Creating Security Policies that are the Core of a Rock-Solid Corporate Security Program

Roger Goodes

Guidelines and tips for creating or modifying corporate security programs.

Among the most essential elements of a corporate security program are the policies that define the “ground rules” and structure that guide how your security department and employees across the organization help address the risks, threats and vulnerabilities that confront your people, operations and performance.

As a former corporate director of security and Special Agent in Charge and Investigator during my 26 years with the U.S. Secret Service, I paid a lot of attention to security policies. One reason I did so was that I knew from experience that security policies — whether they were comprehensive, up-to-date, clear and even flexible — had a major impact on my ability to align and coordinate resources. This was necessary to achieve a continuous stream of positive, mission-aligned security outcomes. But I also knew — and remind clients regularly about this today — that, for many organizations and leaders, security policies are rarely fully up-to-date, comprehensive, understood by all key stakeholders and put into practice faithfully.

Whether you develop these from scratch, merge policies owned by various units within the enterprise, or simply set out to audit and improve policies already established, this can be a daunting task. Here are some recommendations that can guide you as policies grow from general responsibilities to many robust supporting documents specific to your operations and goals. These are tips and suggestions I have found useful during my career — as an executive responsible for corporate security for major enterprises and as a consultant and advisor to executives facing the same challenges I did.

1. Recognize Many Different Corporate Functions ‘Own’ Security Policies

Functions apart from the security department actually author and maintain many security-related policies. The HR department, for example, needs to have clear policies on terminations — like alerting security before confronting an angry individual and ending the organization’s relationship with them. The IT department has security-related policies such as password management or policies that require enhanced physical security measures protecting data and equipment locations. And the Legal department will likely have a strong perspective on the organization’s duty to address issues such as proximate cause, duty and standards of care.

The challenge is to avoid a “siloed” approach to disparate security policies scattered throughout the organization — in different formats, physical and electronic locations — or with conflicts, overlaps or gaps across departments, business units or geographical regions. To ensure a single point-of-view for ease of access and consistency and build protocols that clarify ownership and maintenance, we recommend clients establish a centralized, electronic and web-based Master Security Policy Manual that multiple departments maintain over time.

2. Consider the Difference between Policies and Minimum Guidelines

If you’re responsible for security for a large, complex enterprise, you know how difficult it is to define a policy and require its enforcement in exactly the same way by every business division, facility type and region or country. One example is a policy requiring specific technical system requirements in new construction or renovation of certain types of facilities. These may or may not be possible due to variances in factors that range from local conditions to construction methods and materials.

Your Master Security Policy Manual should, therefore, be clear about (1) the distinction between a policy and a minimum required standard and other guidance, like a recommendation; (2) the authority or latitude an internal user has in complying with the guidance; and (3) directions on how to suggest changes in policy or request an exemption.

The most effective policies are those, for example, that define and protect a global baseline for critical practices like shatter-proof glass in the lobbies of all major corporate centers or consistency in password composition, while providing some latitude, where necessary, for local adaptation.

There are always exceptions to rules, and customizing protocols to accommodate unique circumstances is important. That’s why the format of your Master Security Policy Manual must acknowledge and reflect your need to balance standardization and specialization. But before you can determine where it’s in your interest to veer from security-related norms, you need a common baseline.

3. Remain Flexible to be a Good Partner

One of the areas often missed by security programs is being a good business partner to the rest of the company. While developing your policies, it is crucial that you don’t operate in a vacuum and think only about security. Security is a good starting point, but you also need to learn and understand what the rest of the company does and determine if or how your policies may impact them and their operations.

Identify the risks, threats and vulnerabilities and then work with the business units to determine what is acceptable. You may not be able to adjust your policy to fit their needs, but it may lead to a beneficial exception process. Being a good partner demonstrates that you see and understand the big picture of what the company’s goals are, and that you support them.

4. Target Outcomes to Support Your Business with Corporate Security Goals and Objectives

A best-in-class approach to security policies and guidelines delivers the following benefits.

  • Integration: Promotes a holistic view of your organization’s security practices and integration of these across your business divisions and functions.
  • Rationalization: Advances standardization, where appropriate, across critical security risk management domains.
  • Collaboration: Helps capture, document and improve internal security risk management best practices over time.
  • Communication: Requires various internal stakeholders of security to share best practices, resolve conflicts in policy and build consensus.
  • Efficiency: Leads to efficiencies in security processes and resourcing which, in turn, helps lower costs.
  • Alignment: Drives better alignment of security with business strategy, goals and requirements.
  • Performance: Helps define security-related roles, clarify responsibilities and manage expectations.
  • Risk Management: Improves your organization’s security risk management goals from prevention to agility in response.

While no corporation can be immune to crime or acts of terrorism, and it is difficult to completely guarantee safety in every situation, adopting these guidelines will advance a security program that reduces your risk in a structured, disciplined and cost-effective manner over time.
