What I do when I’m not on my holidays – Part 2

So, what do I actually do when I start a new contract? It depends on the type of contract. I do shorter engagements where there is a specific requirement, such as auditing security at a particular installation – perhaps ‘short’ is the wrong description, a review of the security of a company’s ocean-shipping facility can take a reasonable amount of time – but those are quite rare and usually part of a longer engagement. Short engagements usually last from a few days to a few weeks – anything more than a month and my daily rate goes down a bit to reflect the length of the contract. So, the brief for a short engagement might be something like: ‘Review the security of the corporate offices and make recommendations to improve…’

A longer engagement, such as the one I’m doing here in Kazakhstan, will probably involve a more thoroughgoing review of all of an organisation’s security measures and organisation, often, as is also the case here, including the requirement to recruit and train a new security manager. Whether it’s a long or short engagement, the first step is always the same: learn as much about the business as is possible, which, of course, depends on the time available, an hour or so of briefing for a shorter engagement up to a full week of in-depth briefs for an engagement like the one I’m in now. Then you can start.

Policy reviews are a pain in the, erm, fundament. When I got here the security policy was 51 pages long. How many people do you think read it? It is now 11 pages long and of those you only have to read five. The rest are annexes with detail that you only need occasionally – it’s enough if people know where to find what they need. You also need to make sure that the policies make sense. I also review crisis and business continuity plans and when I came to look at the plan for the aftermath of an earthquake (Almaty is in an active seismic zone), the first action to be taken was timed for ‘One hour after the Earthquake.’ So, I asked myself, which of us is going to be thinking about business one hour after a major earthquake…

Then there are the physical security reviews, as I was doing down in Uzbekistan last week, and usually the easiest part of any job. I have a number of tools I’ve developed over the years, but at my stage of the game I can usually walk through a facility and come up with a pretty good overview of its security, using the tools to make sure I didn’t miss stuff. Then there’s Information security – don’t get me started – supply chain, security arrangements with business partners and suppliers – confidentiality agreements, securing our own intellectual property and proprietary information when it has to be released to third parties – executive protection, travel security… The list goes on and it’s all important, but when all the basics have been looked after, the really important work starts…

6 thoughts on “What I do when I’m not on my holidays – Part 2”

  1. Thanks for this – very interesting.

    I was particularly struck by your comment that the “security policy was 51 pages long. How many people do you think read it?”

    I had so many arguments when I was writing reports with people who seemed to think that quantity (more pages of waffle) was better than quality (short and to the point). I always reckoned people took one look at the size of their reports and stuffed them to the back of the cupboard.

  2. In the days when software manuals were published in hard copy rather than on disk, I knew some people used to buy software products based on the height of the pile of instruction manuals. The lower the pile the more likely it was to be purchased.

  3. Bravo, I expect that in your biz like most others, people only read the manual after something has gone awry! Scary.
