I recently attended the ASIS Middle East Security Conference & Exhibition in Dubai. A presentation by Jean Perois forced those present to ask questions surrounding security vulnerability and preparedness. Are we merely reactive to security threats? Do our investigations and processes lead to solutions and successful outcomes?
Many of us consider that, with a security provider, CCTV cameras, controlled access to buildings and demarcated areas in place, our valuable assets are safe. Then, when a security incident occurs, we have a hard time understanding how it could happen and scramble to fix the situation.
Oprah Winfrey once said, “Luck is a matter of preparation meeting opportunity.” Instead of being reactive, we need to anticipate issues and prepare for them.
In many countries it is becoming a mandatory exercise to incorporate a comprehensive risk assessment process. Such assessments will enable a corporation to evaluate what threats are credible and whether these could possibly be successful.
So, what does a risk assessment entail?
* Asset characterisation: Your first step is to identify your assets, evaluate their criticality and the impact that would be experienced should they be compromised.
* Threat assessment: Threats need to be identified and ranked, and your assets need to be assessed according to their attractiveness.
* Vulnerability analysis: The effectiveness of your current security measures needs to be evaluated, scenarios and consequences defined, and vulnerabilities identified.
* Risk assessment: Based on your vulnerability, threat and attractiveness variables, a risk ranking needs to be established.
* Countermeasure analysis: Through this analysis, organisational and procedural changes and processes need to be put in place, and one needs to ensure that these work.
In order for a risk assessment to be advantageous, it needs to be put into practice. Do not make the mistake of going to all the trouble of identifying threats and creating solutions without applying the information.
A key component of ensuring your risk assessment is viable is vulnerability testing. This requires you to actually test your security process and response. For example, if you are a manager at a shopping centre and you want to test your security with regard to car theft, plan a scenario in which a car is stolen and measure the reaction.
Once you have identified your organisational and procedural changes, communicate them to your staff and educate them on a consistent basis to ensure their understanding. Very often, security measures fail because your workforce is unaware of procedures. I say it again: on a consistent basis. This information needs to be available during the induction process and then through regular training sessions.
Also, risk assessments cannot be a once-off occurrence. You need to conduct assessments on a regular basis. Depending on the value and criticality of your assets, I suggest quarterly or at least twice a year, particularly to assess the effectiveness of your security measures.
I cannot stress enough the importance of preparedness, not only from a security point of view, but from cost as well. It is far more cost effective to do a risk assessment than to lose most or all of your assets.
For more information contact iFacts, +27 (0)82 600 8225.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.