Why Moving To A Risk-Based Approach Helps Business

Download PDF version Contact company

Today’s security leaders encounter many challenges. They have to operate with reduced budgets and face challenging and evolving risks on a daily basis. Security leaders are often ignored and only called upon when needed or in disaster situations. Many don’t have an ongoing relationship with the C-suite because the C-suite doesn’t understand the value they bring to the whole business.

In order to resolve these challenges, a security leader can apply a risk-based approach to their security program. According to dictionary.com, risk is “exposure to the chance of injury or loss; a hazard or dangerous chance”. Risk is broader than a security concern and involves the entire business.

Through utilizing a 3R model - considering resources, risks and resolutions - a security leader can evaluate the output from the model to build the foundation of a strong plan. This allows the leader to make security decisions based on a quantified risk measure.

A business determines what resources it wants to protect, what risks it needs to protect the resources from and what resolutions it can put in place to mitigate the risk. Decisions are based on measurable evidence. Free online risk assessment tools are available to provide a fast, easy way to determine an organisation's basic security risks through an investigative approach

The 3 Rs

The first step in the 3R model is to figure out what resources need protection. This could be physical - such as buildings, critical infrastructure or valuable equipment, knowledge-based - such as intellectual property, or organizational - such as people or governance structure. Understanding the business will help the security leader develop a list of critical elements. Look for tangible resources such as buildings and machinery, and intangible resources like reputation, knowledge and processes.

Second, determine what the resources need to be protected from. Anything that threatens harm to the organization, its mission, its employees, customers, partners, its operations or its reputation could be at risk. These can include contextual risks (workplace safety or natural disasters), criminal risks (theft or cybercrime) or business risks (compliance or legal issues).

Anything that threatens harm to the organisation, its mission, its employees, customers, partners, its operations or its reputation could be at riskFree online risk assessment tools are available to provide a fast, easy way to determine an organization's basic security risks through an investigative approach. The tools ask several questions and determine risk based on an organization’s location and the answers provided. Security leaders can also work with security companies and consultants that offer risk assessments to determine their company’s needs, and then offer solutions based on that assessment.

The third objective is to determine how businesses can best protect the identified resource. The last of the 3 Rs - resolutions - are those security activities that enable the business to mitigate the impact of security risks. Resolutions can potentially prevent a security incident from occurring, contain the impact to resources if an event does occur and also assist the organization in recovering from an impact more quickly or easily.

The first step in the 3R model is to figure out what resources need protection, this could physical such as buildings or critical infrastructure

The Path Forward

Understanding what risks a business faces in totality provides an opportunity for the security leader to collaborate with other department heads. This gives security leaders an opportunity to engage with functions outside their norm as well as a chance to demonstrate their subject matter expertise. A risk-based approach also helps security leaders fully understand an organization’s needs and concerns, which they can communicate to the C-suite to help them make better business decisions. Metrics can also help business leaders understand the cost/benefit of resolutions

C-suite and executives help define an acceptable level of security risk tolerance to resources and make quality, educated decisions about mitigating security risks. Through collaborating with security leaders using a risk-based approach and the 3R model, metrics and reports show the impact of security expenses, and there is a transparent view of security risk.

The final decision about how to mitigate and resolve risks is up to the business owner of the resource and the risk stakeholders. To obtain funding, show the risk and value of resources exposed to potential impact. Then present the recommended resolution that reduces the potential level of impact and the associated cost benefit savings. By providing this information, security leaders can ensure that the business owners can make an educated decision.

Measuring Success

A risk-based approach aligns the security mission with the organization’s mission. Security leaders should have these conversations with their business leaders on a regular basis. Understanding the thresholds of risk tolerance and showing when incidents or activities are trending outside of acceptable boundaries will help business leaders make educated decisions. The 3R model also helps a business to track occurrences, quantify the direct and ancillary impact and make continuous adjustments to the security program

Determining a baseline of acceptance gives a foundation for security leaders to point out when the organization is not meeting its own requirements. Metrics can also help business leaders understand the cost/benefit of resolutions and demonstrate when costs may be trending outside of acceptable boundaries.

The 3R model also helps a business to track occurrences, quantify the direct and ancillary impact and make continuous adjustments to the security program. It is important to note that this process is not stagnant, and needs to be constantly revisited.

Examining risks, resources and resolutions in a systematic way will help security leaders understand what they are protecting

Defining Risks And Vulnerabilities

Continuous conversations using the 3R model also help business leaders understand what security risks could interfere with meeting business objectives. It also aligns the total cost of ownership for the security program with the business value of the resources at risk. The approach puts the security risk decisions in the hands of the ones impacted by those risksAnd it defines the security role as risk management, not just task management. The approach puts the security risk decisions in the hands of the ones impacted by those risks…the “owners” of the resources.

Examining risks, resources and resolutions in a systematic way will help security leaders understand what they are protecting, what they are protecting it from, and how they can help prevent, contain or recover against a specific risk. Followers of this approach are in a better position to ask for funding because they can clearly define and quantify risks and vulnerabilities.

