Security isn’t always simply security. You have to consider what you’re possibly securing against, as well as what you’re doing about it. “Depending on how you arrived at the list of your services,” advises the Security Executive Council, “the issue may be you are only providing discrete security services and not an overall comprehensive security program.”
Definitely, there are key distinctions between security services and a security program. “Do you really have a security program and are you managing program results?” is the Executive Council’s key question.
A security program has to do with what management actually desires and the means to accomplish it. Security services, by contrast, are the “day-to-day activities that employees or contractors deliver to customers in support of security risk mitigation.” They may, or may not, be sufficient. ID badges for employees, or pre-hire background checks, for example, may well not be sufficient.
It all comes down to how risk-tolerant an organization is – once the organization fully understands the risks of not being wary enough. Read on in the Security Executive Council’s post for a deeper understanding of true site security.