Any security strategy will be driven by the business needs of an organisation and will therefore be an essential aspect of the business cycle, particularly insofar as budget and risk are concerned. It is important, therefore, to demonstrate that the strategy is proportional to the organisation’s needs and operation, as an over-emphasis on security will be costly and will influence the perceptions and attitudes of customers, clients and employees, and could adversely impact upon the effectiveness of an organisation in delivering its core business product.

In order to ensure that there is no ambiguity or uncertainty, the strategy should clearly articulate the organisation’s culture and approach to security. The culture will reflect organisation practices and allow all parties to understand that security requires good communication across the organisation, with an opportunity for engagement and consultation. The security strategy should be driven by the senior management team, with support throughout the management structure. The security strategy should be agreed and signed off by the most appropriate level in the host organisation, ensuring that all risks are understood and the risk of non-compliance is clearly demonstrated.

The service delivery can then be managed against measurable outputs geared toward the business plan of an organisation. Any security strategy should ultimately reflect the organisation’s needs and be cost effective, while being sufficiently robust to counter the threats. A considered process of planning and consultation will ensure that security is proportional and that unnecessary and restrictive measures are not imposed upon the organisation, facilities, building construction and subsequent operation. Equally, it will ensure that security reflects the organisation’s profile and culture while remaining compliant with regulatory requirements.