Applying these principles will equip security leaders with the knowledge needed to have better dialogue with colleagues in other departments, encouraging more proactive discussions about security.

Download PDF version Download PDF version

Author profile

Kim Rahfaldt Public Relations Manager, AMAG Technology, Inc.

Related companies
AMAG Technology, Inc.

View all news from
AMAG Technology, Inc.

Related links
Articles by Kim Rahfaldt

In case you missed it

How Have Security Solutions Failed Our Schools?

School shootings are a high-profile reminder of the need for the highest levels of security at our schools and education facilities. Increasingly, a remedy to boost the security at schools is to use more technology. However, no technology is a panacea, and ongoing violence and other threats at our schools suggest some level of failure. We asked this week’s Expert Panel Roundtable: How have security solutions failed our schools and what is the solution?

Why Visualization Platforms Are Vital For An Effective Security Operation Center (SOC)

Display solutions play a key role in SOCs in providing the screens needed for individuals and teams to visualize and share the multiple data sources needed in an SOC today. Security Operation Center (SOC) Every SOC has multiple sources and inputs, both physical and virtual, all of which provide numerous data points to operators, in order to provide the highest levels of physical and cyber security, including surveillance camera feeds, access control and alarm systems for physical security, as well as dashboards and web apps for cyber security applications. Today’s advancements in technology and computing power not only have increasingly made security systems much more scalable, by adding hundreds, if not thousands, of more data points to an SOC, but the rate at which the data comes in has significantly increased as well. Accurate monitoring and surveillance This has made monitoring and surveillance much more accurate and effective, but also more challenging for operators, as they can’t realistically monitor the hundreds, even thousands of cameras, dashboards, calls, etc. in a reactive manner. Lacking situational awareness is often one of the primary factors in poor decision making In order for operators in SOC’s to be able to mitigate incidents in a less reactive way and take meaningful action, streamlined actionable data is needed. This is what will ensure operators in SOC truly have situational awareness. Situational awareness is a key foundation of effective decision making. In its simplest form, ‘It is knowing what is going on’. Lacking situational awareness is often one of the primary factors in poor decision making and in accidents attributed to human error. Achieving ‘true’ situational awareness Situational awareness isn’t just what has already happened, but what is likely to happen next and to achieve ‘true’ situational awareness, a combination of actionable data and the ability to deliver that information or data to the right people, at the right time. This is where visualization platforms (known as visual networking platforms) that provide both the situational real estate, as well as support for computer vision and AI, can help SOCs achieve true situational awareness Role of computer vision and AI technologies Proactive situational awareness is when the data coming into the SOC is analyzed in real time and then, brought forward to operators who are decision makers and key stakeholders in near real time for actionable visualization. Computer vision is a field of Artificial Intelligence that trains computers to interpret and understand digital images and videos. It is a way to automate tasks that the human visual system can also carry out, the automatic extraction, analysis and understanding of useful information from a single image or a sequence of images. There are numerous potential value adds that computer vision can provide to operation centers of different kinds. Here are some examples: Face Recognition: Face detection algorithms can be applied to filter and identify an individual. Biometric Systems: AI can be applied to biometric descriptions such as fingerprint, iris, and face matching. Surveillance: Computer vision supports IoT cameras used to monitor activities and movements of just about any kind that might be related to security and safety, whether that's on the job safety or physical security. Smart Cities: AI and computer vision can be used to improve mobility through quantitative, objective and automated management of resource use (car parks, roads, public squares, etc.) based on the analysis of CCTV data. Event Recognition: Improve the visualization and the decision-making process of human operators or existing video surveillance solutions, by integrating real-time video data analysis algorithms to understand the content of the filmed scene and to extract the relevant information from it. Monitoring: Responding to specific tasks in terms of continuous monitoring and surveillance in many different application frameworks: improved management of logistics in storage warehouses, counting of people during event gatherings, monitoring of subway stations, coastal areas, etc. Computer Vision applications When considering a Computer Vision application, it’s important to ensure that the rest of the infrastructure in the Operation Center, for example the solution that drives the displays and video walls, will connect and work well with the computer vision application. The best way to do this of course is to use a software-driven approach to displaying information and data, rather than a traditional AV hardware approach, which may present incompatibilities. Software-defined and open technology solutions Software-defined and open technology solutions provide a wider support for any type of application the SOC may need Software-defined and open technology solutions provide a wider support for any type of application the SOC may need, including computer vision. In the modern world, with everything going digital, all security services and applications have become networked, and as such, they belong to IT. AV applications and services have increasingly become an integral part of an organization’s IT infrastructure. Software-defined approach to AV IT teams responsible for data protection are more in favor of a software-defined approach to AV that allow virtualised, open technologies as opposed to traditional hardware-based solutions. Software’s flexibility allows for more efficient refreshment cycles, expansions and upgrades. The rise of AV-over-IP technologies have enabled IT teams in SOC’s to effectively integrate AV solutions into their existing stack, greatly reducing overhead costs, when it comes to technology investments, staff training, maintenance, and even physical infrastructure. AV-over-IP software platforms Moreover, with AV-over-IP, software-defined AV platforms, IT teams can more easily integrate AI and Computer Vision applications within the SOC, and have better control of the data coming in, while achieving true situational awareness. Situational awareness is all about actionable data delivered to the right people, at the right time, in order to address security incidents and challenges. Situational awareness is all about actionable data delivered to the right people Often, the people who need to know about security risks or breaches are not physically present in the operation centers, so having the data and information locked up within the four walls of the SOC does not provide true situational awareness. hyper-scalable visual platforms Instead there is a need to be able to deliver the video stream, the dashboard of the data and information to any screen anywhere, at any time — including desktops, tablets phones — for the right people to see, whether that is an executive in a different office or working from home, or security guards walking the halls or streets. New technologies are continuing to extend the reach and the benefits of security operation centers. However, interoperability plays a key role in bringing together AI, machine learning and computer vision technologies, in order to ensure data is turned into actionable data, which is delivered to the right people to provide ‘true’ situational awareness. Software-defined, AV-over-IP platforms are the perfect medium to facilitate this for any organizations with physical and cyber security needs.

