Editor's Note: This article is the second installment of our three-part Security Program Design series from J. Nicole McDargh. Click here for part one — Mastering the First Step in Security Management: Get Your Facts Right — and part three — Presenting the Security Program: Win Leadership Buy-in.

In my previous article, we discussed the importance of gathering accurate facts and utilizing data effectively in security management. Now that there is a solid foundation of information, it is time to move forward and build a comprehensive security program.

This article focuses on the strategies that will help security leaders develop a successful methodology for thinking about, designing and ultimately presenting a security program to senior management. This can be applied to a project (new camera system) or a new program (deploying travel security). For ease in this article, it will simply be referred to as a “security program.”

1. Identify Key Objectives and Goals

Before diving into the details, it is essential to clearly define the objectives and goals of a security program. Consider the specific needs and challenges within an organization, such as protecting sensitive data, preventing unauthorized access, or responding to potential threats. By understanding these objectives, security leaders can tailor their programs and solutions to address the specific concerns of the organization and/or senior management.

2. Understand the Company Culture, Risk Profile and Senior Management’s Perspective

Understanding the company culture is essential to ensure that a security program proposal resonates with the organization and its employees. Different companies may have varying attitudes toward security, and it is important to gauge the existing mindset. It may be a good practice to conduct interviews, surveys or small, informal focus groups with employees to gain a comprehensive understanding of their perceptions towards security. This may help security leadership gauge whether security is already prioritized within the organization or if there is a need to advocate for a cultural shift toward emphasizing its importance.

Next, assessing the company’s risk profile is vital in tailoring the security program to the specific threats and vulnerabilities the organization faces. Identify the potential risks and compliance requirements relevant to the industry and how organizations are exposed within it. Evaluate previous incidents, breach trends and emerging threats that could impact the organization’s operations or reputation. This evaluation will help security leaders prioritize the security initiatives that align with the organization’s risk appetite and ensure resources are allocated accordingly.

Lastly, understanding senior management’s priorities and perspectives is crucial for building a security program in a way that resonates with their objectives. Engage in discussions, meetings or interviews to gain insights into what senior management values most in terms of security. Determine their concerns, pain points and areas of interest. This information will provide valuable guidance on how to frame the program’s design and focus, emphasizing the aspects that matter most to leadership and addressing any potential objections they may have.

3. Utilize the Power of Data

In the first article, we emphasized the importance of data in security management. Now it’s time to put that data to work in your needs analysis. Utilize relevant statistics, case studies and examples to build and support arguments and highlight the potential risks and benefits associated with the proposed security program. Data-driven insights not only strengthen security’s credibility, but also help senior management understand the potential return on investment in implementing robust security measures. If security leaders find they don’t have the facts necessary to support the program in a way that ultimately benefits the organization, based on the balancing of risk and reward, they may need to go back to step one and focus on a different program opportunity. Not all good ideas and programs are right for every organization.

4. Craft a Compelling Narrative

In my next article, I will focus on presenting the program, but in the building stage, security leaders must prep to ensure they will be successful in their endeavor to present. They will need to capture the attention of senior management. It is crucial to craft a compelling narrative that communicates the necessary cadence (e.g., is it urgent or can it happen over a period of years) and assess the necessity of the particular program. They will likely consider using real-life scenarios, anecdotes or recent security breaches to illustrate the potential consequences of insufficient security measures. So, make sure to have all the information, that it’s well supported, that it makes sense for the organization, and that the impact of the particular audience is understood. (More in article three).

5. Outline a Comprehensive Implementation Plan

A well-structured implementation plan demonstrates that security leaders have carefully thought through the steps required to execute the security program successfully. Break down the program into manageable phases, providing clear timelines, milestones and resource requirements. Outline the key strategies, technologies and training programs that will be employed to achieve the desired outcomes. This plan should be realistic, flexible and aligned with the organization’s broader goals.

6. What is the Return on Investment (ROI)?

Management is often interested in understanding the financial implications of implementing a security program. Therefore, it is important to really comprehend and balance the costs, and possible offsets, to a security program. One traditional way is to try to identify the potential cost savings from mitigating security incidents, minimizing downtime, avoiding regulatory fines, and preserving the organization’s reputation. This one can be complicated and may result in math constructs that require divination and crystal balls. Avoid unnecessary stretches of run rates imagining how to stop a thief and focus on actual events and losses if available. Avoid catastrophizing. Focus on insurance rates, property damage, previous losses, improved maintenance costs and others that are clearly quantified costs.

Security leaders can also incorporate qualitative metrics into an evaluation by providing contextual information on factors such as personnel comfort regarding their safety, customer engagement and satisfaction, or any other relevant measures that align with the organization’s objectives.

7. Build Cross-Functional Engagement

A successful security program requires collaboration across multiple departments and stakeholders. Highlight the importance of a cross-functional team in the implementation and ongoing management of the program. Identify the roles and responsibilities of each team member, emphasizing the collective expertise and contributions they bring to the table. Demonstrating a well-structured team will instill confidence in senior management that the program will be effectively executed.

Developing an effective security program involves a series of strategic steps aimed at educating senior management about the importance of investing in security measures. By following the sequential strategies outlined in this article, security leaders can craft a compelling solution that addresses the organization’s specific needs and challenges. Remember to leverage data, think from the perspective of senior management, and outline a comprehensive implementation plan that emphasizes the potential return on investment. Next time, we’ll think about how to deliver the message.