The following is a guest post by a 2019 Secure360 Start-Up Corner sponsor, Quill Security.
Physical security is fiendishly complicated. There are hundreds of threats to worry about, thousands of individuals and assets to protect and tens of thousands of security measures to consider. Nobody has the security staffing to stay on top of every nuance, so the best security directors rely on periodic security risk assessments to get a snapshot of their whole risk picture, evaluate if they should consider new security measures and see if an evolving threat landscape requires a change in strategy.
I’ve spent the last five years as a security consultant and most clients I’ve worked with have had a dream of what a physical security risk assessment project will yield: specific data, good options and the best path to take. They’re going to find an expert team to tour their facilities, make astute observations and deliver an accessible report illustrating the findings and recommending a course of action. They’ll use the resulting report to make a clear, achievable five-year plan. They’ll answer a simple question: how are we going to protect our organization with the resources we have?
The brutal reality only starts to become apparent when proposals start coming in. It’s going to cost up to $6,000 per building to conduct comprehensive assessments, eating up dollars set aside to actually implement measures. The project is going to take the better part of a year to complete. On top of that, it’s going to take 20 hours per week of project management to set up the site visits, coordinate all the interviews, review updates and keep the project on track.
The unfortunate and inescapable truth about typical security risk assessments is that understanding all the variables takes time, whether you’re an industry expert or not. Each facility is unique and even the most astute consultant must take time to understand everything that’s going on, answering questions such as:
- What incidents have occurred in the last five years?
- What is local crime like?
- What operations happen in the building and what assets are critical to those operations?
- How effective is the site’s emergency planning and staff training?
Hundreds of questions that must be asked, answered, quantified, analyzed and interpreted, all billable at $150 per hour or more.
It only gets worse after the report is in and the bill is paid. Don’t get me wrong: a good security risk assessment report will deliver data. It will lay out the options. It will illustrate a path. None of that matters when you start trying to put together a procurement plan and find out that implementation costs will be ten times what you have budgeted. When you get the proposal in front of the board and they veto the second and fourth recommendations for being too expensive, disruptive, or draconian to consider, the consultants aren’t going to come back and adjust the plan.
The reality is that for all the time, money and effort, you’re left with a plan full of holes and the same question you had at the beginning: how are we going to protect our organization with the resources we have?
But it doesn’t have to be that way.
The central contradiction that makes security risk assessments so hard to use well is that the two core goals – gather accurate data quickly and build resilient institutional knowledge – end up being mutually exclusive. Using your own security department requires fitting assessments in beside normal operations, with the effort stretching to months or years. Your earliest assessments go obsolete before you’ve started the last ones. Moving faster means hiring experts to gather and interpret the data at the cost of not understanding it yourself or being able to adapt when the tough decisions have to be made.
In order to achieve the dream of good data, sensible options, and a clear path to follow, you have to divide the goals of acquiring accurate data, evaluating options, and selecting direction. Use experts to gather the data. Have them deliver it in a computer model which evaluates all the options in real time. Use the model to select the best direction. The model says facial recognition cameras are effective but the board is squeamish? No problem – remove it from consideration and let the model produce alternative measures you can implement to achieve the reduction you need. Reinforcing entrances is necessary but too expensive? Pinpoint where across your organization it will do the most good and right-size the project to the budget.
We’re fortunate to live in a world where the cloud can deliver trillions of calculations per second directly to your phone and be constantly updated in real time. The best security risk assessment projects today won’t give you binders of findings summaries: they’ll deliver the underlying data as the risk model you need to understand your entire risk picture at a glance, quickly identify your most at-risk locations and instantly select the best measures on the market to effectively mitigate your risk.