Why Moving To A Risk-Based Approach Helps Business

Download PDF version

Today’s security leaders encounter many challenges. They have to operate with reduced budgets and face challenging and evolving risks on a daily basis. Security leaders are often ignored and only called upon when needed or in disaster situations. Many don’t have an ongoing relationship with the C-suite because the C-suite doesn’t understand the value they bring to the whole business.

In order to resolve these challenges, a security leader can apply a risk-based approach to their security program. According to dictionary.com, risk is “exposure to the chance of injury or loss; a hazard or dangerous chance”. Risk is broader than a security concern and involves the entire business.

Through utilizing a 3R model - considering resources, risks and resolutions - a security leader can evaluate the output from the model to build the foundation of a strong plan. This allows the leader to make security decisions based on a quantified risk measure.

A business determines what resources it wants to protect, what risks it needs to protect the resources from and what resolutions it can put in place to mitigate the risk. Decisions are based on measurable evidence. Free online risk assessment tools are available to provide a fast, easy way to determine an organisation's basic security risks through an investigative approach

The 3 Rs

The first step in the 3R model is to figure out what resources need protection. This could be physical - such as buildings, critical infrastructure or valuable equipment, knowledge-based - such as intellectual property, or organizational - such as people or governance structure. Understanding the business will help the security leader develop a list of critical elements. Look for tangible resources such as buildings and machinery, and intangible resources like reputation, knowledge and processes.

Second, determine what the resources need to be protected from. Anything that threatens harm to the organization, its mission, its employees, customers, partners, its operations or its reputation could be at risk. These can include contextual risks (workplace safety or natural disasters), criminal risks (theft or cybercrime) or business risks (compliance or legal issues).

Anything that threatens harm to the organisation, its mission, its employees, customers, partners, its operations or its reputation could be at riskFree online risk assessment tools are available to provide a fast, easy way to determine an organization's basic security risks through an investigative approach. The tools ask several questions and determine risk based on an organization’s location and the answers provided. Security leaders can also work with security companies and consultants that offer risk assessments to determine their company’s needs, and then offer solutions based on that assessment.

The third objective is to determine how businesses can best protect the identified resource. The last of the 3 Rs - resolutions - are those security activities that enable the business to mitigate the impact of security risks. Resolutions can potentially prevent a security incident from occurring, contain the impact to resources if an event does occur and also assist the organization in recovering from an impact more quickly or easily.

The first step in the 3R model is to figure out what resources need protection, this could physical such as buildings or critical infrastructure

The Path Forward

Understanding what risks a business faces in totality provides an opportunity for the security leader to collaborate with other department heads. This gives security leaders an opportunity to engage with functions outside their norm as well as a chance to demonstrate their subject matter expertise. A risk-based approach also helps security leaders fully understand an organization’s needs and concerns, which they can communicate to the C-suite to help them make better business decisions. Metrics can also help business leaders understand the cost/benefit of resolutions

C-suite and executives help define an acceptable level of security risk tolerance to resources and make quality, educated decisions about mitigating security risks. Through collaborating with security leaders using a risk-based approach and the 3R model, metrics and reports show the impact of security expenses, and there is a transparent view of security risk.

The final decision about how to mitigate and resolve risks is up to the business owner of the resource and the risk stakeholders. To obtain funding, show the risk and value of resources exposed to potential impact. Then present the recommended resolution that reduces the potential level of impact and the associated cost benefit savings. By providing this information, security leaders can ensure that the business owners can make an educated decision.

Measuring Success

A risk-based approach aligns the security mission with the organization’s mission. Security leaders should have these conversations with their business leaders on a regular basis. Understanding the thresholds of risk tolerance and showing when incidents or activities are trending outside of acceptable boundaries will help business leaders make educated decisions. The 3R model also helps a business to track occurrences, quantify the direct and ancillary impact and make continuous adjustments to the security program

Determining a baseline of acceptance gives a foundation for security leaders to point out when the organization is not meeting its own requirements. Metrics can also help business leaders understand the cost/benefit of resolutions and demonstrate when costs may be trending outside of acceptable boundaries.

