How to create a strong security program using the 4 P’s

For anyone looking to further improve their security setup

To properly secure your workplace, it’s not enough to have top security equipment and enforcement in place. Many companies only focus on prevention measures, using layers of technology as their protective armor.

However, even the best electronic locks, cameras, alarms, and visitor management systems will not be effective if you don’t have a policy in place that guides people towards the right behaviors and responses to workplace security.

One of the most important parts of your security strategy is keeping your people safe. This requires a policy that is integrated into, not only the physical workspace, but also the unique culture of your company.

To create a strong security program which integrates both prevention and response use the 4 P’s: policy, procedure, plan, and practice.

Policy

Your policy should embody the core principles of your security program and layout the mentality your company takes towards security.

This should include any compliance and regulation measures you must follow, such as fire safety requirements. It should also outline any industry specific regulations. If you’re a tech company, this could be any security protocols you must follow regarding the handling of user information. If you work in the manufacturing industry, this could be worker safety regulations.

Beyond external measures, your policy should include your company’s specific governing security rules and do’s and don’ts. This statement should guide your company’s beliefs and mentality towards security, therefore, it should align with your company’s culture and values.

If providing great customer service is one of your values, emphasize your company’s commitment to keeping client’s personal data safe through your security policy. If innovation and creativity are your company’s trademark, focus on the need to create a secure work environment for ideas to flourish and grow.  

Finally, it’s important to highlight how important your employees’ cooperation is to a successful security program. Everyone plays a role in keeping the workplace safe.

When drafting your policy, make sure to address:

  • Why you need a policy
  • Industry specific compliance and regulation measures
  • Governing company security policies and do’s and don’ts
  • How your security policy ties to your company’s culture and values
  • How people’s awareness and actions contribute to a safer work environment

As your policy contains your core security principles, it only needs to be reviewed once a year.

Procedure

If your policy is what you believe in, your procedure is how you carry it out. This part of your security program should detail exactly how to carry out your security policy on a day to day basis, including how to report incidents, access control/visitor policies and end of day checklists.

Procedures should be as detailed as possible, informing everyone how they should respond in a given situation. If someone is expecting a visitor, how do they let security know? What information will they need to provide? Does someone have to be responsible for meeting and signing them in at the door?

These are all questions that, if left unanswered, can easily lead to a security gap.

Make sure to identify who is responsible, when this procedure should be used and the steps that should be followed. For example:

Your access control policy should include

  • A procedure for entering the building after hours
  • How to keep codes and keys safe from theft
  • Who to report lost or stolen keys to

Your visitor policy should include:

  • Who is responsible for signing visitors in
  • How and where the procedure takes place
  • Any security procedures visitors and their hosts must follow while in the building

Your security procedure should be a living document that is continuously audited to account for the discovery of any new gaps, risks or updates in technology. Make sure to inform your employees and staff when an update has been made.

The best way to remain consistent is to keep a record of the dates on which your procedure was last updated and tested within the document.

Keep in mind, no exceptions can be made, even and especially for the executive level. Making even one exception can lead to a more relaxed response to security procedures. To ensure safety measures are taken seriously, it’s imperative that the executive level, not only endorses your security program, but also leads by example.

Plan

Your plan outlines the steps to take in the event that an incident does occur. Depending on the specific situation and the team or location involved, you may have different contingency plans in place, however, there are two common questions which must be answered:

  1. What is the escalation path and who has the ultimate decision-making authority?

The time it takes to resolve an incident is directly related to the time it takes to reach the right decision-maker. There should be one point of contact who is charged with taking ownership of your security policy. This means ensuring the plan is being carried out correctly and providing answers to any security questions.

        2. If necessary, where should people be relocated to?

In the event that people need to be evacuated to another part of the building or off site to a secure location, it’s essential that everyone knows where they need to be in an emergency.

Having a clear plan and designated authority in place will help to keep the situation calm and under control.

Practice

The final step you need to really drive home your policy, procedure and plan is practice. It’s not enough to have your security program written out. When a situation happens, panic can sometimes cloud people’s response and decision-making ability. That’s why physically going through the steps in an unstressful simulation can prepare people for the real thing.

Practicing allows you to:

  • Ensure everyone knows what the procedure and contingency plans are, how to follow them and who to go to in the event of an emergency.
  • Identify any gaps in the security program.
  • Demonstrate to your employees and staff how seriously security measures should be taken.

Develop a training curriculum to familiarize employees and staff with the skills they need to prevent and handle emergencies. Ensure these learnings stay fresh in people’s minds by running security drills on a bi-annual or yearly basis.

Following the 4 P’s will help you create a strong and effective security program. Once this is in place, it’s important to keep communicating regularly with your people about security. Send out advisories and let them know if policy or procedure changed for any reason. Remind them early and often how vital their participation is in helping keep the company safe.

Michael Ginty
Vice President of Security at Bannerman
Mike Ginty has  dedicated  his  career  to  safety  and security. He started out as a Special Agent and Officer in the  US  Air  Force,  investigating  felony  level  crimes  and matters  of  national  security,  as  well  as  providing anti-terrorism support to force protection overseas.  After leaving the military, he spent time as a contractor with the Department of Homeland Security before beginning his career in corporate security.

Mike  is  a  veteran  of  both  the  security  and  technology industry. He managed Security Operations at Apple, and was  the  founding  member  of  the  safety  and  security team  at  Uber  and  helped  keep  employees,  riders  and drivers  safe  while  the  company  scaled  from  60  to  280 cities worldwide. Mike then became the Head of Safety, Security, and Facilities at AltSchool, where he rolled out a whole new vision of keeping kids safe in and out of the classroom.

Mike  possesses  a  keen  ability  to  evaluate  risk  and implement  right-sized  security  solutions.  He  prides himself  on  a  technology  forward  approach  to  security and  as  such  has  distinguished  himself  as  a  security industry  leader  in  Silicon  Valley. He  has  advised numerous  properties,  organizations,  and  companies,  as well  as  private  organizations  and  family  offices.  He regularly publishes and speaks on topics regarding safety and security.

Mike  as  has  a  BA  from  Boston  College,  and  MA  in National  Security  from  the  Naval  Postgraduate  School, and an MBA from the University of San Francisco.