Why Moving To A Risk-Based Approach Helps Business

Download PDF version

Today’s security leaders encounter many challenges. They have to operate with reduced budgets and face challenging and evolving risks on a daily basis. Security leaders are often ignored and only called upon when needed or in disaster situations. Many don’t have an ongoing relationship with the C-suite because the C-suite doesn’t understand the value they bring to the whole business.

In order to resolve these challenges, a security leader can apply a risk-based approach to their security program. According to dictionary.com, risk is “exposure to the chance of injury or loss; a hazard or dangerous chance”. Risk is broader than a security concern and involves the entire business.

Through utilizing a 3R model - considering resources, risks and resolutions - a security leader can evaluate the output from the model to build the foundation of a strong plan. This allows the leader to make security decisions based on a quantified risk measure.

A business determines what resources it wants to protect, what risks it needs to protect the resources from and what resolutions it can put in place to mitigate the risk. Decisions are based on measurable evidence. Free online risk assessment tools are available to provide a fast, easy way to determine an organisation's basic security risks through an investigative approach

The 3 Rs

The first step in the 3R model is to figure out what resources need protection. This could be physical - such as buildings, critical infrastructure or valuable equipment, knowledge-based - such as intellectual property, or organizational - such as people or governance structure. Understanding the business will help the security leader develop a list of critical elements. Look for tangible resources such as buildings and machinery, and intangible resources like reputation, knowledge and processes.

Second, determine what the resources need to be protected from. Anything that threatens harm to the organization, its mission, its employees, customers, partners, its operations or its reputation could be at risk. These can include contextual risks (workplace safety or natural disasters), criminal risks (theft or cybercrime) or business risks (compliance or legal issues).

Anything that threatens harm to the organisation, its mission, its employees, customers, partners, its operations or its reputation could be at riskFree online risk assessment tools are available to provide a fast, easy way to determine an organization's basic security risks through an investigative approach. The tools ask several questions and determine risk based on an organization’s location and the answers provided. Security leaders can also work with security companies and consultants that offer risk assessments to determine their company’s needs, and then offer solutions based on that assessment.

The third objective is to determine how businesses can best protect the identified resource. The last of the 3 Rs - resolutions - are those security activities that enable the business to mitigate the impact of security risks. Resolutions can potentially prevent a security incident from occurring, contain the impact to resources if an event does occur and also assist the organization in recovering from an impact more quickly or easily.

The first step in the 3R model is to figure out what resources need protection, this could physical such as buildings or critical infrastructure

The Path Forward

Understanding what risks a business faces in totality provides an opportunity for the security leader to collaborate with other department heads. This gives security leaders an opportunity to engage with functions outside their norm as well as a chance to demonstrate their subject matter expertise. A risk-based approach also helps security leaders fully understand an organization’s needs and concerns, which they can communicate to the C-suite to help them make better business decisions. Metrics can also help business leaders understand the cost/benefit of resolutions

C-suite and executives help define an acceptable level of security risk tolerance to resources and make quality, educated decisions about mitigating security risks. Through collaborating with security leaders using a risk-based approach and the 3R model, metrics and reports show the impact of security expenses, and there is a transparent view of security risk.

The final decision about how to mitigate and resolve risks is up to the business owner of the resource and the risk stakeholders. To obtain funding, show the risk and value of resources exposed to potential impact. Then present the recommended resolution that reduces the potential level of impact and the associated cost benefit savings. By providing this information, security leaders can ensure that the business owners can make an educated decision.

Measuring Success

A risk-based approach aligns the security mission with the organization’s mission. Security leaders should have these conversations with their business leaders on a regular basis. Understanding the thresholds of risk tolerance and showing when incidents or activities are trending outside of acceptable boundaries will help business leaders make educated decisions. The 3R model also helps a business to track occurrences, quantify the direct and ancillary impact and make continuous adjustments to the security program

Determining a baseline of acceptance gives a foundation for security leaders to point out when the organization is not meeting its own requirements. Metrics can also help business leaders understand the cost/benefit of resolutions and demonstrate when costs may be trending outside of acceptable boundaries.

