Companies are always interested in saving money, but in our economic climate, more of them are trying anything and everything to raise their bottom line. Some are undergoing massive corporate restructuring, some are firing and hiring, and many are asking individual business units to make do with less. These types of situations often call for the re-engineering or from-scratch development of a security program.

Of course, companies that are not struggling also have a periodic need for a fresh approach to security. Some need a formal security program where there has never been one before. Some require security to start over when they shift departmental responsibilities and move it either out of or into the authority of another function. Some just recognize that their current programs are not adequately securing the organization and ask for a new plan, from either the existing security leader or a new one.

If you are that security leader, you have a big job on your hands. If you have been through this before, you are lucky enough to have experience — good or bad — to guide you. But if you have never been asked to develop a program, or if you are simply uncertain how to proceed, it can be difficult to find the kind of guidance you need.

Consider basing your development process on a three-phase plan that has proven itself worthwhile in several corporate redesigns. In most organizations and in most situations, you will have a good chance of success by breaking your design or redesign into four phases: inventory, interview, assessment and action.

What Do You Have to Work With?

First, you have to find out what you have to work with. If there is a program already in place, catalog the resources you have available to you. Note that this phase is important even if you have led the security function at this company for years. You may feel you know your assets inside and out, but writing them down in a document or spreadsheet should help you arrange and prioritize assets, remind you of items you have forgotten or under-used and point out any redundancies in the use of those assets.

Take a look at the existing systems, policy, personnel, culture, budget and the environment to digest change. What is the main focus of the security department now? What is the reporting structure? What is the budget and where does the money go? Does the function have any advocates within management or among the staff? Who are the primary stakeholders? Is the department outsourcing any of its processes?