Project Management – Atriade (https://atriade.com), Experts in Physical Security Consultation. Feed last built Tue, 02 Sep 2025 10:12:13 +0000.

8 Red Flags of Security Project Management
http://atriade.com/red-flags-security-project-management/
Published Thu, 27 Feb 2025 19:53:04 +0000

Not all project managers are built the same – especially those working in security. Security project management demands a deeper level of experience because of the unique risks, regulatory requirements, and operational impacts involved.

So before you hire a physical security project manager, be sure to watch out for these 8 red flags when assessing candidates for your security project.

1. Lack of Communication

Your security project manager should be the central point of communication, ensuring alignment among all stakeholders. And while they may not have control over every relevant stakeholder, it is their responsibility to facilitate clear and consistent communication channels. If communications from your project manager are sparse, expect confusion, unmet expectations, and misaligned goals, all of which put the project at risk.

2. Lack of Governance

Project governance is the formal framework that ensures a project is executed according to agreed-upon rules and processes. This includes setting expectations for how often meetings should occur, who needs to be involved at different stages, and how change management should be handled. Without it, roles and responsibilities become muddled and critical decisions may not be made in a timely manner. If your project manager doesn’t introduce a governance framework early on, consider it a red flag.

3. Unrealistic Timelines

Be wary of security project timelines that seem too good to be true. Many external stakeholders (and sometimes even internal ones) are likely unaware of the various forces at work within your specific environment. For example, there may be two months of design work or compliance approvals that need to take place before your project even begins. A good project manager acknowledges all applicable factors and works to ensure a more realistic and achievable schedule.

4. Not Taking a Holistic Approach

Even if your security project focuses on a single system, it is unlikely to operate in isolation. Let’s say you’re installing a new access control system. Have you thought about how your HR team will enroll new employees? Or how your IT department will manage network security? Could operations, who value occupancy data, share the budget for the new system? A skilled project manager sees beyond the immediate security impact and considers how the project will impact the organization as a whole.

5. People Pleasing

If your project manager says “yes” to everything—whether to you, internal stakeholders, or third parties—they could be putting your project at risk. While maintaining good relationships is important, avoiding tough conversations for fear of upsetting someone can quickly lead to scope creep. A strong project manager balances diplomacy with decisiveness.

6. Absence of KPI Tracking

Key Performance Indicators (KPIs) are essential for measuring the success of your security project. Years ago, project tracking was limited to Gantt charts and basic progress reports. But today’s project managers can monitor metrics such as budgets, device health, compliance adherence, and more. A project manager who does not establish and track relevant KPIs misses the opportunity to demonstrate project value.

7. Ignoring Program Management

Security project management and program management go hand in hand. While project management focuses on the tactical execution of individual initiatives, program management takes a more strategic, long-term view. Although project managers and program managers differ in their roles, project managers should still consider what happens after deployment. This includes employee training, system maintenance, and future scalability.

8. Lack of Experience

While the fundamentals of project management remain consistent across industries, security projects require a specialized approach. An experienced or certified security project manager understands the unique challenges of deploying security solutions and can help you avoid costly mistakes. Their knowledge translates directly into time and cost savings by defining realistic scopes, preventing unnecessary delays, and optimizing resources from the start.

Not sure where to start?

A qualified security project manager can make all the difference in delivering an effective solution for your organization. By understanding the red flags to look for, you can ensure that your project is in capable hands, freeing you to focus on your core business objectives. 

You may be surprised to learn that many security consultants also include project management as one of their service offerings. At Atriade, our team brings deep technical and operational expertise, ensuring that every security project is executed with precision from inception to completion. You can learn more about our security project management services here.

About Atriade

Atriade is a trusted security consulting firm with decades of experience delivering tailored security solutions. We specialize in security system design for access control, perimeter protection, video surveillance, visitor management, and other advanced physical security technologies. 

Our expertise also extends beyond system design to include security master planning, program development, risk assessments, professional services, and end-to-end project management.

For more than 20 years, we have partnered with Fortune 50 companies, Ivy League universities, and leading technology firms in Silicon Valley to help them navigate complex security challenges with a strategic, forward-thinking approach.

Visit us online at Atriade.com 

Connect with us on LinkedIn

Subscribe to our LinkedIn Newsletter: Take A Risk

Frequently Asked Questions

A useful 5-C framework is: Complexity (how complicated the work is), Criticality (business impact), Compliance (regulatory needs), Culture (team/organizational fit), and Compassion (stakeholder wellbeing and leadership). Use these to assess risk and priorities.

Security risk is the chance that project activities introduce threats to confidentiality, integrity, or availability, for example insecure designs, vendor weaknesses, data exposure, or weak access controls. These should be identified and mitigated during the project lifecycle.

“5.8” refers to controls in standards like ISO/IEC 27001 that require integrating information security into project management by identifying security requirements, assessing risks, applying controls, and monitoring security throughout the project.

Streamlining Physical Security Projects: The Crucial Role of Documentation
http://atriade.com/role-of-documentation-in-physical-security/
Published Sat, 18 Nov 2023 13:06:30 +0000

The complexity of technology projects requires businesses in the security industry to adopt focused program and project management initiatives. Companies therefore need to establish a core set of practices and standards for all types of projects, so that they can sustain the expected pace while delivering quality performance.


Documentation is an important part of project management as it fulfills the two most crucial components of a project management system: 

  • Ensuring that project requirements are met
  • Establishing traceability

Project documentation benefits the project beyond supporting a well-governed workflow. We have compiled a comprehensive list of the documents, the role each plays in project management activities, and the essential deliverables each provides.

Essential Project Documents

Project Charter

The project charter officially authorizes the project while also delegating planning, execution, and management to the project manager. The project charter must include: 

  • Project purpose
  • Project requirements
  • Project budget
  • Scope of the work
  • Key deliverables
  • Resources
  • Proposed schedule
  • Potential risks
  • Feasibility study

Moreover, the project charter encourages communication, making stakeholder engagement easier – a good project charter template provides a comprehensive summary of the essence of the project. 

Work Breakdown Structure

A work breakdown structure (WBS) is the foundation of project planning and resource management, and it helps prevent project scope creep. The WBS organizes the work into manageable chunks, which are usually measured in time.

The WBS ensures that no aspect of the project is ignored during the planning phase. Once the WBS is created, fill in the relevant information:

  • Start with the outcome of the project
  • Break each milestone down
  • Estimate timings
  • Assign task owners
  • Map your WBS in the desired format

Project Plan

The project management plan integrates the strategic management of the project and all the processes that are related to the venture including cost, timeline, and the scope of the project. This document serves primarily as a reference index as it includes all planning and project materials. 

The project management plan must include: 

  • A summary of the project
  • Budget
  • Expected milestones
  • The roles of team members
  • Tools to be used for management of the project
  • Schedule baseline along with work breakdowns

Issue Tracker

The Issue Tracker is a project document that records and tracks all issues.

Project managers can use the issue tracker to track and manage issues, ensuring that they are investigated and well handled. Throughout the project, the project manager will encounter unexpected gaps and inconsistencies that must be addressed so they do not impact the project’s triple constraints or performance. 

Risk Tracker

A risk is an unforeseen event that has a positive or negative influence on the project’s triple constraints i.e., scope, time, and cost.  

Risk can exist on two levels:  

  • At the level of individual constraints
  • At the level of the overall project

The Risk Tracker keeps track of both high-level and low-level risks. After risks are identified, the tracker is updated with the results of quantitative analysis; response plans, once developed, are recorded on the same tracker. Risk analysis also helps identify the risks one could face during project management.

Action Item Tracker

An Action Item Tracker helps the project team manage follow-on activities.

An action item is a piece of work that results from a project team meeting at which activities, issues, and dependencies are discussed. The action item is not itself required to achieve the meeting’s goals; for instance, an issue or activity discussed at the meeting may generate a follow-up activity.

Status Report Tracker

A common project management activity is a “weekly status report.” 

A typical Status report includes: 

  • Overall Executive Summary Status
  • Weekly Highlights and Lowlights
  • RAG (Red, Amber, Green) assessment
  • Next Actions

Progress Meeting Minute Template

A well-executed meeting concludes with prompt, accurately documented meeting minutes. Minutes are always generated and disseminated within 24 hours of the meeting by the professionals or project managers who ran it. The minutes of a project meeting include a list of action items as well as a summary of the topics discussed.

Project Communication Plan

A project communication plan is a framework for your project’s communication operations. The strategy should aid in getting the appropriate information to the right person at the right time in a format that works perfectly for them. 

There are a few key steps to follow when preparing a communication plan: 

  • Summarize the objectives – support remote team members and gather input from the project team
  • Define the target audience – the project team, key stakeholders, and relevant internal departments
  • Decide the required information – status, work in progress, issues, budget, and deadlines
  • Measure success and improve – track and analyze your plan at regular intervals

Project Close-Out

Project Close-Out is the process of finalizing all activities for the project.  

The Project Manager takes center stage and verifies that all project work is done efficiently, and the project has fulfilled its objectives. 

Conclusion

Pivoting to a business-focused PMO (Project Management Office) improves an organization’s ability to deliver effective and successful projects. By using the best practices outlined here, service organizations and end users alike can significantly increase the quality of their projects’ overall performance and the likelihood of successful completion.

About Atriade

Atriade is a security consulting firm. We provide security system design services for access control, perimeter protection, video and visitor management, and other physical security technologies. We also provide security master planning, program development, risk assessments, professional services, and project management.  

Our client portfolio includes Fortune 50 companies, Ivy League universities, and leading technology firms in Silicon Valley. 


The 7-Step Process for Successful Proof of Concept Execution
http://atriade.com/7-proof-of-concept-steps/
Published Mon, 12 Jun 2023 15:27:20 +0000


Proof of Concept (PoC) is a crucial step in the development of new products, services, or solutions. It can be used to validate an idea, design, or technology before investing significant time and resources into its implementation.

There are 7 steps that are important to successfully creating a PoC. In this article, we will dive into each one individually.

Step 1: Identify the Parameters

An effective PoC starts with identifying the parameters of the operational business case. Your entire PoC will be measured against these parameters.

To find the parameters that are appropriate for your case:

  • Identify the business need. What is the problem that the PoC is intended to address? Be as specific as possible about all the elements of the problem.
  • Define the goals of a solution. What do you want the outcome to be? How will this be different from your current situation?
  • Determine the success criteria. Will you have increased efficiency, improved customer satisfaction, reduced costs, or increased revenue?
  • Identify the stakeholders. Who will be impacted by the PoC? Remember to include both internal and external stakeholders.
  • Determine the scope. What is the timeframe, budget, and resources required?

With this information, you will be able to establish all of your parameters and proceed with the next steps of the process.


Step 2: Establish What Data is Needed

What data do you need to make the correct business case? It is important to capture both technical and operational data. This will allow you to measure not only the technology’s effectiveness but also the user experience.

The types of data can vary based on the specific project or initiative being tested. Here are some data types to consider:

  • Business Data

This includes data related to the business need or opportunity that the PoC is intended to address. It might include sales data, customer data, or financial data.

  • Technical Data

What technology is being tested during the process of the PoC? Consider data related to hardware or software components, data storage and retrieval, network performance, or system integration.

  • Performance Data

This includes data related to the performance of the PoC, such as data related to response time, throughput, or scalability.

  • Operational Data

This includes data related to the operational aspects of the PoC. This could include data related to maintenance and support requirements, training needs, or resource utilization.

  • User Data

This includes data related to user behavior and preferences. This could include data related to user interactions with the PoC, user feedback, or user satisfaction.

Refer to the initial information you created when establishing the parameters for the PoC. By doing so, you can determine which elements are important to track and measure for the most accurate results.


Step 3: Create Your PoC Environment

Creating a PoC environment is your next step in developing and testing a PoC. You want the environment to mimic the production environment as closely as possible. This enables you to test in a controlled and secure environment.

  • Define the Requirements

Determine the hardware, software, and network requirements needed to support the PoC, such as the necessary servers, storage devices, and networking equipment.

  • Configure the Environment

Install and configure the required software and hardware components in the PoC environment.

  • Test the Environment

Test the PoC environment to ensure that it is functioning correctly and meets the requirements. Be sure to include connectivity between different components, testing the performance of the environment, and ensuring that the environment is secure.

  • Test the Proof of Concept

Test the PoC in the PoC environment to ensure that it is functioning as expected. Be sure to test the functionality, performance, and security of the PoC.

  • Refine the Proof of Concept

Refine the PoC based on the results of the testing. This could involve tweaking the code or configuration, adding or removing components, or adjusting the environment settings.

  • Document the Environment

Document the PoC environment, including the hardware, software, and network components, configurations, and settings. This documentation will be useful in replicating the PoC environment in the production environment.


Step 4: Observe Everything

When you are running your PoC, it is vital to not only monitor the core technology, but all the aspects that the PoC impacts. Answers to these observation questions will provide the core of your PoC results:

  • Infrastructure

How does this impact the larger ecosystem outside the components directly impacted by the PoC?

  • Administration

How will business functionality be impacted?

  • Staffing

Whose job functions and roles are impacted and in what ways? Will you need additional people or different roles filled to reach your objectives?

  • Architecture

Do you have the right technological components in place?

  • Aesthetics

How is user experience changed in your PoC?

  • Branding

Do the results align with your big-picture business goals and positioning? Are they in line with your mission and vision?

  • Maintenance and Support

Are all the processes, people, and technology in place to ensure that you continue to see the positive results you want over time?


Step 5: Document the PoC from Beginning to End

The best PoC test in the world will only be as good as the documentation attached to it. Every part of the evaluation, process, and observation should be included in a clear and organized format. This will be essential for making your case to leadership based on the PoC testing.

Be aware of the following:

  • Determine who is responsible for each part of the documentation. How will they measure and record that information?
  • What is the structure of the documentation? For example, what should be included in the table of contents, what sections and subsections are important, and how will those relate to the goals of the test?
  • How will you determine what the key information is, and how will that be documented?
  • Describe the environment, including the hardware, software, and network components used in the PoC, as well as the configuration and settings of these components.
  • Capture the process, including the methodology used, the steps taken, and any challenges encountered.
  • Include the results. This should include the success criteria, the performance, and the functionality of the PoC. It also must address any issues and how they were resolved.
  • Add screenshots and diagrams to make it easier to understand.

Not only will this documentation give you the resources to present your results, but also to replicate the testing and adjust as needed to get to your desired result.


Step 6: Create a Plan That Includes Immediate, Midterm, and Long-term Deployment

Once a PoC has been completed and the results analyzed, the next step is to create a plan based on the PoC that outlines how to move forward with implementing the solution in the production environment.

  • Analyze the Results

Analyze the results and determine whether the solution met the objectives and goals outlined in the PoC plan. Identify any issues or challenges that were encountered during the PoC and determine how they can be addressed.

  • Develop a Roadmap

Develop a roadmap for implementing the solution based on the results of the PoC. This should include a high-level plan that outlines the major milestones, deliverables, and timelines for the implementation.

  • Define the Architecture

Define the architecture of the solution based on the results of the PoC. This includes determining the hardware, software, and network components required, as well as the configuration and settings of these components.

  • Develop a Detailed Plan

Include immediate, midterm, and long-term deployment.

  • Identify Resources

How does this impact the larger ecosystem outside the components directly impacted by the PoC?

  • Develop a Budget

This should include costs for hardware, software, personnel, training, and any other expenses related to the implementation.

Once you have a detailed plan, you will be able to present the solution to leadership and create a process for implementation.


Step 7: Establish Risk Tolerance and Acceptance

The final step in your PoC process is to establish a risk tolerance and acceptance model for a fully informed business case to leadership.

  • Define risk tolerance based on the organization’s objectives, goals, and mission, as well as legal and regulatory requirements.
  • Evaluate the risks involved in the plan, including the likelihood and impact of each risk.
  • Develop risk management strategies to minimize the risk to the organization.
  • Establish criteria for determining what is an acceptable risk.
  • Include a process for ongoing risk management and evaluation.

Risk can change significantly over time, so developing this section of the plan will ensure that leadership is able to make informed decisions based on the PoC testing, results, and plan.


Conclusion

High-quality PoC modeling has the capacity to set a business or organization apart from the competition by enabling the best possible decision-making. Following these best practices can help your organization take advantage of opportunities and avoid pitfalls. Many businesses may not know how to effectively run a PoC. This is one area where additional support from an outside consultant can be helpful.

About Atriade

Atriade has worked on 500+ projects, in 60+ industries, in 30+ countries. If you are ready to get expert assistance in creating a security master plan that will set you apart from your competitors, we are here to help. Our management team carries a lifetime of experience in all areas of physical security and electronic security that we are ready to put to work for your unique business and team.


Best Practices for Incident Management in Physical Security
http://atriade.com/physical-security-incident-management/
Published Thu, 16 Mar 2023 12:37:20 +0000

Governance is essential for incident management. When executed correctly, it provides the framework, policies, and procedures necessary to effectively respond to and manage security incidents.

How prepared is your organization to handle an incident in a timely and efficient manner?

Good governance can help ensure that an incident response plan is in place and that everyone involved knows their roles and responsibilities. It also helps to ensure that the right resources, including personnel and technology, are available to respond to incidents as they occur in a timely and efficient manner.

Four ways to maximize the role of governance at your organization:

  • Develop Effective Communication
  • Build Strong Partnerships
  • Test, Test, and Test Some More
  • Commit to Continuous Improvement

Let’s review each of these aspects of governance in more detail.


Develop Effective Communication

Effective communication is a critical component of good governance, especially when it comes to incident management. Some key considerations for creating effective communication as part of governance are:

Define clear roles and responsibilities

All stakeholders, including members of the incident response team, senior management, and relevant departments, should have clear and well-defined roles and responsibilities. This will ensure that everyone knows what they need to do and when they need to do it.

Establish communication protocols

Establishing clear and effective communication protocols can help to ensure that information is shared quickly and efficiently during an incident. This may include:

  • Defining a chain of command
  • Establishing a common terminology
  • Providing clear guidance
  • Determining what types of information should be shared and with whom
  • Identifying a shared medium for messaging

Foster a culture of open communication

Encouraging open and transparent communication can help to build trust and ensure that everyone involved in the incident response is working together effectively. This may involve regular status updates, open forums for discussion and feedback, and a commitment to transparency in the reporting of incidents and their resolution.

Plan for external communication

In addition to internal communication, it’s important to plan for external communication, such as with customers, regulators, and the media. Having a clear crisis plan in place for how to communicate with these stakeholders during an incident can help to minimize damage to the organization’s reputation and maintain customer trust.

By incorporating these considerations into governance for incident management, organizations can ensure that communication is effective, efficient, and consistent, and that everyone involved is working together to minimize the impact of security incidents.

Build Strong Partnerships

Governance can help demonstrate to stakeholders, including customers and regulatory agencies, that the organization takes security seriously and is taking steps to protect sensitive information and assets. This can help to build trust and confidence in the organization, which is essential for maintaining a strong reputation and preserving customer loyalty.

Make sure that you are including both internal and external partnerships. Some examples of external partners to consider may include:

  • Local emergency responders
  • Sourcing providers
  • Business recovery sites
  • Backup production facilities
  • Local officials needed for permitting
  • Experts needed to problem-solve during a crisis
  • Local catering services
  • Mental health resources
  • Customers needing to be contacted during an incident
  • News media

The reality is that if the first time you ever contact these individuals and organizations is during a crisis, it will extend and even delay the time to get help and support. Building strong partnerships will make the difference between mitigating versus extending the impact of an incident. Having a clear plan in place for how to communicate with these stakeholders during an incident can help to minimize damage to the organization’s reputation and maintain customer trust.

When it comes to internal relationships, things like company events and celebrations can help connect people to one another. This should happen both informally and formally through structured introductions and internal networking.

Ask yourself the following questions:

  • Who are your stakeholders in the plan?
  • How will you build and maintain relationships with these people?
  • Who needs to be connected through an introduction?
  • How are we keeping the contact information of each of these stakeholders up to date?
  • Who is responsible for making changes to the governance plan when there are changes in people or roles?

Test, Test, and Test

The first time you have an incident in your business should not be the first time you are reviewing your governance plan as it relates to that incident. Whether it is a cyber incident, a physical security incident, an environmental issue, or something else, it is critical that your team has reviewed and practiced their response.

The last thing you want during a crisis is someone struggling to find a manual. 

A tabletop exercise can make all the difference. In order to do this effectively, you want to get all the appropriate stakeholders in a room and review the process step by step. This can help identify possible points of failure and address them ahead of time. It will also ensure that you have all the information you need on hand when the time comes. Many businesses may not know how to effectively run tabletop scenarios, or haven’t taken the time to do it. This is one area where additional support from an outside consultant can be helpful.

Commit to Continuous Improvement

No matter how perfect your governance plan is, it will need to be updated and improved on a regular basis in order to continue to work effectively. The first step is to commit as an organization to continuous improvement, and then to take the direct steps to make it happen. This happens in three areas: people, process, and tools.

People

  • Who is responsible for driving the process?
  • Who has improvement on their job description and is able to commit the time and resources to moving this initiative forward?
  • Are they empowered to take the action needed?

Process

  • What is the process for making changes in response to both positive and negative feedback?
  • Is every stakeholder aware of this process and how to align it with their part of the system?

Tools

  • What tools exist to support the people and process, whether something as simple as a spreadsheet or a more advanced set of tools?
  • Is everyone able to access these tools?
  • Do these tools facilitate feedback from every level of the organization?

Summary

Governance can help build a process to ensure that incidents are documented and analyzed. This allows a business to determine the root cause of the problem and to identify opportunities for improvement.

You can take it a step further, and improve the overall security posture of the organization, reducing the likelihood of future incidents and improving the resilience of the organization in the face of future threats. This can be accomplished by developing effective communication strategies, building strong partnerships, testing your scenarios, and committing to continuous improvement. Each part of this process is vital to creating a robust and strong organization that will be able to withstand the inevitable incidents that arise.

About Atriade

Atriade has worked on 500+ projects, in 60+ industries, in 30+ countries. If you are ready to get expert assistance in creating a governance plan that will set you apart from your competitors, we are here to help. Our management team carries a lifetime of experience in all areas of Physical Security and Electronic Security that we are ready to put to work for your unique business and team.

Visit us online at Atriade.com 

Connect with us on LinkedIn

Subscribe to our LinkedIn Newsletter: Take A Risk  

The Role of People, Process and Technology in Security Program Management

Published Fri, 17 Feb 2023 at http://atriade.com/role-of-people-process-and-technology-in-security/

Success of a security program relies on striking the right balance between the robustness of the organization’s processes, the skillset diversity of its people, and the proper selection of supporting technologies.

What are some of the best practices behind the people, process, technology balance and how can you apply them to your own organization? Here is a roadmap:

People

People are the core of any business or organization, and they are where your program organization should begin as well. Start with an audit of the status quo to ensure that your governance is in alignment, meaning that it is:

  • Vetted and set up correctly
  • Assigned to the correct personnel
  • Connected with the correct privileges

Once the initial audit is complete then the next step is to develop your governance as a tool of your wider program strategy.

Good governance programs are both cross-functional and collaborative. It is important to be aware of the larger organizational culture and goals. Most important to success is that any governance plan be supported and championed by leadership.

Your governance plan should include:

  • Industry best practices customized for your unique organization
  • Institutional knowledge at every level
  • Clear and concise policies
  • Physical space parameters
  • Technology solutions and details
  • A communication and problem resolution section
  • An upstream and downstream engagement plan for program buy-in

Process

The execution of the program governance depends on assigning roles and appropriate resources to each element and stage of the program. Identify your leadership, decision-making, management, supervision, administration, support and operation roles. Assign responsibilities and accountabilities to each role. This facilitates an efficient process for building the right skillsets for your organization, and adds a true best-in-class dimension to the security team.

A strong communication and escalation plan is the final step in cementing the governance of your organization. The plan should incorporate policies around decision making, business case drivers, day-to-day operations, escalation to leadership, and feedback loops.

Central to the communication plan is both upstream engagement with leadership and downstream engagement with staff. The feedback process is central to this engagement and ensures longevity and sustainability of the people governance plan.

As in your governance plan, cross-functional buy-in and collaboration are crucial for the success of the established process. The process for engaging with other stakeholders of the organization, such as IT, facilities, or HR, should be organized and consistent. Steering committees, workshops, project collaborations, and educational and/or recreational meet and greets are effective ways to create and maintain these relationships.

Cross-functional collaborations should also follow a governance model, and engagement should occur at all levels of the respective organizations.

Technology

Supporting technologies in successful program management require careful vetting and selection based on unique organizational requirements. One size doesn’t fit all, and one solution doesn’t mitigate all risks. Combining effective technical solutions with the plan and process is the final piece of the program that adds further layers of risk mitigation.

Technology solutions range from the traditional access control and video management systems to innovative tools, such as Business Intelligence, Analytics, frictionless and advanced biometrics, and IoT sensor technologies.

These technologies and sensors can add considerable depth to an organization’s ability to manage the security and safety of its people and assets. Sensors can provide valuable data to proactively mitigate an event or manage office space utilization; frictionless solutions can help strengthen the authenticity of the credential, reduce tailgating, and raise situational awareness.

Business Intelligence tools can help security better manage its lifecycle. And integrations can allow security organizations to offer a better user experience by integrating employee and visitor facing apps and solutions.

These solutions can stand alone or integrate with the conventional video management and access control platforms to provide even more in-depth incident response and case management.

However, they come with risks that are important to understand, evaluate and mitigate. Each of these technologies is sensitive to the physical environments they are installed in.

Lighting, lines of sight, the physical contours of a space, false objects and false positives are all important limitations of each of these solutions.

Similarly, these applications require significant processing power, human intelligence, and change management to remain sustainable.

The most relevant best practice, therefore, is to evaluate each technology’s effectiveness in the intended environment. This ranges from whether a set of sensors can be properly installed in the curved ceiling of a lobby, to whether the network rules can accommodate subscription-based third-party AI software.

Privacy and data protection, equity of skin tone detection in a facial recognition camera, and robust protocols to validate the threat when a gun detection sensor goes off are all crucial to getting the technical solutions right.

The effectiveness of all these solutions greatly depends upon the type of environment they are installed in; and how thoroughly the solution was vetted and physically tested for that environment. Pilots and proof of concepts that validate the deployment of these solutions, policies around managing them, and incident response measurements are vital to select the right solution.

Finally, the physical design of the space matters equally in addressing the overall risk.

Lines of sight, clarity of evacuation paths, digital signage, and subtle but robust perimeter protections are design aspects that must be discussed with a risk-minded approach to safety and security. The design of these spaces also strongly affects how the aforementioned technologies work, and therefore must be worked out hand in hand with the security solutions under consideration.

Conclusion

Developing and managing a security program requires an organized approach, inclusive of the stakeholders, processes and supporting technologies. A documented governance plan defines the people and policies of the security organization.

An engaged process creates the right tools for communication, escalation, decision making and cross functional collaboration. Properly vetted technologies that meet the right functional requirements can provide effective protection and proactive risk mitigation.

The right balance of people, process, and technology can therefore help build, manage and sustain an effective security program for a security organization that has leadership buy-in, employee engagement and sustained longevity through its lifecycle.


The 7 Elements of an Effective Security Plan

Published Thu, 21 Apr 2022 at http://atriade.com/seven-elements-of-physical-security-plan/

Part 1: People Strategy, Process, and Governance

While every security plan will have its own nuances, given the unique details and challenges found in different organizations, our extensive experience in the security field has led us to the conclusion that any good security plan must have seven elements: people strategy, process, governance, awareness, training, technology and lifecycle management.  

Before moving into specifics, let’s start with some overarching thoughts about security plans in general.  

All organizations, no matter what size, will benefit from having a cohesive, forward-looking security plan. In our experience, however, we find many plans are not up-to-date or practical, and they have been siloed, meaning there is not actually an orchestrated plan in place.  

It’s rare for organizations to have all seven pieces of a good plan in place — most times there are gaps — and often the plan goals are misaligned.  

For example, mitigating risk should be at the core of any security plan, rather than focusing on any one element, such as installing cameras. 

In this 3-part series, we will define the seven key elements an effective physical security plan should contain. 

01: People Strategy

When we say, “people strategy,” we mean two things: a plan for onboarding, growth, and offboarding as well as a staffing model that includes requirements and resources.  

We commonly find organizations do not have data to indicate what staffing levels they need, and they lack workload calculations to inform decision-making. 

A data-driven staffing model is an excellent tool to drive people-focused decisions, since it will forecast operations, measure workloads in time (frequency x resolution time), and identify capacity in time by resources.  

To create this model, the data needed include a task inventory — frequency of each task, its resolution time and its resource impact — and the capacity of resources (administrative and human time).

The organized data collection process required for this effort has three stages: 

Define Your Scope

  • Ensure you’re gathering valuable data points that are relevant to your business
  • Define measurements carefully and clearly to get useful metrics
  • Identify and/or develop quality data sources that can be leveraged as needed in the future
  • Use segments to simplify your analysis and avoid flawed correlations

Develop an accurate task inventory 

  • Task data — criticality, resources impacted, systems used
  • Time to resolve each task
  • Frequency of each task over time

Collect data

  • Establish a consistent timeframe to gather task frequency
  • Conduct time trials and capture challenges
  • Build data collection into operations to make it part of the team’s culture
  • Use all available data sources and make sure they are valid

We have gained many insights from seeing this process roll out, beginning with the importance of starting small and evolving while standardizing data collection.

And when it comes to workload measurements, we suggest taking the time to collect large enough data sets to provide more accurate mean values and identify outliers that may potentially skew your results.

Beware of capacity traps!

When trying to calculate human capacity, remember that an eight-hour workday does not equal eight hours of capacity. You need to account for several possibilities including lunch, breaks, meetings, email, and think time.  People are not machines moving uninterrupted from task to task and will never provide a full eight hours of capacity.   

We also recommend using external resources to assist with the modeling process, as that objectivity can be invaluable, and focusing on holistic solutions to issues that arise in the areas of process and technology. 
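As an added example (not the article's or Atriade's own code), the staffing model described above in Python: workload is computed as frequency x resolution time from a constructed task inventory, outlier time trials are discarded with a median-absolute-deviation rule (my choice; the article names no method), and the naive 40-hour week is contrasted with overhead-adjusted capacity. All task names, frequencies, durations and overhead minutes are constructed placeholders.

```python
import math
from dataclasses import dataclass
from statistics import mean, median
from typing import Dict, List, Tuple


@dataclass
class Task:
    name: str
    per_week: float          # observed frequency: occurrences per week
    trials_min: List[float]  # time-trial durations in minutes, one per trial


def robust_resolution_minutes(trials: List[float], k: float = 3.0) -> Tuple[float, List[float]]:
    """Estimate a task's resolution time while discarding outlier trials.

    A trial is treated as an outlier when it lies more than k median absolute
    deviations (MAD) from the median (k=3 is a conservative choice; the rule
    itself is an assumption, the article names no method). Returns
    (mean of retained trials, trials that were dropped).
    """
    if not trials:
        raise ValueError("at least one time trial is required")
    med = median(trials)
    mad = median(abs(t - med) for t in trials)
    if mad == 0:  # trials are (nearly) identical: nothing to drop
        return mean(trials), []
    kept = [t for t in trials if abs(t - med) <= k * mad]
    dropped = [t for t in trials if abs(t - med) > k * mad]
    return mean(kept), dropped


def effective_hours_per_person(shift_hours: float = 8.0, days_per_week: int = 5,
                               lunch_min: int = 30, breaks_min: int = 20, meetings_min: int = 40,
                               email_min: int = 30, think_min: int = 30) -> float:
    """Usable task hours per person per week after the capacity traps the article
    names (lunch, breaks, meetings, email, think time).

    The overhead defaults are constructed placeholders; measure your own.
    """
    overhead_h = (lunch_min + breaks_min + meetings_min + email_min + think_min) / 60
    return days_per_week * (shift_hours - overhead_h)


def weekly_workload_hours(tasks: List[Task]) -> Tuple[float, List[dict]]:
    """Workload in hours per week: sum over tasks of frequency x resolution time.

    The per-task rows record which trials were excluded and what a naive mean
    would have given, so the outlier effect is visible in the report.
    """
    total = 0.0
    rows = []
    for t in tasks:
        res_min, dropped = robust_resolution_minutes(t.trials_min)
        hours = t.per_week * res_min / 60
        rows.append({
            "task": t.name,
            "resolution_min": round(res_min, 1),
            "naive_mean_min": round(mean(t.trials_min), 1),
            "dropped_trials": dropped,
            "hours_per_week": round(hours, 2),
        })
        total += hours
    return total, rows


def staffing_report(tasks: List[Task], per_person_hours: float) -> Dict[str, float]:
    """Contrast the naive headcount (8 h x 5 days = 40 h of capacity per person)
    with the headcount implied by overhead-adjusted capacity."""
    workload, _ = weekly_workload_hours(tasks)
    naive_capacity = 8.0 * 5
    return {
        "workload_hours": workload,
        "naive_headcount": math.ceil(workload / naive_capacity),
        "effective_hours_per_person": per_person_hours,
        "effective_headcount": math.ceil(workload / per_person_hours),
    }


# Constructed task inventory: illustrative figures, not measurements.
SAMPLE_TASKS = [
    Task("Badge access request", 200, [10, 11, 12, 10, 13, 45]),
    Task("Alarm response", 60, [25, 30, 28, 27]),
    Task("Visitor pre-registration", 300, [5, 5, 6, 5, 4]),
    Task("Camera health check", 5, [40, 42, 38, 120]),
]

if __name__ == "__main__":
    total, rows = weekly_workload_hours(SAMPLE_TASKS)
    for r in rows:
        print(f"{r['task']:<26} {r['resolution_min']:>5} min "
              f"(naive mean {r['naive_mean_min']}, dropped {r['dropped_trials']}) "
              f"-> {r['hours_per_week']} h/week")
    print(staffing_report(SAMPLE_TASKS, effective_hours_per_person()))
```

With the sample inventory the naive 40-hour assumption yields three staff while overhead-adjusted capacity yields four, which is the capacity trap in numbers.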

02: Process

A process is defined as a series of operations that achieves the desired goal in a consistent fashion. A good process requires structured and holistic thinking, as well as an objective, resources, actions, and timing.

We commonly find organizations have processes that are not well defined, and they are often not helpful to the people who need them. It is critical to develop a formalized process management plan, so the right people get the right information when it is needed.

While every organization is different, we often recommend that processes be approached in two ways: Process Planning and Process Delivery.

Process Planning

Process planning has four elements: inventory, assessment, change management, and feedback. These four elements help take a holistic approach to process planning.

  • Inventory involves category, process data, priority/criticality, timing and form. Having a clear picture of your processes helps you understand their value and measure their impact. It also helps keep a review cadence and prioritize process needs.
  • To ensure the security process is continually improved upon, a formalized assessment strategy should be implemented. This strategy should include evaluating all elements of a process from value to performance. Value tests should determine whether the process aligns with the mission, mitigates risk or adds value. Performance tests should consider functional success, support by stakeholders, as well as what kind of feedback it generates. Those deemed to be failing can be updated with new steps, retired as legacy processes or transferred to another team.
  • Managing change is critical to operational success. Business requirements and risks change over time and the security operation and process needs to align accordingly. The change management process should not be limited to technologies. Changes made to process should be carefully considered. Organizations should formalize this effort and consider process onboarding and offboarding, approvers and approvals.
  • The people who utilize your processes will understand them best. Particularly where they succeed and fail. Often your best sources of information aren’t involved in strategy meetings, so it’s important to develop an effective feedback process. Create a feedback strategy and mechanism that is transparent and inclusive. In cases where anonymity is preferred, allow that as an option.

Process Delivery

Process delivery should be focused on delivering the right content to the people who need it at the time they need it. The content delivery ecosystem should be easy to use and we recommend considering three areas of focus:

Categorize Information 

  • Create and categorize information into layered content to ensure it is delivered to the right audience.
  • Strategic and tactical information should be available to leadership and managers who are leading or driving the organization.
  • Task data should be made available to the users conducting day-to-day operations.
  • Division of content can help create “need to know” channels and also ensure that people see what they need to see and are not overwhelmed by information that isn’t relevant to them.

Content Management Process

  • Develop an organized content management process to maintain accuracy and consistent access to information.
  • Creating a single, consistent source of processes limits search time.
  • Developing policy and version control to ensure no rogue versions of process documentation circulate is important for the consistency of information.

Appropriate Tools

  • Utilize appropriate process tools to deliver data quickly and efficiently.
  • Prior to tool selection, ensure you complete a comprehensive requirement gathering exercise to ensure that the technology you select works for all team members.
  • Focus on creating a good user experience to limit workarounds generated by inconvenience or poor access control.
  • Make sure any technology you select is appropriate to your team’s skillset to ensure they can use it effectively.

Ultimately, the process should be well planned and delivered in a way that aligns with the organization’s requirements and culture. Creating a formalized process strategy that accounts for proper planning, assessment, change management, and an effective delivery will result in a flexible and efficient execution.

03: Governance

Having the right people and processes in place is a good start, but without proper governance, things can go awry.  

We commonly find issues involving poor or non-existent collaboration, a vague understanding of who does what, and the lack of a unified message. 

The focus of governance should be transforming siloed groups into a collaborative organization, clearly documenting roles and responsibilities, and using communications best practices.  

Also important are defining security’s seat in the C-Suite and implementing role-appropriate task management.  

Steps to build good governance include cross-functional collaboration across various departments and stakeholders, steering committees to discuss multi-disciplined goals and objectives, and a vertically aligned organizational structure to provide uniform communication and escalation means.

Organized Program 

  • Creating an organized and strategic program to share information across disciplines helps align organizational priorities, reduce redundant efforts, and collaborate on projects jointly. It builds the necessary trust to execute operations and projects efficiently.

Steering Committees

  • Steering committees add a layer of executive buy-in and drive long-term objectives. They provide the security management organization an opportunity to build strategic programs with proactive executive adoption and sponsorship.
  • Steering committees can also help the security leadership to be in tune with the organization’s objectives.

Vertical Alignment 

  • Vertically aligned organizations are important in developing a uniform set of policies, communication, and escalation procedures.
  • Once combined with cross-functional collaboration and steering committee structure, a properly vertically aligned security organization can really achieve effective and efficient means to share information, transfer knowledge and resolve issues.

Key Takeaways

IoT can be invaluable when dealing with changes to a device state, as having an integrated work order solution and knowledge base with FAQs can result in streamlining the work order generation process. This may facilitate the ability to move tickets between categories, assign tickets to specific staff members, link or split requests based on their subject, and do a mass reply to multiple requests. Integrating alarm response with work order ticketing is rare today, but we consider it to be a solid strategy with next-generation solutions. 

People Strategy

  • Develop a clearly defined strategy for staffing that takes into consideration not just skillsets but a balanced, measured workload to ensure resources are utilized efficiently

Process

  • Create a process ecosystem that delivers the right information to the right people when they need it. Change management for processes should be well designed and properly implemented.

Governance

  • Use governance models to transform siloed groups into collaborative teams. Develop clear communication paths and create value to be shared across the organization.

Having the right plan in place will do more than reduce risk; it will bring an organization closer together, working toward a common goal.  

Part two in this series will focus on awareness and training, and part three covers technology and lifecycle management.  

Part 2: Awareness and Training

In the second part of this three-part series on the 7 elements of an effective security plan, we drill down into awareness and training.

04: Awareness

With respect to a good security plan, awareness involves having an aligned culture, formal process, smart content, and regular outreach. At its core, it provides a blueprint on how to behave in emergency and non-emergency situations.  

Formalizing an awareness plan consists of identifying your target audience, behavior types, messaging, and timing. It’s especially important to know your audience, so you are communicating in a way that will make sense and resonate with them.  

Other aspects of awareness are:

  • Type of end-users and physical portfolio
  • Developing partnerships
  • Recruiting executive sponsors
  • Determining content delivery via traditional channels, digital and social media, and event signage

Your all-encompassing goal should be to establish a culture of safety, not surveillance. Negative sentiment can make it difficult to develop relationships and establish and maintain partnerships.  

Getting buy-in from leadership is extremely important to help gain consensus and adoption.

05: Training

Any security plan will experience challenges if team members haven’t been appropriately trained in what their roles are with respect to organizational safety. When training does take place, it often isn’t done with much specificity, and that is a mistake.

It’s critical to customize all training to the specific audience since not all risks apply to everyone.

From a user engagement perspective, you’ll be best served by employing a variety of training channels, such as:

  • Town halls
  • Social and digital media
  • Social events   

Using a mix of traditional and modern tools—apps, messages and notifications, and events and programs—ensures your training efforts will reach all audience members.  

It’s also invaluable to create a feedback and refresh loop, to gather insight and ensure safety-related information is available on an ongoing basis. 

While technology has its advantages, especially in a distributed workforce, some training still must be conducted in person. This is the case with fire evacuation and other types of life safety training, including workplace violence and first aider training. These situations require a person to be able to clearly navigate different elements in their environment and to potentially help others during high-stress situations.  

Ensuring that team members are present to participate in these types of training is critical to emergency response.

Key Takeaways

Awareness

  • Develop an awareness model that leverages directed content and regular outreach to create a culture of safety and security.

Training

  • Create useful training that empowers employees and is tailored to the audience to help improve performance metrics.

Having the right plan in place will do more than reduce risk; it will bring an organization closer together, working toward a common goal.  

Part one in this series focuses on people strategy, process, and governance. Part three will cover technology and lifecycle management.  

Part 3: Technology and Lifecycle Management

In the third part of this three-part series on the 7 elements of an effective security plan, we drill down into technology and lifecycle management. 

06: Technology

The biggest issue when it comes to technology in a security plan is how to choose and deploy the right system.  

Shopping without clearly defined requirements can result in purchases being made that are not necessarily aligned with specific needs. 

To avoid making an unfortunate—and likely expensive—mistake, your journey to a technology purchase should begin by understanding your current state and developing your functional requirements.

You want to ensure you leverage existing systems and parallel efforts and align your goals with business and technical roadmaps. It’s important to understand market trends and eliminate noise as you evaluate and validate new technologies as well as establish a short- and long-term roadmap. 

Some questions to ask yourself along the way include:

  • What are my risks?
  • Can my existing portfolio mitigate these risks?
  • What is my risk tolerance?
  • What are my peers doing? Will it work in my environment?
  • How do I responsibly deploy it?

Rather than getting overwhelmed by the bells and whistles available, it’s invaluable to make a data-driven business case based on actual incidents. Once you have that deep knowledge in hand, you’ll be able to choose technology with surgical placement in mind. Metrics always resonate. 

Technology trends to watch for include consumer trends like mobile, cloud, frictionless, health and wellness, identity and access management, the truth about privacy, and user experience.  

Once you have made your decisions, an informed five-year deployment plan that consists of technology elements, costs, and a specific rollout schedule will be critical to your success moving forward.

07: Lifecycle Management

Atriade conducted a poll on LinkedIn asking: “What Lifecycle Management Process Do You Use?”

Because the management of the security technology lifecycle poses a substantial challenge for many organizations, we wanted to understand how they were approaching the process itself. We see this gap causing budgeting challenges and difficulties in making business cases for upgrades.

The results of our poll reinforced our understanding of the current marketplace for security technology lifecycle management. 

A majority of respondents (65%) are using a formalized tool, but a significant portion of the marketplace (35%) is using a manual process or has nothing at all.

Perhaps the rarest component of a good security plan is lifecycle management. If it’s done at all, it’s usually done poorly; current practices often use an Excel spreadsheet and rely solely on discoverable assets.  

Given the significant investment made in security technology, it is surprising how many organizations experience challenges in this area, when a small investment of $20,000–$30,000 would ensure forward-thinking data is available. 

An in-depth lifecycle plan has three components:

Importance 

  • Mission-critical
  • Awareness of current state
  • Proactive planning of future state
  • Funding and administrative roadmap

Elements 

  • Technology
  • Maintenance
  • The useful life of technology
  • Licenses
  • Policies
  • Funding pipeline

Future State 

  • Facilities management
  • Inventory management

To provide a simplistic example of necessary future thinking, if you plan to replace your technology every five years, and it takes one year to get funding, the actual lifecycle of your equipment is four years.  

Asset management is a built-in cost of doing business, and in an area like security, where falling behind can inherently be unsafe for the organization, it’s well worth investing in. 

Key Takeaways

Technology

  • Invest the time to clearly define requirements and develop a clear plan for deployment that considers risk and is appropriate to the culture of the organization. Deploy technology responsibly.

Lifecycle Management

  • Create an operationalizable lifecycle management plan that helps keep technologies secure and provides budget forecasting to maximize value to the organization.

Having the right plan in place will do more than reduce risk; it will bring an organization closer together, working toward a common goal.  

Part one in this series focuses on people strategy, process, and governance. Part two covers awareness and training.  

If you’d like to have the full series of 7 Elements of an Effective Security Plan as an ebook, click here.

Learn more about how Atriade can help mitigate your security risks. 

Follow our company page on LinkedIn


Mohammed Atif Shehzad

Reese Huebsch – CERT Insider Threat Certified

Saif Nomani
