the effectiveness of controls and processes and identifies needed corrections. This input is necessary in aiding the Security Program to work in concert with Audit.
After a review of the Internal Drivers, you should then examine considerations associated with external influences. For our purposes, the External Drivers will be limited to those items that are beyond the control of the organization. They are the influences that cannot be ignored and in most cases will mandate compliance. The components that should be analyzed during your discovery process and their importance to an initiative include:
Regulatory Environment: The laws that the organization is bound to uphold and abide by. This is a required input in order to safeguard the organization from potential litigation.
External Audit Environment: This is the means by which the organization measures the effectiveness of controls and processes and corrects any deficiencies. This input is necessary in aiding the Security Program to work in concert with Audit.
Industry or Business Partner Regulations: These are regulations in specific industries or requirements of business partners. Like government regulation, these elements must be acknowledged and complied with in order to maintain the organization in a state of good standing.