Questions To Consider For Advancing A Security Program

Mar 2025

In the same discussion that led to the creation of the playbook for force multiplying security, we also chatted about the known, yet unofficial, rules of fighting:

While those rules were already factored in when I wrote the Security Program Philosophy, I think that, given the current times the world of security finds itself in, it’s time to add some questions that can be used to move the program forward, improving the fighting position, utilizing all advantages, and pushing situational awareness forward.

The questions to ask would be:

  1. What are the most significant risks facing the company/organization/world today?
  2. How do we maximize our ability to mitigate those risks?
  3. And, where should we invest and where should we cut to maximize our smaller and smaller budgets to succeed in mitigating risk while making security more nimble, less complex, and efficient?

Think about it: one of the basics of a security program is to systematically uncover, track, and minimize risk, and we are constantly being asked to do a lot more with less. It’s critical, then, that we go through the OODA loop of risk management faster so we can gain the situational awareness we need, while at the same time being able to orient the program where it needs to go, utilizing the right people with the right tools, and force multiplication.

Asking these three questions is the first step to get to the next stage of your program, especially if it’s slow-moving and stuck in a compliance-led approach.

Ask the questions, take notes, and then use common sense.

Yes, you read that right, common sense. Yeah... It’s not that common anymore.