When developing a master plan, security managers should consider strategic objectives that have proved to be effective in the past:
The ability to recognize and then mitigate emerging threats, both natural and man-made, can be enhanced through a variety of initiatives. Surveillance systems, credentialing programs, access control technology, and decision support tools can significantly enhance risk management functions.
Making certain that a security strategy includes clear, unambiguous guiding principles and objectives will contribute significantly towards cultivating a security culture.
In order to focus resources on the most relevant security challenges, managers must guide their enterprises away from the notion that security spending is only an expense to be minimized. To develop a culture of security, master plans should support security initiatives as an investment, not an expense.
Positioning a business to take advantage of all available technology resources, including emergent breakthrough solutions, provides security managers with open access to critical resources that can have a force multiplier effect.
Training and exercise programs continue to provide a good return with regard to risk mitigation. Developing a standard training program, based on security best practices, is key to optimizing security posture and increasing security awareness.
Risk cannot be eliminated, only managed, and no security program is foolproof. Security command and control centers, data management and information sharing capabilities, and technology tools that facilitate decision-making all contribute towards the response and recovery process.
Security initiatives should be managed on a continual basis. Security professionals should aggressively pursue investments and initiatives that optimize their security posture and provide a positive return on investment.
An effective master plan requires that existing security capabilities and resources are directly aligned with strategic objectives. Participation and buy-in from relevant stakeholders are essential.
By focusing on continual, incremental improvement, any firm can develop a solid foundation for responding to security incidents.