The 3R model also helps a business to track occurrences, quantify the direct and ancillary impact and make continuous adjustments to the security program. It is important to note that this process is not stagnant, and needs to be constantly revisited.

Examining risks, resources and resolutions in a systematic way will help security leaders understand what they are protecting

Defining Risks And Vulnerabilities

Continuous conversations using the 3R model also help business leaders understand what security risks could interfere with meeting business objectives. It also aligns the total cost of ownership for the security program with the business value of the resources at risk. The approach puts the security risk decisions in the hands of the ones impacted by those risksAnd it defines the security role as risk management, not just task management. The approach puts the security risk decisions in the hands of the ones impacted by those risks…the “owners” of the resources.

Examining risks, resources and resolutions in a systematic way will help security leaders understand what they are protecting, what they are protecting it from, and how they can help prevent, contain or recover against a specific risk. Followers of this approach are in a better position to ask for funding because they can clearly define and quantify risks and vulnerabilities.

Applying these principles will equip security leaders with the knowledge needed to have better dialogue with colleagues in other departments, encouraging more proactive discussions about security.

Download PDF version

Author profile

Kim Rahfaldt Public Relations Manager, AMAG Technology, Inc.

Related companies
AMAG Technology, Inc.

View all news from
AMAG Technology, Inc.

