Taking a top down approach
Devising and implementing a security strategy that includes input from all areas of an organisation is the only way to comprehensively minimise risk. Mike Bluestone of Corps Security and the Security Institute explains how adhering to the eight principles of security will help achieve this objective.
Identifying risk
Ensuring that an organisation, whether private or public sector, is as well protected as possible relies on the identification of potential risks to its personnel as well as to its physical and intellectual property. While this sounds straightforward enough, it has not always been easy to achieve due to the inability, or unwillingness, of risk management departments to work together.
A silo mentality often leads to a fragmented situation where security measures are either missing or even duplicated. It should always be remembered that security is just one facet within the broader concept of risk management – the others being financial, insurance, reputational, health and safety, corporate governance, and ultimate accountability.
Benefits of convergence
The good news is that the benefits of convergence are being recognised. In general, convergence signifies the coming together of two or more entities or phenomena, but when it comes to security it frequently refers to two distinct security functions – physical security and information security – working alongside each other as part of a coherent risk management programme.
With so many variables, predicting where and when an attack could take place is extremely difficult, so all organisations should carry out a comprehensive risk assessment – with contributions from teams at every level – to allow the most appropriate security solution to be identified. This includes an examination of the vulnerability of utilities and key supplies, along with a detailed examination of existing security measures. For organisations that are defined as being higher risk, or are in particularly sensitive areas, specific advisory support should be sought.
Eight principles for a security strategy
In order to carry out this process and work towards the best possible outcome there are some key areas to address. These form the eight principles of security.
The first of these is to define a policy and strategy. This should contain all assessed risks and threats and be endorsed at board level. Not only will this ensure that it is fully supported, it will also mean that an appropriate financial budget is allocated to carry out any necessary measures.
This should be followed by an information and intelligence gathering process to clarify the requirements. For example, an organisation that is moving premises should examine local crime trends and statistics in its new location, look at other building occupiers in the vicinity and assess whether they pose any direct or indirect dangers.
The third principle to consider is human resources, as people are the most important facet of any security programme. Human intervention is essential and trained personnel, whether specialist security officers or employees who have undergone security awareness training, are the eyes and ears of corporate security.
The next issue to address is an organisation’s technical means. The astonishing advances in technology have brought significant benefits to the way security solutions are configured. To be effective most strategies will utilise a combination of manned guarding and technology, including the use of remote monitoring where appropriate.
Next up is the need to define the control and supervision methods needed to manage the policy and strategy. Any confusion surrounding this issue can be positively dangerous, especially during the management of a crisis or contingency. It is then necessary to address the sixth principle and define procedures, as the best security people and technology in the world won’t produce optimum and safe results without sensible, clearly defined, easy to understand and workable practices.
The penultimate issue concerns the scheduling and completion of regular tests and drills. A security system that’s never been tested and drilled is an unknown quantity and may fail to operate as it should in the case of a real situation. Penetration tests are another useful tool in terms of highlighting security strengths and weaknesses.
This brings us to the final principle – the need for internal and external audits. The value of audits cannot be overstated and they will help determine whether the current policy and strategy is still adequate enough to contain all the established risks and threats. It should be remembered that premises, threat levels and circumstances all change over time, so a system must be constantly kept under review. It is also advisable to use, whenever necessary, the professional expertise of external security consultants.
Organisations that carry out a comprehensive risk assessment using a converged approach will be in the best position to benefit from these eight principles, which will in turn help to create a strategy that helps keep people and property safe.
Mike Bluestone
Corps Security