Security Assessments – Are You Getting the Best ROI?
In the past decade, the security assessment methodology has gravitated from the government to the private sector, especially within the critical infrastructure communities. The private sector has come to the realization that there is a cost benefit to securing its interests. Companies are now allocating budgets for security initiatives and hiring private consultants to assess their security posture and recommend mitigation measures that reduce or eliminate vulnerabilities. But are you getting the best return on investment (ROI) with the process you are using?
Stakeholders need to carefully consider whether the assessment process is really providing them the critical information they need, or whether it is just a “check the box” process. If your organization is going to spend time, money and effort conducting assessments of your facilities, operations and assets, make sure you are getting the proper ROI. Your consultant or security expert should develop a personalized tool with a true end-to-end assessment methodology. At a minimum, the assessment process should include the following elements:
- An open source review of the facility, operation, and key personnel. Is the organization giving away too much information?
- Threat assessment for that particular facility, operation, or geographical region (historical and current threats)
- Interviews of all key stakeholders and key personnel at the facility:
  - Emergency Management/Safety
  - Facility Services
  - Network Security
  - Executive Management
- An All Hazards Assessment to determine threats from:
  - Human Caused Events
  - Natural Hazards (fires, floods, earthquakes, etc.)
  - Technological Hazards (systems, networks, backups, redundancies)
- Full scope physical security (vulnerability) assessment:
  - Physical Security (gates, fences, guards, bollards/barriers, security systems, access control systems, etc.)
  - Security Operations
  - Cyber Security
  - Scenario Based Penetration Testing
  - CPTED (Crime Prevention Through Environmental Design)
- Plan and Policy Review:
  - Emergency Action/Disaster Preparedness Plans
  - COOP Plans
  - Security Plans
  - Anti-terrorism/Counter Surveillance Plans
  - MOU/MOA with local emergency services organizations
  - Training and Exercise Process and Plans
  - Are all plans integrated with each other?
At the conclusion of an assessment, your security expert should recommend concrete mitigation strategies and give stakeholders clear options:
- Mitigate the risk (preferred), or
- Transfer the risk, or
- Accept the risk
Organizations must carefully scrutinize the assessment tool or process being utilized and make sure they are getting the best ROI for the time, money, and effort they are expending.
Steve Schrimpf is the President of GCS Security Services LLC, an international risk mitigation and security firm specializing in a wide array of security consultancy and risk advisory services. Since 1986, Mr. Schrimpf has had highly specialized training and experience in overseeing physical security programs and conducting vulnerability, criticality and threat assessments for some of our nation’s most critical operations, assets and facilities. He holds a Master Certification in Infrastructure Protection from the Department of Homeland Security.
He is also a Chairman for the American Society of Industrial Security (ASIS) International, a certified Terrorism Liaison Officer working within the national fusion center framework, and an active member of InfraGard, an FBI-led coalition of public and private security professionals dedicated to the protection of critical infrastructure components. He is a graduate of the Security Engineering and Design Course (USACE) and holds a B.S. degree in Organizational Management and a Master’s degree in Human Resource Management.