The 3R model also helps a business to track occurrences, quantify the direct and ancillary impact and make continuous adjustments to the security program. It is important to note that this process is not stagnant, and needs to be constantly revisited.

Examining risks, resources and resolutions in a systematic way will help security leaders understand what they are protecting

Defining Risks And Vulnerabilities

Continuous conversations using the 3R model also help business leaders understand what security risks could interfere with meeting business objectives. It also aligns the total cost of ownership for the security program with the business value of the resources at risk. The approach puts the security risk decisions in the hands of the ones impacted by those risksAnd it defines the security role as risk management, not just task management. The approach puts the security risk decisions in the hands of the ones impacted by those risks…the “owners” of the resources.

Examining risks, resources and resolutions in a systematic way will help security leaders understand what they are protecting, what they are protecting it from, and how they can help prevent, contain or recover against a specific risk. Followers of this approach are in a better position to ask for funding because they can clearly define and quantify risks and vulnerabilities.

Applying these principles will equip security leaders with the knowledge needed to have better dialogue with colleagues in other departments, encouraging more proactive discussions about security.

Download PDF version

Author profile

Kim Rahfaldt Public Relations Manager, AMAG Technology, Inc.

Related companies
AMAG Technology, Inc.

View all news from
AMAG Technology, Inc.

Related links
Articles by Kim Rahfaldt

In case you missed it

Is A Massive U.S. Recall Of Burglar And Fire Alarms Possible?

Could millions of burglar and fire alarm control units be recalled by the U.S. Consumer Product Safety Commission? That could be the upshot when the independent agency of the U.S. government rules on a 'Complaint of Non-Conforming Products' investigation requested on behalf of a consultant/forensic expert who says he has identified non-compliance dangers and vulnerabilities related to the devices. Breaching security standards Jeffrey Zwirn, an alarm and security forensic expert, says he has identified problems with the alarm devices and has posted online a series of videos confirming that they do not operate in conformance with Underwriters Laboratories (UL) 985 and 103 and NFPA 72 (National Fire Alarm and Signaling Code) Standards. Specifically, the single data-bus circuits of the hardwired devices can be short-circuited and become either fully or partially non-functional. The U.S. Consumer Safety Product Commission is tasked with promoting the safety of consumer products by addressing “unreasonable risks” of injury, such as risk of fire, chemical exposure, electrical malfunction or mechanical failure.The U.S. Consumer Safety Product Commission is tasked with promoting the safety of consumer products Typically, the CSPC evaluates such requests and determines what corrective action, if any, is appropriate, in this case possibly by the end of the year. IDS Research & Development Inc. (Zwirn’s company) and Connaughton Group LLC, a product integrity consulting firm, sent a request to the CSPC on Sept. 20 asking for an investigation of products across the North American household fire and burglar alarm control units and commercial burglar and fire alarm control panel category. Recalling alarm control units The request estimates that “hundreds of millions” of the units were sold and installed across the United States. They include products sold under brand names such as Honeywell, DSC, NAPCO, ELK Products, and Interlogix. If the recall were to happen, it would be the largest recall in the history of the alarm industry. The request states: “It is our expert opinion that these non-conforming control panels present a foreseeably dangerous and serious public safety hazard and risk to all of the unsuspecting consumers, their families and business owners who have these control panels installed in their homes and businesses.”These non-conforming control panels present a foreseeably dangerous and serious public safety hazard" Zwirn has also submitted the products for investigation by UL and Intertek Testing Services Inc., which respectively provide the UL and ETL certification marks and are Nationally Recognized Testing Laboratories (NRTL). Outcomes of those investigations are forthcoming. Jeffrey Zwirn also promotes and sells a product, The Interceptor, that would address the vulnerability. It is a microprocessor designed to protect the data-bus and auxiliary power output wiring installed throughout a protected premises.

