Research has found that very few companies have a full security strategy in place, and where they do, it is rarely seen as ‘fit for purpose’.
Recent work by Perpetuity found that only one-third of organisations had a security strategy that had been approved by the Board. Many did not have specific objectives to guide the work of the security function within the organisation, and less than a third had a security strategy with measurable deliverables linked directly to organisational objectives. Furthermore, nearly two-thirds of security providers estimated that fewer than 15 per cent of their clients had a security strategy in place. In addition, where security strategies did exist, most were not deemed to be fit for purpose.
It seems clear that there are many organisations without a security strategy to guide their development. Whilst the majority of organisations seemingly do not have a security strategy, many directors recognise that they should.
Why is a security strategy so important?
Without a security strategy, it will often not be clear how the security function contributes to the overall aims of the organisation. Unsurprisingly, then, security can be marginalised, or at least fail to fulfil its potential to generate competitive advantage. A good security strategy helps an organisation to have good security management and indeed good corporate governance. A security strategy linked directly to the wider strategy for the host organisation provides direction, and also a reference point to establish priorities and guide action. This is as important for security personnel as it is for others in the organisation who are provided, via the strategy, with insights into why security is important and how it adds value. So developing a good strategy and learning how best to implement it is crucial to successful security and good business.
Security leaders need to have at least a basic understanding of strategic planning, including its development and implementation. Strategic planning is a fundamental element of successful companies and is a crucial part of managing delivery.
"If you don't have a strategy you end up being highly responsive to events."
"If you want to make sense of the world, set a direction, manage your resources effectively and understand and evaluate your work better, you need to have a strategy in the first place."
The benefits of having a security strategy
Having a good security strategy in place can provide you, your security department and the organisation with a range of (overlapping) benefits. A security strategy can:
Provide stakeholders, including the board, shareholders, staff and partners with a clear understanding of what your security function is trying to achieve and how.
Facilitate contact with the board and encourage board support for security programmes.
Help in aligning the security function with the business priorities to achieve competitive advantage.
Improve corporate resilience and sustainability.
Enable all staff, and not least managers of other functions, to better understand why security is important and how it can add value.
Provide a means of engaging with staff and managers in the aims and purpose of the security function.
Offer a framework to guide the direction and focus of your security function, and help you to allocate resources to priorities and targets more effectively.
Help you to be proactive in your response to security, anticipating security issues from emerging external threats or changes in the corporate strategy.
Help to embed security within systems, procedures and processes.
Inform budget development.
Provide you with measures from which to review the performance of your security function. (See Performance monitoring.)
Enable you to gain a detailed understanding of the environment in which your organisation operates and greater awareness of the challenges and risks you face.
Demonstrate to staff that the organisation takes security seriously. It can be a useful tool for communicating with employees to make them aware of potential security threats and associated business risks, and to obtain buy-in for the security function. (See Communicating strategy.)
Help to reduce ambiguity, provide clear management direction and commitment, and establish agreed roles and responsibilities with regard to security.
Document the value security adds to an organisation.
Aid the development of a well-designed security management approach and thereby help to mitigate your organisation’s legal and actual level of exposure to a range of security threats. In turn this can help to protect your organisation’s profit, reputation, brand, assets, customers, suppliers and employees.
"A security strategy gives a greater awareness of the challenges you are facing, a shared platform that colleagues and other departments or divisions can discuss relevant topics. A base from which you can develop resource allocation processes, a method of evaluating your successes and failures."
"A security strategy is a useful communication tool between the security department and the rest of the organisation. It allows them to see what it is you’re doing, when and it’s easier to get other organisations involved in what you are doing."
"It helps me when I’m trying to put forward a case to line management. It helps to inform them about what I am thinking, and justify the reasons why."
"A security strategy can act as a guide to action, to show the company you are adding value, to bring people on board to the security message."
"A sound security strategy impacts positively and directly upon the standing of the security function and its leadership. It embeds security within the core heartbeats of the company and dispels once and for all that the function is merely a cost centre and drain on profits."