Safe and Risk-Managed

While every individual and organization that provides security products or services will have their spin on what security is and how to achieve the desired level, the truth is, security is essentially an unachievable outcome. A common definition of security is, “freedom from danger, fear and anxiety.” Security defined as such is, therefore, unattainable.  Anyone who truly understands security knows this, and understands that security is actually a type of risk management. What this means in practice, is that security is all about fear and anxiety and managing levels of fear of danger that are acceptable to the organization.  

The day you are free of at least some measure of fear and anxiety is the day you should retire because you’ve lost your core purpose. This is ironic, because many executives and security professionals will actually resist any attempt to introduce fear, uncertainty and doubt in the process of proposing the need for security remediation; or as I insist it should always be referred to, “Security Risk Management” or (SRM). If you are not scared, you are either naive or in denial.

Because human beings are responsible for acts and conditions that threaten security, security in the purest sense is impossible. In fact, it is the involvement of human beings in all things that perpetually assures insecurity. With human involvement come issues of intellectual competition, lack of education, inevitable error, injection of personality, potential acts of ignorance, laziness, retribution and unintended consequences. Whether you are talking about IT, personal or national security, your primary responsibility is identifying the real risk of loss and its impact. Your secondary responsibility is to balance the risk with the available solutions and financial and personnel resources. SRM must be a continuous and systematic process of analysis of the threats, their relative importance to the organization and then the ability to sustain a program of mitigation and further analysis.

The single biggest challenge in risk management is our human differences. While one individual may look at business SRM from the perspective of intellectual or financial asset protection, another might see it as preservation of reputation and brand. An honest person may see weakness where another sees opportunity. One may be keenly aware of a technical risk, while another is focused on social engineering. An executive sees potential loss of goodwill and customers, while a security manager is worried about his professional reputation and job. Anyway you look at it, risk management is first about a negotiation of priorities.

For some, it is only the existence of enforceable regulations with the threat of punishment that causes the implementation of SRM to become a priority. In the past, SRM was mainly focused on the direct protection of military information, financial assets and closely guarded secrets. The historical driver was business and government survival and a laser focus on keeping the bad guys away from those assets. Today, companies and individuals must guard not only their assets but those of others. This has also created some imbalance toward the protection of soft assets at the expense of other assets. Because the motivations for regulation are always political, one constituent may be served well to the detriment of another. One goal may be in direct contrast to another, and a middle ground must be found.

In recent years we have seen an exponential increase in the legal requirement to protect the hard assets (money, intellectual property and even identity) of those we do business with. I have included identity in hard assets because in the wrong hands, identity can result in significant loss of hard assets. Another aspect that is most challenging to place a value on is privacy and safety. These are what I will call soft assets at risk from emotional assaults like the release of an embarrassing medical history or passport travel records. Interestingly, they are also the assets that are being protected by ever expanding regulations.

So, with all of that said I can hear you asking, “What do I do? Where do I start?” Let’s start with analysis of the risks. To do proper analysis, you first need to win over the stakeholders and decision makers. In the majority of environments that I have consulted, this is a huge barrier to success. The significant disconnect between security practice managers and the boardroom is pervasive. To overcome disconnect, the security practice manager must learn to first listen and executives must be willing to engage those who are responsible for protecting them. The security practice manager must work to understand how the company makes its money, what are its real assets and who or what might do the company harm. Then you must agree on what a potential loss might do and what losses are tolerable. Only after the executives and security practice managers agree on what really matters can there be basis for risk analysis.

I know it’s difficult, but speak the language of the business executive and always be sure that they truly understand your points. You must work to avoid the tendency to speak in technical or industry jargon.  This is true in any business category. Don’t rattle off acronyms, complex engineering or other high-level language. Recognize that you are generally talking to people whose education relates to issues of profit and loss, strategy, resource management and other broad-form business concepts. If you try to bowl them over with your intellect, or the-sky-is-falling theories, you may end up with an executive who thinks you are insulting them. In your negotiation, be sure to accurately identify the ways and reasons a risk is being introduced and balance that with the potential exposure. If a sales person needs Internet access to do their job, barring him from going online is not an option. If they don’t need it, the risk of giving that sales person Internet access, may well outweigh the desire to have it. Don’t make these decisions in a vacuum. If you go too far down the road without understanding the impact, you may find your whole program unraveling.

Once you have agreed on what is at risk, the level of importance of each asset and how much loss is tolerable you can begin to identify a program of Security Practice Management.  Start with a calculation of the potential losses, then add in what you believe would be covered by insurance and other liability management instruments, and find your potential hard-dollar exposure. Don’t forget lawsuits, loss of goodwill, trust of clients, etc. Now decide what you are willing to spend, (potential investment budget) and begin allocation of resources by priority. There is never enough money, people or time to cover it all, so be sure that you don’t put money in to a low-priority risk, at the expense of one that can have a major impact. Thin and wide in the world of risk management equals no management at all.

However, even if you install the latest and greatest technology, close the holes in the fence and put locks on your doors there is always some new risk, some new attack technique and some agent that can cause harm. Treat security risk management as a systematic program of constant analysis and disciplined remediation and then buy lots of insurance.  Remember at the root of every effective Security Practice Management strategy is understanding how to manage fear and anxiety, and not about totally eliminating them.  It’s not about fear mongering, it’s about taking a practical and pragmatic approach to identifying and managing potential exposure.

Featured

  • New Report Reveals Top Security Risks for U.S. Retail Chains

    Interface Systems, a provider of security, actionable insights, and purpose-built networks for multi-location businesses, has released its 2024 State of Remote Video Monitoring in Retail Chains report. The detailed study analyzed over 2 million monitoring requests across 4,156 retail locations in the United States from September 2023 to August 2024. Read Now

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

Featured Cybersecurity

Webinars

New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3