Assessing The Risk Of Violence And Designing Workable Solutions

The task of protecting shared spaces, such as offices and schools, has become increasingly complex, particularly with ever-rising political tensions and the difficulties of assessing threats for schools, workplaces and law enforcement. Given the randomness of when and where a violent person may strike, those who manage facilities need an emergency plan, as well as robust training, detection and awareness. To gain more insights into dealing with such threats, we interviewed John Torres, President of Security and Technology Consulting, Guidepost Solutions. Guidepost Solutions is a global team of investigators, security and technology consultants, and compliance and monitoring experts. They provide security design and consulting, investigations, and compliance and monitoring leadership for critical client needs. Torres has extensive investigative and security experience. Previously, he served as the Special Agent in Charge for Homeland Security Investigations in Washington, D.C. and Virginia. His background includes more than 27 years of experience providing investigative and security management for the U.S. Departments of Homeland Security and Justice, including serving as the Acting Director and the Deputy Director of U.S. Immigration and Customs Enforcement. Q: Why is it difficult for schools, workplaces and law enforcement to assess threats of violence? How can they differentiate between a threat and a non-threat? Torres: With mobile technology and social media, threats are more than just physical. Schools are often not screening student social media accounts and are restricted in what they can and cannot monitor due to privacy laws. Proactive business and educational institutions are working closely with law enforcement, providing training and increasing awareness of potential threats or abnormal behavior. Proactive business and educational institutions are working closely with law enforcementEmerging tools include software that allows monitoring of students’ school-issued email and file storage accounts. Communications software and apps provide real-time notification of emergency messages to students, parents, employees and the community to provide critical instructions during an emergency. The combination of training and new tools has enabled trends and threatening language to be identified and appropriate authorities notified. Q: What tools and/or insights can Guidepost Solutions add to the mix? What are the elements of a “comprehensive risk assessment?” Torres: Comprehensive risk assessments include adopting a tiered approach to assessing the school or office and the surrounding environment. A typical approach includes site perimeter review, identifying gates, fencing, vehicle barriers etc., the parking lot, building exterior, interior paths of travel and individual classroom measures. Review and observation of systems including mass notification, video surveillance, access control, intrusion and visitor management, etc. are critical to ensure that they are equipped to maintain functionality in the event of power loss etc. As an insight, always engage with people, they have the knowledge of each unique facility. Elements we can add to the mix include assessments, physical security improvements and mass notification systems, as well as emergency response training, operational policies and procedures, and behavior analysis. Q: How can the elements of a risk assessment be translated into recommendations of specific technologies or processes (such as video surveillance and/or access control)? Torres: Risk assessments often drive and identify the need for technologies to be implemented into the security programs of schools, business or places of mass gathering, such as stadiums, convention centers and houses of worship. Risk assessments often drive the need for technologies to be implemented into places of mass gatheringRisk assessments help identify weaknesses in security procedure and then often support phased security enhancement programs as funds become available for investment. Each entity is different, and stakeholders should be included. For example, video surveillance may be a priority at one location but controlling the main point of entry may be more important at another. Technology and process recommendations must meet the operational needs and support the goals of the security team and operational managers. Q: How can the risk of an incident be mitigated and lives protected? Torres: While multiple steps are helpful, all of them in combination are key to implementing a comprehensive security plan. They include: Assessments – physical, cyber and procedural Physical Security Improvements – visitor management, fencing and barriers, locks and cameras Emergency Response Training – law enforcement coordination; muscle memory response Mass Notification Systems – current software, clear concise directives, testing Operational Policies and Procedures – termination, evacuation, communication, intervention Behavioral Analysis. Q: What are the elements of behavior analysis? Torres: They include things like changes in appearance and behavior, including social media behavior, and isolation from family or friends. They also include studying or taking pictures of potential targets, and real or perceived bullying. An individual may advocate violence or hate, and/or consume violent extremist information/propaganda. He or she may talk about traveling to places that sound suspicious, and/or have an obsession with weapons. Q: What is the role of training? Torres: Training is critical regarding emergency situations in schools, be it a fire drill, earthquake, lockdown, active shooter situation, etc. Training and drills educate those present, including employees and staff, with information about actions that may save lives and reduce casualties in a real emergency. Training should hold people responsible and set standards for acceptable behavior. Training is critical regarding emergency situations in schoolsThere should be a plan that is implemented, including practice and drills. You should also provide training and communication skill building classes. Develop intervention strategies. Work with HR and legal (and others as appropriate). Finally, document everything. Q: What challenges still remain? Torres: Cultural and behavioral change remains at the forefront of schools and businesses when addressing safety and security measures. A large percentage of violent acts may be preventable if a bystander shares his/her concerns with the proper authorities. According to the FBI, perpetrators exhibited behavioral indicators in 93% of incidents. And bystanders had prior knowledge in 81% of school attack incidents and 80% of terrorist-inspired behaviors or activities before an attack. Q: What progress are you seeing? Torres: With each tragedy that occurs, leaders are engaging with safety and security head on. There is a shift in schools and businesses to engage with professionals that can help them understand what they do not know. Simple things such as improved communication and enforcement of policies and procedures can have a tremendous positive impact on an organization’s security posture. Assessments and technology upgrades are important and effective, but it all starts with acknowledging the need to provide and maintain safe and secure environments for students, employees and the community.