Related links
Articles by Kim Rahfaldt

In case you missed it

ISC West 2019 Wrapup: An Ecosystem Of Apps, Chips And Systems To Come

The excitement of ISC West 2019 continued until the very end – almost. Exhilarated by the first two busy days of the show, attendees and exhibitors seemed to welcome a slower third day. There were no complaints about booth traffic, and still plenty of thoughtful conversations taking place, everyone determined to maximize the value of face time with customers until the last second. Building An IoT Ecosystem In SAST At a show lacking in high-profile new technology announcements, the biggest news is perhaps the possible long-term impact of first-time exhibitor Security and Safety Things (SAST), a Bosch startup. SAST is building a new Internet of Things (IoT) ecosystem for the security and safety industry, including an app store, an open and secure camera operating system, a software developer environment, and a portal for integrators. SOCs (system-on-chips inside cameras) are becoming much more capable" Their 1,800-square-foot booth was big for a first-time exhibitor, and the American football theme was well received, as was the substance of the company’s effort to drive innovation in a highly fragmented industry. Seeing actual cameras and apps on display at the ISC West booth is “more real than PowerPoint,” says Hartmut Schaper, CEO of Security and Safety Things (SAST). “For us, seeing is believing,” says Schaper. “It was important for us to show cameras and apps for the first time. People are surprised at how far down the road we are.” “This dynamic will change in the industry,” says Schaper. “SOCs (system-on-chips inside cameras) are becoming much more capable. Soon there will be more processing power on the edge. People will find a way to use the extra processing power.” “Seeing is believing” at the SAST booth at ISC West 2019, where CEO Hartmut Schaper showed several manufacturers’ cameras whose functionality can be expanded using Android apps Developing More Apps Several large manufacturers are already involved in the initiative, but there are some holdouts. “We are having ongoing talks with everyone to convince them to join,” Schaper says. “Some of the bigger ones will come around. We are not a camera manufacturer, and not a threat. We are owned by Bosch but are managed completely separately. There will be more and more apps developed, and momentum will increase.” “A year from now we will have successful customers we can talk about, and more camera manufacturers on board,” he says. “This year we are taxiing on the runway, but next year we will have cleared the tarmac and be climbing.” If the approach succeeds, their first appearance at ISC West will be remembered as historic. Future Of Surveillance Cameras Off the show floor, in a nearby meeting room, chip maker Ambarella demonstrated technologies that will be driving the future of video surveillance cameras, including more intelligence at the edge. “People have been using more traditional video analytics approaches, though most of them have been disappointing,” says Chris Day, Ambarella VP of Marketing and Business Development. “What is ground-breaking now is the use of neural networks and real artificial intelligence, which has increased capabilities 100x. "You will see camera products coming out over the next year that are massively better than before. It’s not just incrementally getting better. Cameras will be coming out later this year with analytics that are absolutely amazing based on [the new chips.]” Larry Anderson, editor-in-chief of SecurityInformed.com, talks about Ambarella HDR and Low Light Solutions with Jerome Gigot, Senior Director of Marketing for Ambarella. (Source: Ambarella) New Systems-on-Chips Ambarella has introduced four new systems-on-chips (SoCs) in the last year, with emphasis on computer vision (video analytics). The newest is the S6LM Camera SoC with 4K imaging technology, unveiled at ISC West. The S6LM includes Ambarella's latest high dynamic range (HDR) and low-light processing technology, highly efficient 4K H.264 and H.265 encoding, multi-streaming, on-chip 360-degree de-warping, cyber-security features, and a quad-core CPU. People shouldn’t forget what a good camera is, and there doesn’t have to be a tradeoff" “With so much focus on AI and computer vision, I’m concerned the industry has taken focus away from low light imaging, wide dynamic range and image quality,” says Day. “You have to see the details in an image. People shouldn’t forget what a good camera is, and there doesn’t have to be a tradeoff, it’s all included in one chip.” From Products To Systems With a new general manager on board (Daniel Gundlach, formerly of Bosch), FLIR Systems Security Division is continuing its transition from a product company to a solutions provider, removing internal silos to clear the path. FLIR offers a strong end-to-end portfolio for Smart Cities applications, including the TruWITNESS line of body worn cameras and newly acquired Aeryon drones. FLIR’s historical strength as the top thermal imaging provider continues, but today they are much more than a thermal imaging company, offering visible day/night cameras, infrared pan-tilt-zoom cameras, video management systems and other technologies to provide a broader platform. FLIR's Saros security cameras combine multiple security technologies, including thermal sensors, high-resolution visible imaging, IR and visible LED illuminators, onboard analytics and two-way