Securing Mobile Vehicles: The Cloud and Solving Transportation Industry Challenges

Securing Intelligent Transportation Systems (ITS) in the transportation industry is multi-faceted for a multitude of reasons. Pressures build for transit industry players to modernise their security systems, while also mitigating the vulnerabilities, risks, and growth-restrictions associated with proprietary as well as integrated solutions. There are the usual physical security obstacles when it comes to increasingly integrated solutions and retrofitting updated technologies into legacy systems. Starting with edge devices like cameras and intelligent sensors acquiring video, analytics and beyond, these edge devices are now found in almost all public transportation like buses, trains, subways, airplanes, cruise lines, and so much more. You can even find them in the world’s last manually operated cable car systems in San Francisco. The next layer to consider is the infrastructure and networks that support these edge devices and connect them to centralized monitoring stations or a VMS. Without this layer, all efforts at the edge or stations are in vain as you lose the connection between the two. And the final layer to consider when building a comprehensive transit solution is the software, recording devices, or viewing stations themselves that capture and report the video. The challenge of mobility However, the transportation industry in particular has a very unique challenge that many others do not – mobility. As other industries become more connected and integrated, they don’t usually have to consider going in and out or bouncing between networks as edge devices physically move. Obviously in the nature of transportation, this is key. Have you ever had a bad experience with your cellular, broadband or Wi-Fi at your home or office? You are not alone. The transportation industry in particular has a very unique challenge that many others do not – mobility Can you trust these same environments to record your surveillance video to the Cloud without losing any frames, non-stop 24 hours a day, 7 days a week, 365 days a year? To add to the complexity – how do you not only provide a reliable and secure solution when it’s mobile, traveling at varying speeds, and can be in/out of coverage using various wireless technologies? Waiting to upload video from a transport vehicle when it comes into port, the station, or any centralized location is a reactive approach that simply will not do any longer. Transit operations require a more proactive approach today and the ability to constantly know what is going on at any given time on their mobile vehicles, and escalate that information to headquarters, authorities, or law enforcement if needed; which can only occur with real-time monitoring. This is the ultimate question when it comes to collecting, analyzing, and sharing data from mobile vehicles – how to get the video from public transportation vehicles alike to headquarters in real time! Managing video data In order to answer this question, let’s get back to basics. The management and nature of video data differs greatly from conventional (IT) data. Not only is video conducted of large frames, but there are specific and important relationships among the frames and the timing between them. This relationship can easily get lost in translation if not handled properly. This is why it’s critical to consider the proper way to transmit large frames while under unstable or variable networks. The Internet and its protocols were designed more than two decades ago and purposed for conventional data. Although the Internet itself has not changed, today’s network environments run a lot faster, expand to further ranges, and support a variety of different types of data. Because the internet is more reliable and affordable than in the past some might think it can handle anything. However, it is good for data, but not for video. This combination makes it the perfect time to convert video recording to the Cloud! Video transmission protocol One of the main issues with today’s technology is the degradation of video quality when transmitting video over the Internet. ITS are in dire need for reliable transmission of real-time video recording. To address this need a radical, yet proven, video transmission protocol has recently been introduced to the market. It uses AI technology and to adapt to different environments in order to always deliver high quality, complete video frames. This protocol, when equipped with encryption and authentication, enables video to be transmitted reliably and securely over the Internet in a cloud environment. One of the main issues with today’s technology is the degradation of video quality when transmitting video over the Internet Finally, transportation industry has a video recording Cloud solution that is designed for (massive) video that can handle networks that might be experiencing high error rate. Such a protocol will not only answer the current challenges of the transportation industry, but also make the previously risky Cloud environment safe for even the most reserved environments and entities. With revolutionary transmission protocols, the time is now to consider adopting private Cloud for your transportation operations.