Making The Shift From Manufacturer To Service Provider

The jury is in: traditional security is out — and it’s being replaced with service-based solutions. The bottom line is: if you’re not embracing it, you’ll soon be left behind. XaaS — the collective term referring to the delivery of anything as a service — includes all services made possible through the use of the cloud. Security-as-a-Service (SaaS), which encompasses any type of system from access control to video surveillance, has paved the way for users to gain significant functionality and scalability not previously experienced with more traditional methods. Complicated IT functions SaaS allows manufacturers to provide numerous benefits to their customers As such, there is a marked transition for manufacturers from simply designing and building products to providing a service rooted in a partner- and customer-centric focus. This change hasn’t come easily. Some are still holding out and waiting for the “fad” to pass. However, the potential advantages for all parties involved far outweigh the perceived negative points. First and foremost, SaaS allows manufacturers to provide numerous benefits to their customers. An “as-a-service” model shifts the burden of data maintenance and infrastructure spending to an integrator/dealer partner or service provider. This relieves the end user of the expertise necessary to implement complicated IT functions to keep networked and on-premise solutions up-to-date. Traditional security systems Additionally, end users demand solid customer service. For some end users, traditional security systems are so similar in features and functionality that the key differentiator is the ability of the integrator or manufacturer to provide exceptional customer service and training. This is made possible through the service-based model, where customers appreciate a strong relationship with their integrator or manufacturer that provides them with additional knowledge and assistance when necessary. The cloud has proven to be highly functional, flexible, and convenient for organizations Everyone also wants convenience. In the consumer market, we invest in things like meals that are pre-measured, prepped, and ready to be cooked, or companies that auto-ship dog food to our door each month. This ease-of-use translates over to the B2B market, where time is money and systems that save valuable resources are highly regarded. The Role of the Cloud The cloud has proven to be a highly functional, flexible, and convenient method for organizations to leverage as part of their strategies to protect and modernize their facilities. And the service-based nature lends itself well; forward-thinking integrators and dealers can diversify their product arsenal while still capitalizing on a recurring monthly revenue model (RMR). But then why has there been so much resistance to this change? Over the last 10 to 15 years, the cloud has gotten a bad rap for a myriad of reasons, including usability, management, and unreliability. However, that view of the cloud is changing for the positive as the technology becomes more advanced and innovators learn more about what it means to design a product or service with security at its core. "As-a-service” platform For example, one of the biggest misconceptions that plagues the cloud is the idea that it is not secure. However, the security of public cloud service providers is integral to their success because their business depends on it. Developing an ongoing and trustworthy relationship with customers can only be made possible through the assurance that their services are safe and the customer’s data is protected. As such, they’ve embraced the service-based model that is, at its core, the future of the business world as we know it. There isn’t a person, manufacturer, or integrator partner out there today who isn’t somehow touched or influenced by an “as-a-service” platform. And it’s about time the service-based model that leverages the public cloud reaches the masses.