Knowing Where to Begin
When creating something new, sometimes the most difficult part is knowing where to start. Let’s assume that your organization has or is currently experiencing some form of risk within your corporate environment. One of the most common deficiencies we see in security programs is their inability to scale their resources to match the rapid growth of the organization. For example, larger facilities have greater access control concerns, employees may travel more, and an expanding workforce can escalate the threat of workplace violence. With these new challenges, security departments are stretched thin and struggle to perform efficiently. This is why it is vital to give security programs and risk management greater consideration within your annual planning and budget.
When discussing future security initiatives, it is important to note that technical and human assets are cost centers to a corporation’s security program. The capital contribution can be greatly misunderstood by many organizations when establishing a security program aimed at explicitly curbing life-safety liabilities. When dealing with human assets, you must contend with human error, third-party providers, turnover, and even potential union regulations. These issues can significantly burden an organization when trying to justify reasonable needs for increased security costs to stakeholders who may not always see the value. Establishing your security department or program is much less complex than we are sometimes led to believe; however, we must begin with the #why. Leaders and stakeholders should understand why they need improved security within their corporate ecosystem before indulging in all of the latest and greatest security systems and technologies.
At The North Group (TNG), we quickly evaluate corporate risk through the formula (below). We use this formula to determine financial, legal, life safety, and insurance liabilities. At times, all of these liabilities can come at once.
Risk = (Threats x Vulnerability / Countermeasures) x Impacts
There are many ways to evaluate your security capabilities. When building your security program, aiming small to miss small is imperative. Focusing your efforts and taking it one step at a time will enable you to stay within your intended target instead of missing it altogether. You will not be able to accomplish every objective for growth at once. Still, you can develop a scalable, obtainable, and sustainable security program by identifying the factors and risks surrounding your key liabilities that were listed above. Below are some examples of how this can beaccomplished.
1. Understanding your risk and establishing itemized values to each.
2. Collect and gather all information pertaining to risks/threats posed to your organization.
3. Create components for assessing your vulnerabilities.
4. Develop your security program without changing the culture of the organization. If anything, if this is done correctly it could potentially strengthen your culture.
5. Understand the appetite of stakeholders to spend money on organizational security growth.
6. Understand countermeasures currently in place and what needs to be improved.
7. Conduct impact studies on your primary risk areas and provide metric-based reports to stakeholders.
Once the above examples have been addressed and have done your due diligence, it is imperative to establish a routine re-evaluating of your risks surrounding deploying your security assets. In preparation of developing or improving your own security program, understanding your organization’s security ecosystem offers a fundamental structure for you to build upon. We have outlined the five pillars of a corporation’s security ecosystem in the following section, with the intent of providing guidance through the development process.
Pillar #1: Physical Security.
Physical security encompasses your technical and human assets. Technical assets include access control systems, security cameras, fencing, and barriers. In contrast, human assets are what they sound like, your corporate security personnel, executive protection agents, and security drivers.
The technical development of a physical security program should start with a well-rounded provider. Most organizations currently face what we call “technical debt.” While this term has many faces for different markets and industries, in the physical security realm, it means a system has reached its end-of-life phase before the cost or burden of the products produces a return on investment (ROI).
Technical debt creates many potential problems, including:
1. System failure due to age
2. Inaccessibility to cloud-based systems
3. A lack of current knowledge of how to extract data from an old system
4. Unqualified system maintenance
5. Lack of interoperability between the system and the host network
6. Greater susceptibility to intrusion
All roads lead back to continued planning and assessments. Cutting corners with this part of your program can lead to higher costs in the long run. Here are five ways to reduce or eliminate your technical security program debt:
1. Create a plan for the legacy management of your technical security systems. Then automate your testing procedures. Manual testing will cost more and be largely inefficient to your risk matrix.
2. Build and oversee through a project management structure. You will save a considerable amount of money by doing so.
3. Establish your own internal security system best practices.
4. Know your provider and review their budget. Significant technical upkeep can hide overages and price gouging by security providers. Establish standards and expectations for your provider or servicing department.
5. Buy what is scalable, not what is cheap. We often focus on the quick and most inexpensive providers as purchasing authorities, but who wins in the end? The lowest technical bidder awarded the contract tends to focus on their own needs, not the customers.
Pillar #2: People.
People are a vital component of organizational success. Security and safety programs are primarily built to protect employees from risk and liabilities. Physical security is a key component when considering how to protect your staff, but it starts long before they appear for their first day of work. Creating or choosing who will create your corporate security program must be centered around the integration of current and future environments and building upon your current corporate culture, not dissolving it.
It is imperative to manage and track the following relationships within corporate security:
1. All permanent and contracted staff
2. Partners
3. 3rd party vendors
4. Visitors
5. Special situations or public events
Executive Leadership and Human Resources should dictate some of this, with proper processes and protocols. Your security program should also have an in depth understanding of threat management regarding human-based risks. Remember that risk and exposure variables can differ by industry. This can largely depend on operating footprint, growth, products, market indicators, brand risk, reputational risk, exposure to foreign governments, capital investments, investor relations, leadership, corporate culture, and demographics.
To build your security program with human-based risk in mind, using our formula, Risk = (Threats x Vulnerability / Countermeasures) x Impacts. 1) Assess those key areas where vulnerability and threats to your people may arise; 2) Evaluate the current countermeasures you have in place to protect your people and mitigate vulnerabilities; and 3) Identify what impacts may apply in each vital area. It is then you will be on your way to understanding your true security needs to protect and mitigate risk for your personnel.
