At the risk of stating the obvious, the first step to effective security risk management is to have a strategic plan. It doesn't have to be complex, but it does have to be contextually relevant.
A Strategic Security Risk Management Plan is really a foundation document that serves to communicate the issues that are important to the organisation from a security risk management perspective, and how you plan to address them. It should link the security program very clearly to wider corporate (or government) strategies. Such linkages can be crucial in justifying budget allocations, and the plan should form the basis for operational security planning and decision making. Figure 1 shows an example in a government context (education).
Figure 1 - Strategic Linkages
So what goes into a Strategic Security Risk Management Plan?
As noted above, the content of each plan is driven by context. There are loads of great books on the subject of strategic planning and I would encourage you to draw on those resources. But most importantly, locate the highest level strategic plan that has been adopted within your organisation. You need it to establish the linkages discussed above, and you should look to replicate the approach.
If your organisation's overall strategic plan uses terms like "Strategic Direction 1" or "Strategic Theme 1", then you should adopt the same phraseology. Be careful with layout and don't try to get too fancy. The most important aspect of the plan is the content - the window dressing can be applied later.
That being said, a typical Strategic Security Risk Management Plan might include:
- A Foreword written by someone important who cares about the plan (e.g. CEO, Chairman of the Board)
- A Vision statement or Aim for the plan (it is important to have a succinct strategic outlook)
- A Mission Statement
- Principles and Values that underpin the implementation of the plan
- Context statement or Illustration
- A small number of Strategic Directions / Themes / Pursuits / Goals (likely more than 2 and probably fewer than 10)
Other contents that you might want to include, depending on whether they appear in other strategic plans in your organisation:
- An introductory section giving some background and history about the plan
- Assumptions that have been incorporated into the plan
- Outline of stakeholders, roles, responsibilities, expectations
- Guidance for implementation and review (e.g. year by year priorities)
It is important to note that a strategic plan is just that: strategic. Operational plans with much more detail will be needed to put the strategic directions into practice. Again, these don't need to be complex to be effective.
Can I see an example?
The following example is adapted from a strategic security risk management plan I wrote for an education department over a decade ago; with a few tweaks it could work in similar contexts today. I am happy to put some time into adapting a complete version for public consumption if anyone is interested (contact me via LinkedIn or QR2id.com or Plot & Audit).
Having written many of these plans, I hasten to add that you really need to understand your context and avoid tapping a square peg into a round hole; someone will notice! The plan I am using for this example had five strategic directions:
1. Safe and Secure Environments
2. Focus on Security
3. Awareness
4. Fiscal Responsibility
5. Best Practice
For illustration purposes, we will take Strategic Direction 3: Awareness. The outcomes described for this strategic direction might be stated as:
All stakeholders are made conscious of, and accept, their roles and responsibilities in reducing the risks to people, information and physical assets. ©
The plan then describes a number of objectives to achieve the described outcomes. Strategic responsibilities for the various objectives are also assigned and there is a need to document the process that will be used to measure success in achieving each objective.
Figure 2 - Example Strategic Direction
There are several more objectives that might be relevant to achieving the outcome described for the above example. For example, providing access to resources and support, or integrating security risk management into the professional development curriculum. In drafting your strategic security risk management plan, you need to work through what is needed in your context.
If you need a reason beyond the obvious, a strategic security risk management plan buys you time to get other critical documentation in place that is essential for addressing regulatory compliance and potentially defending litigation. Initiating a draft plan with even just the first strategic direction sets you on the path to more effectively aligning your security programs with the goals and objectives of your organisation.
If you are in the business of delivering security-related services for your clients and don't have your own strategic security risk management plan, you might want to think about writing one. Not only will it be a valuable contribution to your business planning, it can serve to demonstrate to your clients that you are serious about the management of security-related risks.