When security budgets are lean, the first question security leaders should ask themselves is this: does the actual risk at a facility merit the expense? Certainly the “standard of care” and the applicable local codes and standards must be built into every facility. But when managing a very limited budget, asking “should I do more?” is critical.
Answering this key question helps you make decisions that add measurable value to your company. It assures your senior management that the resources you do spend are for the right reasons, and that you are a good steward of the funds you have been given to ensure the safety and security of the enterprise. Unfortunately, we often see budgets applied to security requirements for the wrong reasons.
Here are some of the pitfalls security leaders should avoid:
“I must upgrade all of my facilities to ‘X’ standard.”
As a policy statement on the heels of a well-done security risk analysis, this makes complete sense. Unfortunately, we more often hear it as an aspirational desire for better security throughout the enterprise than as the result of a thorough risk analysis. The driver for the “upgrade” is blind adherence to an industry guideline or best-practice standard. While such guidelines and standards are a decent place to start, leaping on them to guide programmatic security decisions without first anchoring them to a solid risk assessment is foolish and all too often expensive. Vendors of the latest and greatest technologies absolutely salivate over security leaders who do this. The problem is that their “solutions” are usually judged on the performance of the gadget, and sadly not on whether the gadget brings true value to the organization.
The “risk” assessment that is not a risk assessment
Security risk assessment and analysis really started to take off in the early to mid-1990s, following attacks on U.S. embassies and military installations overseas. In the 1980s and early 1990s, U.S. government building and facility design guidelines were developed to protect employees and properties from terrorists and other adversaries. Beginning in the 1990s, criteria were developed to assess which facilities were most at risk, and from what threats. Security risk analysis, which originated in the financial and insurance communities, evolved rapidly at this time. The role of risk analysis was, and is, to give security executives and planners a basis for judging whether actions [and expenditures] should be taken beyond mandated minimums. Unfortunately, since that time several good, straightforward risk analysis methods have been contorted into “methodologies” by well-meaning practitioners. Just to be clear: a solid risk assessment is not only there to serve the security designer; it is there to benefit the company mission. It must also contain a thorough threat analysis so that your budgetary planners can determine whether the expense of a security upgrade is merited. One should not be done without the other. Without threat, or with only lip service paid to threat via a conspicuously defined “Design Basis Threat” [DBT] module, your “risk assessment” is nothing more than a vulnerability assessment or a cursory security review. It is not a full assessment of risk.
The Compliance Review Risk Assessment
Believe it or not, we see this all the time. A compliance review, tied to a government- or industry-mandated compliance regime, is performed to ensure the company is in compliance and avoids costly fines. Security policies and procedures, physical and technical security measures, and the information technology measures that protect systems are all examined through the compliance lens to determine whether they fall within or outside the standard. It is a check-the-box method that can certify whether a facility or organization meets a certain mandated minimum. While compliance is fine for establishing a baseline, it is not a substitute for a true risk assessment because, as with vulnerability assessments and security reviews, compliance fails to address threat and risk properly, and it misses the crucial “should” question that informs the budgetary process.
There is a lot of talk about “value” in the security business. The reason this term is used and abused so much is that security programs are often thought of as cost centers that add no value to the enterprise. That perception is, unfortunately, reinforced by inept security management decisions about risk. When budgetary expenditures for security systems and programs are tied to the design process alone, without any consideration of actual need, the perception becomes reality in the minds of CFOs and CEOs, especially when the security leader, confronted with the question “why?”, cannot say whether that costly access control system, CCTV network, or set of new door locks was really necessary. Yes, there is value in the security business: preventing the incident that “could have happened” because of good security. But proving a negative, or evidence of absence, is very hard. Having solid evidence of which risks are worth spending on, in priority order, is a way to show value. The elephant in the room in any discussion of security measures, whether the risk at a facility merits the expense, should not be ignored; it is the first question security should address. The key to answering that question to management's satisfaction is a comprehensive risk assessment.