window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-141226144-1');
(416) 550 8458,       (905) 612 1672        [email protected]      

Training a security program

Auuthor –  Bill Edwards
Security program development (SPD) and design is a process that doesn’t happen overnight. Security professionals face a complex environment that requires a dedicated and sustained approach in a constantly evolving landscape. Physical vulnerabilities coupled with those in the “digital domain” have created greater complexity as to how security programs are designed and developed into an operational working model.

In simple terms, a security program has five phases that form the foundation:

  1. Assessments
  2. Technology design
  3. Policies and procedures
  4. Standard operating procedures (SOPs)
  5. Operations

In a typical security program, the director will methodically establish a process and system to provide the organization with a means to train the program, beginning first with exercising policies, procedures, and standard operating procedures.

These documents should nest with the purpose of the business and the reason for its existence. Every security director should think about the end state of the security program when they set out to develop or refine it. This is called vision.

How to develop a successful security program

Security programs are linear in planning and cyclical in execution. The goal is to plan, coordinate resources, implement risk mitigation measures, implement technology to support, train staff, rehearse, and, finally, establish a tabletop exercise program. The exercise program is the “icing on the cake” and should have a dedicated rhythm throughout the year that tests current policies, procedures, and SOPs to assess their value.

As a reminder, all these documents are living documents that may require adjustments as the threat environment evolves and the business model changes. There should be a dedicated proprietary staff teammate that owns the updating process so that continuity can become a norm. Keep this in mind as an additional duty.

Keeping documentation relevant and up to date should be a task that has leadership emphasis for many reasons, not the least of which is meeting the business’s duty of care responsibility to its staff and patrons.

Additionally, exercise or operational testing programs built to support the overall security program must have a dedicated budget and time on the calendar to be freely conducted with complete stakeholder involvement. This includes external stakeholders that will require coordination with external agencies. The importance of solidifying the budget is simply a good business practice and allows for leadership to see the importance.

Lessons learned while planning tabletop exercises

During my Army career, I had the distinct honor to lead all exercise planning, coordination, and execution for specific tactical ground units in the United States European theater as they prepared to deploy into various conflict zones around the globe. This was a monumental task that required coordinating across all Department of Defense (DoD) services, contract support elements, coalition partners, and the deploying unit.

One of the techniques I used was to establish a series of planning events that led up to the initial tabletop exercise. This exercise set the conditions for a full operational exercise that put all the systems into play against realistic scenarios.

So how can security leaders set conditions for tabletop exercises that support the exercise program and become the bridge to full operational testing of the security program?

First, establish a linear milestone checklist that shows progression to the first tabletop exercise. This is the preliminary step. Some items to include in milestone development are:

  1. Determine objectives for the exercise. What does the team want to achieve?
  2. Create a list of realistic and proportional security problems that are unique to the business.
  3. Determine internal and external stakeholders who should participate in the exercise.
  4. Establish a model of “hip pocket” training for on-duty staff to accomplish as part of the day-to-day operations. This is a great way to bridge individual security tasks associated with a tabletop exercise.
  5. Secure time and funding to execute the exercise.
  6. Review existing documentation to include policies, plans, procedures, emergency operations, and crisis response.
  7. Begin to establish a framework to plan all exercise components, including consideration of a third-party moderator.
  8. Create an open environment for learning and growth. Underwrite mistakes so that both internal and external stakeholders feel comfortable sharing concerns about areas that may need special emphasis.

Once these initial milestones are envisioned and achieved, they should be assigned to a proprietary security team member that has the additional duty of “Exercise Planner.” This allows the security director to maintain focus on the bigger vision of the security program and oversee the daily operations while keeping leadership informed on progress and requirements for additional support to keep the program viable.

The next step is to design the tabletop exercise to train or test the program. This is done by focusing on a realistic security problem that forms the requirement to exercise the business plans against the scenario.

A good example of Training a security program is the fast evolution of commercial drone technology or the concern of insider threat activity that deals specifically with the protection of intellectual property.  A simple framework to get started might look like this:

  1. Start the exercise plan based on the milestone glide path.
  2. Determine logistics and administrative needs, such as location, equipment, preparatory material, and scenario development.
  3. Set the exact day and time — a good rule of thumb is to limit tabletop exercises to a maximum of three hours.
  4. Invite and confirm stakeholder involvement.
  5. Build the scenario by establishing an initial problem. Create follow-on injects to support further training.
  6. Come together and set the ground rules for the event.
  7. Execute the exercise.
  8. Determine a dedicated note-taker for the event.
  9. Conduct an after-action review (AAR).
  10. Produce a report that outlines definitive outcomes and the way ahead.
  11. Update policies, procedures, and emergency/crisis response plans.
  12. Plan for the next exercise.

Tabletop exercises are a good way to test, evaluate and reevaluate all aspects of a security program. Keep in mind that security program development takes energy and sustained focus.

Threats, vulnerabilities, and critical assets are constantly in flux and therefore require a dedicated “exercise program” embedded in the Training and a security program plan to help the security team and overall enterprise deal with long-term viability and business continuity.

Planned tabletop exercises give security leaders the ability to see the program through a different lens and provide adequate time to make changes where needed. Remember, security is linear in planning and cyclical in execution, and execution requires exercise. Let’s keep the conversation going.

2023-05-14T23:10:19-04:00

Share This Post With Others!

FacebookXLinkedInPinterestEmail

Related Posts

Securing public spaces without a perimeter
Securing public spaces without a perimeter

Securing public spaces without a perimeter

April 15th, 2024 | 0 Comments
Enhancing retail security: Combating insider theft
Enhancing retail security: Combating insider theft

Enhancing retail security: Combating insider theft

March 30th, 2024
Phishing attacks are destroying SMBs
Phishing attacks are destroying SMBs

Phishing attacks are destroying SMBs

March 1st, 2024
Security executive interview preparation
Security executive interview preparation

Security executive interview preparation

February 1st, 2024

Title

This website uses cookies and third-party services to ensure that we give you the best experience on our website, that may analyze your use of this site. you can edit your preferences. Settings Ok

Required Cookies

These cookies and tracking technologies are required to help our Websites work correctly or required to comply with the law (e.g., security requirements of data protection law). For example, these cookies allow you to navigate our Websites and use essential features, including secure areas and shopping baskets. We do not need to obtain your consent in order to use these cookies.

Analytics Cookies

These cookies and tracking technologies help us understand how customers and visitors interact with our Websites. They provide us with information about areas of our Websites visited, time spent on our Websites, transactions performed, and any error messages you receive. These cookies allow us to improve the performance of our Websites. They may collect your IP address but only for the purpose of identifying general locations of visitors and identifying fraudulent or spam traffic.

Functional Cookies

These cookies and tracking technologies allow our Websites to remember choices you make to give you better functionality and a personalized experience. For example, when you select a specific currency on one of our Websites, we will remember your currency selection when you return.

Advertising Cookies

These cookies and tracking technologies allow us to deliver content, including advertisements, relevant to your specific interests. This content may be delivered on our Websites or on third party websites or services. They allow us to understand and improve the relevancy of our advertisements. They may track personal information, including your IP address.
Go to Top