Pillar #3: Data.
Data security is critical in most circumstances when creating a corporate security program. Many times, third-party providers are brought in to fix a security-related matter or perform a risk assessment. For those existing security departments, the first question we ask is: What is your relationship with your IT security and what does that communication look like?
We often learn that this is a “Church & State” issue – meaning complete separation. There is no working relationship, and this could be detrimental to overall operations. Collaboration between IT and Security is vital when talking about data security.
Data equals money. Ransomware, hacking, and data security are unforgiving when you have a security program that is not in tune with your data security risks on a regular basis. This can lead to exposing trade secrets, confidential employee and client data, and IoT (Internet of Things) access. It can also create adversarial opportunities, allowing bad actors to find ways to exploit the gap between data security and corporate security management/programs.
How a Corporate Security Program should assess a stand-alone relationship with IT/Data Security:
1. Over-communicate.
2. Create reporting metrics for each other’s departments.
3. Conduct joint assessments and planning.
4. Jointly validate physical and cyber security capabilities.
Pillar #4: Infrastructure Security.
Infrastructure Security is interconnected with IT security but focuses on how your networks talk to your remote sites, offsite workers, website, supply chain operations, and more. A good corporate security program will contain a section outlining its infrastructure safety and security policies, procedures, and practices by incorporating the risk matrix process. Although that process varies from company to company, it is part of the necessary due diligence. It will lead to a greater understanding of facility management, IT, human resources, stakeholder input, and various other corporate divisions and components.
Infrastructure Security is the backbone of a corporate security program, do not lose sight of how important this component is when building or managing your program.
Creating a validation and assessment tool will help track and manage the infrastructure security risks your corporate security program is responsible for overseeing. Work with stakeholders to maintain continuity and ensure you are on the same level of understanding regarding the risks to the corporate infrastructure. Maintain tracking meetings, problems addressed, and gaps occurring for legal liability purposes.
Pillar #5: Crisis Management.
Crisis management is where our operations thrive with respect to when all “hell” breaks loose. As a company, our focus has primarily lived in this environment until recently. The reasoning behind this was we excelled at seeing it, understanding what we were assessing, and creating “out of the box” strategies to mitigate the crisis. We have found that building a corporate program (or management team) around early warning detection and embedding personnel to manage the program while being able to respond to a crisis has been widely successful for both the customer and TNG.
Considering all variables.
When addressing corporate security programs from a development phase, you will need to consider the variables of a current crisis or one that may arise. Some are small, with large dollar signs, and some are large, with even largerdollar signs. That is where your response comes down to some critical components that, if performed correctly, can save time and money.
How to prepare for what you don’t yet see:
1. Work your various concerns through the risk matrix.
2. Build a crisis response group within your organization’s ecosystem and meet at least quarterly.
3. Establish trigger warnings or events that mandate collaboration.
4. Perform a corporate crisis-based risk assessment for your direct or embedded security team.
5. Don’t validate everything internally. Doing so is like grading your own test and can create risk-based debt.Consult with third-party vendors on planning and preparedness.
6. Have your leadership team voice their crisis concerns.
Focused thinking about crisis management for your security program:
1. Build clear and concise documentation systems for all your corporate security-related policies and procedures. Have human resources review and legal approve them.
2. Write and test Emergency Response Plans for all areas of human-based security, physical security, infrastructure security, and other places you may face risk. This is where a third-party corporate risk assessment can be critical to minimize your areas of liability.
3. Know and understand your business continuity plan. If you don’t, you won’t have time to figure it out when you have to use it. Business continuity plans are relatively easy to create. Your corporate security program development should include these plans, as your corporate security team will be vital in executing and mitigating further risk.
4. Recovery Plans: The Crisis has happened, and you’re now attempting to return to normalcy. If you had a workplace violence incident, a pandemic, or an employee passes away. Your disaster recovery plan should include the following:
a) What is the situation? Is it workplace violence, an act of God, a cyber-attack, or fire?
b) Where are our corporate operations currently?
c) Who is in charge?
d) Where should we focus first?
e) Who has been affected?
f) How many people have been affected?
g) What are the impacts?
h) What have we lost?
Pricing Your Organization’s Security Budget
Pricing your security budget is the cultivation of all the things we have identified through your assessments, needs analysis, and risk matrix development.
A straightforward way to formulate a Rough Order of Magnitude (ROM) pricing, while addressing an organization’s return on investment into a security program, that is either designed or developed, is to employ something that TNG has used for several years.
Risk-Based Pricing Process
1. Identify the value of your business based on gross annual revenue and multiply that number by 0.0134.
2. Create a cost proforma sum around your overhead and again multiply that number by 0.0134.
3. Evaluate and create a sum of potential legal liabilities.
4. Evaluate and sum your annual spend in insurance costs.
5. Create a cost benefit analysis around these items to your overall security program development costs and annual security budget.
If your sums multiplied by 0.0134 are greater than your estimated budget for your security program or department, then it is recommended that you reevaluate, through a needs analysis, of what your security budget should be.
Conclusion
Remember, building a security program doesn’t have to be intimidating. Keep the risk formula, five pillars and tips in mind when constructing the program. If you have more questions or would like to learn more about creating corporate security programs or embedded security services, please contact The North Group at (844) 750-9222 or email us at info@tngdefense.com. For more articles like this visit our blog section.
