Security through walking around is a growing practice that forces leaders out of their offices and onto the floors where work takes place. The FSO leaves their office and becomes engaged in relationship building activities that help increase the protection of classified information. Perhaps you have already used this term or have at least heard others refer to it on occasion. For those new to the term, it means turning off the computer and showing your smiling face. An FSO who spends most of their work day processing information at a computer does not get the full security picture. If their security policy is only a game of “gotcha” or simply conducting preliminary inquiries into violations then the organization gets just a glimpse of the value-added work of a security officer.
Security Through Walking
The FSO primarily implements and directs a security program to protect classified information. Part of that program involves collecting data, observing and improving employee activity and identifying and mitigating risks to classified efforts. Security through walking around provides a larger return on investment because it requires no additional security costs. It is not difficult to implement but the practice does require a plan. Without a plan, FSOs risk effectiveness by just milling about engaging in needless conversation and wasting everyone’s time. A purpose will keep the FSO focused as well prevent unproductive conversations. The plan doesn’t have to be complicated or lengthy. It just helps direct your purpose, attention and provides real time answers to questions about the security program’s health.
The plan should allow opportunities for the FSO to enforce the organization’s security message as well as getting to know the names and characteristics of employees, team members and executives. It also allows FSOs to get a face out there, thus creating a sense of accessibility for the very people FSOs depend on to support the security program.
FSOs should prepare to meet with staff by reviewing a prioritized list of milestones. This list could reveal a security program’s effectiveness in matters of personnel, physical, IT, privacy, proprietary and, if applicable, classified information security. FSOs should understand the policies in effect and level of security success. They should be familiar regulations and requirements that affect the company’s business and team members. If FSOs answer questions with a “best guess” or canned speech, you’ll lose credibility and cause others to doubt your abilities.
Milestones should mark success or failure indicating the security program’s effectiveness. A good resource for FSO’s use in establishing milestones is the organization’s Security Protection Plan (SPP) or the Self Inspection Handbook for NISP Contractors. Both resources describe expectations, and the walk through can be the verification. For example, suppose the SPP directs that security containers may be left open when a designated employee is available to observe it. The FSO is conducting the walk through and observes a cleared employee locking all of the security containers. The FSO greets the employee warmly. The employee says that he is unable to stick around, but is almost late for a meeting. The FSO can now validate procedures are enforced.
FSOs should anticipate both good and bad feedback. There will be some who praise security efforts and there will definitely be those who criticize or question security motives. Some criticism may be the result of an FSO personally implementing a security plan such as limiting access to formerly freely accessible areas. These objections are perfect opportunities for FSOs to explain the need for a change in security posture. For example if access has been limited, the FSO can discuss how door magnets deny unwanted and unauthorized visitors and how they reduce energy spending by $12,000 annually. Others employees may not understand having to comply with federal regulations. This is also a great time for FSOs to NOT quote regulations, but demonstrate how regulations impact the company and the benefits of compliance. If any question arises that an FSO’s research did not prepare them for, they should be candid. “I don’t know, but I’ll get back with you,” is a perfect response. The FSO should be sure to follow through and get back with the person. Likewise, if anyone requests action that the FSO can implement, they should do so in a timely manner.
FSOs should offer praise and kudos to those deserving. These acknowledgements should be offered publically and immediately. On the other hand, FSOs should avoid criticism or wry comments directed toward or about an employee who is critical, has committed violations, or just doesn’t understand security. FSOs should definitely stay away from getting into personal conversations, discussing cleared employee self-admittals, or violating privacy or Health Insurance Portability and Accountability Act (HIPAA) violations. These are better left for private, official occasions.
Security through walking around provides the FSO an excellent tool to measure the success of a security program. Asking open ended questions and developing rapport with company team members will help a security manager gain ground in selling their security program and meeting company needs. However, the FSO should plan each session in advance to prevent wasting valuable time and the loss of credibility. After the event, the FSO should write up findings, recommendations and kudos. The FSO is a manager and they represent the corporation and senior management. In this role, FSOs should keep conversations professional and avoid the temptation to get into personal conversations that violate company policy or privacy and HIPAA compliance.