audio and digital input/outputs. Products In Critical Infrastructure Applications In addition to Safe Cities, FLIR installs a range of products in critical infrastructure applications, such as oil and gas and electric utilities. Ports also tend to combine traditional security with an emphasis on perimeter protection, a FLIR strength. Existing perimeter protection applications can open opportunities for the broader platform. For example, installing a complete system in an airport that already uses FLIR’s thermal technology represents “low-hanging fruit” for the company, says Fredrik Wallberg, FLIR Director of Marketing – Security and Intelligent Transportation Systems. Ambarella demonstrates its latest imaging technology for video security during ISC West 2019 (Source: Ambarella) Integrated Solutions Bosch's Focus At the Bosch booth, there was an emphasis on integrated solutions and the customer experience. A mock retail store setup demonstrated systems such as overhead cameras for people counting and alarm communication to provide an alert if a refrigerator door is left ajar. A wireless panic button generates a silent alarm, communicates with a 2-way radio, and triggers a camera to focus on the area. An AVIOTEK IP camera alarms if there is a fire, based on observing actual flames rather than smoke. A new Bosch fixed dome camera series offers wireless remote commissioning capabilities that reduce installation and set-up time by up to 75 percent. Set-up only takes three steps: install the mounting bracket, connect the cables, and attach the camera module. Commissioning can be done wirelessly or remotely with no need for ladders or lifts. Dahua Marks Five Years In The States An IR illuminator is attached to each lens module to ensure there is always illumination in the field of view Time flies in the security industry, and it has already been five years since the Dahua brand entered the U.S. market. Today the company offers products through ADI and some 20 distributors, and has more than 30 technical consultants and technical support employees and 50 or 60 sales people in the field (including independent rep firms). “We are growing,” says Tim Shen, Director of Marketing at Dahua Technology USA. “It’s exciting for the company.” At ISC West, Dahua introduced a line of Multi-Flex panoramic cameras with lens modules that can be repositioned along an internal track for 180-, 270- or 360-degree views, providing flexibility for integrators. An IR illuminator is attached to each lens module to ensure there is always illumination in the field of view. Cost savings come from ease of installation (one camera instead of four) and only one VMS license (instead of four). AI And Night Color Cameras Dahua is also emphasising its Night Color cameras that remain in full color mode regardless of how dark it gets. There is no IR illumination or IR cut filter – the camera stays in color mode and displays any visible image in colour with as little as 1 lux of illumination. The 2 megapixel version is on display at ISC West, and a 4 megapixel version will come in the fall. A year ago at ISC West, Dahua emphasised its initiatives in artificial intelligence (AI) in order to position the company as a technology leader. This year, the message was more general – ‘Power Through Technology.’ The range of Dahua technologies includes AI, Night Color, Starlight low-light imaging, fifth-generation HDCVI, and e-POE (Enhanced Power over Ethernet). Dahua USA's Director of Marketing says "the market itself likes AI", and expects more AI applications to follow (Source: Dahua USA's LinkedIn) “When we present AI to customers, they are happy, but when it comes to the budget they don’t have it,” says Shen. “The market itself likes AI, and it’s very much a buzzword. But we still need a proof of concept that it can do something good for end users. We need time to develop broader applications. The ‘smart retail’ market and education are good places to start.” he says. “AI is for project business,” adds Jennifer Hackenburg, Dahua’s Senior Product Marketing Manager. “Projects that are looking at AI haven’t come to fruition yet; they are still in the pipeline. It’s not for your everyday business. They are implementing it, but not as fast.” Access Control Beyond Doors Access control should extend beyond doors. That’s the message I heard at the ASSA ABLOY booth, which displayed a variety of physical locks and intelligent access systems. An example is traffic cabinets, those metal boxes in public locations that could potentially be accessed to invade an internal network. ASSA ABLOY emphasises the need to secure the variety of enclosures, cabinets, drawers and small spaces ASSA ABLOY emphasizes the need to secure the variety of enclosures, cabinets, drawers and small spaces throughout an enterprise. The company’s ‘security continuum’ message draws attention to the need for the right level of security for the right opening, using existing infrastructure as well as new electronic technologies. “Customers face a combination of non-traditional access control and questions on how they can secure things that are not doors,” says David Corbin, ASSA ABLOY Director of Access Control Accessories. The security message is resonating beyond the traditional security department to involve other stakeholders in an enterprise, including IT directors. There is new awareness of vulnerabilities that have been there forever, such as traffic cabinets that can be opened with a key purchased on eBay.

