When I first meet with a new client, the most common complaint I hear, and the one cited as the biggest barrier to implementing a more holistic security solution, is: “We have looked at this before and my existing solutions lack the ability to communicate or be integrated.” Well, I am here to tell you that in most cases, with some small upgrades at the “head-end,” many of your edge devices and sensors can be integrated immediately. More importantly, from my perspective, including all departments in the evaluation and research process to improve risk management means that the resulting policies, procedures and goals deliver organizational value: improved overall visibility into the entire security infrastructure.
Here is a generic example of how you might discuss the real needs, goals and risks within your organization before you look to make any changes. By understanding the risks and the potential costs associated with them, using measures such as annual loss expectancy and total cost of ownership, you can better develop your return-on-investment case.
Let us look at internal investigations as the business area in which to discuss the risks. First, create a working group that includes a representative from every department that plays any role in this area. This might include human resources (HR), corporate security (CS), information technology (IT), facilities, loss prevention (LP), finance and insurance, marketing and legal.
Next, brainstorm events and scenarios that could create risk for the company in an internal investigation or disaster. Such events might include information leaks in various departments or a potentially violent customer or employee. Then rank the risks by likelihood and impact. Absolute precision is not necessary here, although this step may provide the momentum to gather new metrics, both within your business and from the outside world, for benchmarking purposes.
Now for controls and solutions. List existing controls and look for redundancy across departments. Brainstorm new controls to address these risks. Rank the new controls based on cost, difficulty and effectiveness, especially noting controls that can reduce likelihood and impact across multiple types of event. With good luck, you might be able to pay for a new control by reducing the redundancy of existing controls.
Finally, select the appropriate point person responsible for implementing (or championing) each high-priority control. Then establish a way to measure the effect of each new control and a way to communicate that measurement within and outside of your working group.
Don't get too hung up on making this overly formal. Keep the end in mind: enable business objectives. Keep it simple (KISS). Make internal investigations more effective and less risky.
Now repeat this process with a new team for each of these additional areas: business continuity and disaster recovery, intellectual property protection, brand protection, employee fraud, loss prevention or asset protection, and general liability. Each of these areas may require a different set of team members, although they may be the same.
Beyond the specific business value you create in each area (the deliverables), you will also lay the foundation for more interdepartmental communication and coordination. Security personnel will have more and better contacts within finance, marketing and other groups. These connections can form the basis for competitive advantage for your organization.
One of the greatest benefits of today’s integrated physical security solutions is real-time actionable intelligence, which can dramatically decrease the time needed to gather information about security incidents and then act on that information. For example, if an employee is terminated by the organization and HR removes the employee’s authority from the network, that information can instantly be updated in the organization’s access control system, alarm system, etc. This can immediately reduce the opportunity and temptation for a disgruntled employee to cause any further damage to the organization.
After you have defined your risk management goals and vulnerabilities, it will be a lot easier to create a budget to meet these goals. Then, if you have not already done so, develop a partnership with a security integrator that you can trust. The next step is to test various potential solutions within your organization; I always try to show three of the top solutions based on the client’s vertical market, the legacy systems currently in place and the client’s goals for today and tomorrow.
The good news is that, in many cases, these solutions have delivered proven benefits within organizations of all sizes and across a multitude of vertical industries, with a very high return-on-investment (ROI), such as payback in three to nine months. Some of the key benefits are: the capability to quickly communicate the details of an incident to management, actionable intelligence about incidents, tools to assist in the prevention of future incidents, a real-time view of security events, instant response to events as they happen, reduced incident resolution time, streamlined operations and improved productivity, reduced security costs, and an ROI on the organization’s physical security environment.
Take a moment to discuss “Risk Management” as a concept with your management team. Remember, there’s never a dull moment in security. In the next few years, more new challenges will be thrown at business organizations as the cultural landscape transforms. Will you have the tools in place to meet those challenges?