Security and Continuity Convergence
Scott Hayes, LL.M., CPP, ABCP
Security Management | Business Continuity Planning | Transforming challenges into triumphs |
Most organizations of any appreciable size will recognize the importance of having security plans and procedures in place in the event of emergencies and will establish some type of business continuity plan to ensure their critical services and functions are maintained. But if you are a security manager in one of these organizations, do you have your own security related Business Continuity Plan (BCP), and have you exercised it? If you have that’s great! but I wouldn’t be surprised if the answer is no.
?
The BCP is often misunderstood and usually underappreciated…right up until the time you need it. I get it though, because my own foray into the world of continuity planning wasn’t due my recognition of its importance. In fact, I had never heard of business continuity planning until I was out for a coffee with the big boss at my office one day, when he mentioned the words “business continuity plan”.? I asked, “What’s business continuity planning?” to which he replied, “Funny you should ask, you are going to be the BCP coordinator for the office”. In my world, we commonly refer to this as being “volun-told”. Even in the public safety world where providing 24/7 service is the raison d'etre, continuity planning is not very well understood and therefore not really appreciated. Having been responsible for writing or advising on this type of plan, it’s my experience that many public safety managers aren’t sure what a BCP is, let alone how to write it. This can translate into poorly identified critical services, and a lack of realistic and workable recovery plans to ensure those critical services can be provided within the “maximum allowable downtime” (aka recovery time objective). As the emergency services are to the general public so is the security team to it's organization, ensuring safety and security during critical interruptions even if the interruption isn’t due to an emergency as though of in the traditional sense.
?
The security team, just like the BCP, can be misunderstood and under-appreciated, right up until it’s needed.? While business continuity and “disaster recovery” are different but with some overlap, in a more practical sense it could be thought of as contingency planning, and the “disaster” is just any significant service disruption. While it could be an actual disaster in the traditional sense, it doesn’t have to be. Really, it's anytime you can’t conduct business as usual due to some significant event or circumstance. It also doesn’t have to be directly occurring to your own office/property: there’s a fire in the building on your block and property access is impossible; there’s a massive protest on the street; you have no water due to a main break; or the electrical grid for your neighbourhood is out. ?
?
Critical services are decided by the senior leaders of the business, who will naturally tend to focus on how they keep providing the product or service that keeps money flowing in. Unless you work for a very security-centric business, the security team might not have made that list. Whether you were included or not, it’s important to ensure the most critical functions of your team can be performed and that you have planned for this eventuality.? The point of this article is not to do a deep dive on continuity planning for security teams, but broadly you should consider the following factors:
?
1.??????? What are the most critical functions your team will need to perform during a significant disruption event?
?
2.??????? What are the functions your team WON’T do during a significant event?
领英推荐
?
3.??????? What are the physical resources you need to perform these functions?
?
4.??????? Write it down! The plan is no good if it just lives in your head. Even if everyone on the team knows what to do, during an event something important may be missed if you don't refer to the plan. Make sure you can access your plan if you can’t get into your building, or your internal computer systems are down.
?
5.??????? Test your plan. You don’t have to do a full-blown simulation. Run a tabletop exercise and see if your security team can still perform their critical functions when curve balls are thrown into the mix.
?
6.??????? Revise and re-visit. Put a task in your calendar to look at your plan in six months or a year later to verify your critical functions and assumptions are still valid. If you need to use the plan in the meantime, do an after-action review to determine if something needs to be changed/modified. While you should review the plan at a regular interval, it’s a living document. If you notice a shortcoming, fix it and document it now.
?
I know the Business Continuity Plan can seem arduous, but as the security professionals in the organization, you are the ones who need to be proactive in ensuring you are able to adequately respond. When some type of business interruption event occurs, the C-suite is going to rely upon you even if they didn’t think of it when developing their enterprise BCP. When your continuity plan is good, there will rarely be accolades for handling it properly. There will almost always be criticism when it goes poorly.
Great to see you sharing your expertise through articles on LinkedIn. Looking forward to reading your insights on business continuity and security.
Campus Security Professional & Crisis Intervention Guard; Founder & Coach, SDR Security Consulting
11 个月Wonderfully written. I have spent my security career wishing that security was more involved in BCPs, if not their creation at least in their implementation. Unfortunately, as you noted, a lot of places don’t remember about the integral role security plays until they need them. As a result, guards are not equipped and ready to act. Recently I have made a personal decision to take my passion for the security industry, and help coach and mentor guards, and work with clients who employ security teams, to ensure that security is part of the BCP, and at the very least ensure that the guards themselves are equipped to acknowledge and act to the best of their abilities should the need arise.