ISC West 2019 Day Two: Explaining The New And The Tried-And-True

There are many new technologies at ISC West this year. There are also some tried-and-true solutions on display. More mature products have the benefit of being fully vetted and battle-tested, which may make them a more comfortable choice for security customers. I had a couple of discussions on Day 2 of the show about the advantages, and possible drawbacks, of new products. “To a security director, when you say ‘new,’ he translates that into ‘risk,’” says Bill Spence, VP of Sales, U.S., Canada and Western Europe for HID Global’s Lumidigm biometrics brand. “Anytime you say new, there is a probability of risk. The key is to educate. Education quantifies risk, and an educated customer can make an intelligent decision about risk versus reward.” “We have to take customers from where they are to help them understand new technologies,” says Spence. “We must give them a bridge to that understanding, and education is the bridge.” Lumidigm Biometrics Integrations An app provides graphics that take installers step-by-step through the installation process HID Global is incorporating Lumidigm biometrics into the new iClass SE RB25F fingerprint reader being highlighted at the show. Two-factor authentication can use either a card or mobile credential along with biometrics; there is no latency; and templates can be stored on a card. Another new offering at the HID Global booth is an augmented reality tool to simplify installation of newer systems that incorporate the more secure OSDP protocol. An app provides graphics that take installers step-by-step through the installation process. Also highlighted at the HID Global booth — and at the booths of turnstile manufacturers throughout the show — are embedded readers that provide tested and certified mobile access control for turnstiles. IClass SE technology is embedded in the iRox-T Turnstile Reader from Essex Electronics. Innovative Security Technologies There’s a delicate balance at any trade show between creating excitement about new products and educating customers to be comfortable with new technologies. There is some of both at ISC West 2019. In the future, hardware will be a delivery device, not the core of systems “We are on the cusp of change in the industry, and it’s closer than ever,” says Jennifer Doctor, Johnson Controls’ Senior Director, Project Management - Intrusion. “We will see the impact of promised technologies that will come from other industries, such as artificial intelligence. The very definition of security is changing. We are an industry that needs to be risk-averse, and we need to prove out the technology. There is innovation, but we just need to make sure technologies are what the market wants and expects.” “In the future, hardware will be a delivery device, not the core of systems, which will come from intelligence in the software and from services,” she adds. “The products we deliver will enable that.” Have 30 percent of service companies in the U.S. security market jumped into the cloud? PowerSeries Pro Intrusion Portfolio Johnson Controls is highlighting the commercial PowerSeries Pro intrusion portfolio, which features PowerG encrypted technology that enables wireless systems that are cyber-secure. The cloud is coming on strong, and one company finding success in cloud systems is Eagle Eye Networks, which has seen 93% compounded annual growth over the past three years. Economies of scale have enabled them to lower subscription prices by 35%, with an extra 10% decrease for customers that pay annually. Ken Francis, President of Eagle Eye Networks, says they are signing up 50 new dealers a month for the cloud video offering. Francis estimates that 30 percent of service companies in the U.S. security market have jumped into the cloud “It’s really heating up,” says Francis. “The general cloud is driving increases in the surveillance cloud.” Jumping To Cloud Embracing the cloud and recurring monthly revenue (RMR) requires that dealers transform their businesses to ensure success. Francis says dealers should dedicate sales resources to cloud offerings rather than expect everyone to sell the cloud, and there should be a base commission plan on RMR services in lieu of upfront project fees. March Networks is also showing integration of video with the Shopify cloud-based point-of-sale (POS) system “Talk to professionals about your cash flow and understand how to capitalize on financing partners to ensure cash flow while investing in the RMR stream,” he adds. “And look for ways to reduce your costs to serve the customer base as your RMR increases.” For example, use of remote site diagnostics, configuration and support can avoid the need for expensive “truck rolls” that can undermine profitability. Francis estimates that 30 percent of service companies in the U.S. security market have jumped into the cloud. Alarm companies, which are accustomed to the RMR model, are generally ahead of the curve, while traditional security integrators are lagging. “It’s a requirement to change or die,” he notes. Insight Hosted Managed Service Also, in the area of managed services, March Networks is highlighting its Insight hosted managed service that can provide instant information on video systems located at remote sites, including visibility into firmware versions, camera warranty information, and cybersecurity status of systems. The ability to dive deeply into system status empowers a new recurring revenue stream for integrators. Color-coded icons summarize system status and show pending issues and clicking on the icons provides detailed workflow information. The system can also be offered for smaller systems such as those at convenience stores and quick-serve restaurants. March Networks is also showing integration of video with the Shopify cloud-based point-of-sale (POS) system. The integration enables managers to evaluate POS information, especially anomalies, to determine possible employee theft and other shrinkage issues.

What Is The Role Of Ethical Hackers To Ensure Cybersecurity?

Ethical hackers are familiar to the world of cybersecurity. As cybersecurity awareness increases in physical security, they are also playing a larger role to ensure the safety of networked and information technologies used in our market. We asked this week’s Expert Panel Roundtable: What is the role of ‘ethical hackers’ to ensure cybersecurity of networked products in the physical security market?