Developing a Comprehensive Security Program Developing a Comprehensive Security Program Elements, Characteristics, and Leadership Bob Hayes, Kathleen Kotwica, and Elizabeth Lancaster AMSTERDAM(cid:129)BOSTON(cid:129)HEIDELBERG(cid:129)LONDON NEWYORK(cid:129)OXFORD(cid:129)PARIS(cid:129)SANDIEGO SANFRANCISCO(cid:129)SINGAPORE(cid:129)SYDNEY(cid:129)TOKYO Elsevier TheBoulevard,LangfordLane,Kidlington,Oxford,OX51GB,UK 225WymanStreet,Waltham,MA02451,USA Firstpublished2014 Copyrightr2014TheSecurityExecutiveCouncil.PublishedbyElsevierInc. Allrightsreserved. Nopartofthispublicationmaybereproducedortransmittedinanyformorbyanymeans, electronicormechanical,includingphotocopying,recording,oranyinformationstorageand retrievalsystem,withoutpermissioninwritingfromthepublisher.Detailsonhowtoseek permission,furtherinformationaboutthePublisher’spermissionspoliciesandourarrangement withorganizationssuchastheCopyrightClearanceCenterandtheCopyrightLicensingAgency, canbefoundatourwebsite:www.elsevier.com/permissions. Thisbookandtheindividualcontributionscontainedinitareprotectedundercopyrightbythe Publisher(otherthanasmaybenotedherein). Notices Knowledgeandbestpracticeinthisfieldareconstantlychanging.Asnewresearchand experiencebroadenourunderstanding,changesinresearchmethods,professionalpractices,or medicaltreatmentmaybecomenecessary. Practitionersandresearchersmustalwaysrelyontheirownexperienceandknowledgein evaluatingandusinganyinformation,methods,compounds,orexperimentsdescribedherein. Inusingsuchinformationormethodstheyshouldbemindfuloftheirownsafetyandthesafety ofothers,includingpartiesforwhomtheyhaveaprofessionalresponsibility. Tothefullestextentofthelaw,neitherthePublishernortheauthors,contributors,oreditors, assumeanyliabilityforanyinjuryand/ordamagetopersonsorpropertyasamatterofproducts liability,negligenceorotherwise,orfromanyuseoroperationofanymethods,products, instructions,orideascontainedinthematerialherein. BritishLibraryCataloguing-in-PublicationData AcataloguerecordforthisbookisavailablefromtheBritishLibrary LibraryofCongressCataloging-in-PublicationData AcatalogrecordforthisbookisavailablefromtheLibraryofCongress ISBN:978-0-12-801222-2 FormorepublicationsintheElsevierRiskManagementandSecurityCollection, visitourwebsiteathttp://store.elsevier.com/SecurityExecutiveCouncil. EXECUTIVE SUMMARY Security Executive Council members are frequently asked, “What does a model security program look like?” In Developing a Comprehensive Security Program, presenter Elizabeth Lancaster answers this question by utilizing the collective knowledge of the Council’s faculty and mem- bers. This seven-minute proven practices presentation includes baseline security program elements, business-aligned program elements, pro- gram characteristics, a program maturity model, and the skills and knowledge needed by the security department. Developing a Comprehensive Security Program is authored by Bob Hayes, Kathleen Kotwica, and Elizabeth Lancaster. The information in this presentation was collected in various formats, including previ- ous Council research, interviews, strategic plan samples, and other doc- umentation from world class operations. It was also industry validated by leading security practitioners. This high-level overview of what comprises a security program can be used by security managers, busi- ness leaders, and students in security programs. WHAT ARE PROVEN PRACTICES? Proven practices are visual PowerPoint presentations with audio narra- tion that provide proven concepts and practices for security and busi- ness professionals seeking new and creative ways to understand and shape security. Proven practices have been created by experienced prac- titionersofleadingorganizationsanddescribeconceptsorpracticesthat have been successfully implemented and are proven to work. They pro- vide a framework that can be quickly customized and incorporated to meetthespecificneedsofanorganizationanditsculture. Practitioners use proven practices to learn about applications, pro- vide staff training, or create organizational awareness. Educators enhance current curriculums by adding real-world insight and work- place context from relevant practitioners who have held positions simi- lar to those students are preparing for. Proven practices can be utilized to enhance course offerings as a “guest lecture” option. Developing a Comprehensive Security Program: Elements, Characteristics, and Leadership A PROVEN PRACTICES PRESENTATION doi:http://dx.doi.org/10.1016/B978-0-12-801222-2.00001-5 ABOUT THE AUTHORS Bob Hayes has more than 25 years of experience developing security programs and providing security services for corporations, including eight years as the CSO at Georgia Pacific and nine years as security operations manager at 3M. His security experience spans the manufacturing, distribution, research and development, and consumer products industries as well as national critical infrastructure organiza- tions. Additionally, he has more than 10 years of successful law enforcement and training experience in Florida and Michigan. Bob is a recognized innovator in the security field and was named as one of the 25 Most Influential People in the Security Industry by Security Magazine. He is a frequent speaker at key industry events. He is a leading expert on security issues and has been quoted by such major media outlets as the Wall Street Journal and Forbes. Bob is currently the managing director of the Security Executive Council. Kathleen Kotwica has a PhD in experimental psychology from DePaul University and has had a career as a researcher and knowledge strate- gist. Her experience includes positions as information architecture con- sultant at a New England consulting firm, director of online research at CXO Media (IDG), and research associate at Children’s Hospital in Boston. She has authored and edited security industry trade and busi- ness articles and spoken at security-related conferences including CSO Perspectives, SecureWorld Expo, ASIS, and CSCMP. In her current role as EVP and chief knowledge strategist at the Security Executive Council she leads the development and production of Council tools, solutions, and publications. She additionally conducts industry research and analysis to improve security and risk management practices. Elizabeth Lancaster is the director of member services and projects for the Security Executive Council. She is responsible for planning, pro- cesses, and project management around the member services program. Member services are meant to help Tier 1 Security Leaderst (mem- bers) quickly maximize the value of Council participation by gaining in-depth understanding of their programs, priorities, strategies, risks to 4 AbouttheAuthors business, interests and expertise. As members’ direct communication link to development of Council strategic initiatives, member services is key to the process of helping members and their staffs make an impact in the areas of security that are important to them, their business and industry. Liz has 25 years of combined risk management, business, and con- sulting experience in investigations, access control systems, design and project management, security server finance, sales and administration, commonwealth and public/private corporation emergency response planning, uniform guard services, corporate security staff training and development, executive travel safety, and risk assessments. She has held positions with the Massachusetts Department of Correction; assigned to the Office of Investigations institutional inter- nal affairs division; Applied Risk Management LLP as a senior techni- cal consultant; Boston Scientific Corporation as manager of security integration and investigations; Astra Pharmaceuticals LP as security project leader; and Stratus Computer, Inc. in continuous availability server sales and finance. Liz holds a Master of Arts, 1995, and a Bachelor of Science, 1992, in Criminal Justice Administration from the University of Massachusetts. She is a member of the Women in Criminal Justice Organization, Risk Analysis Group Integrated Risk Solutions, Balanced Scorecard Collaborative, and ASIS International. She is also Council Staff Editorial Advisor for Security Technology Executive magazine and has authored several articles in industry trade magazines.