
Physical security risk assessment: The dream and the reality

June 7, 2019 by Lindsay Woolward

Copyright: trashhand and Pexels

 

The following is a guest post by a 2019 Secure360 Start-Up Corner sponsor, Quill Security.

 

Physical security is fiendishly complicated. There are hundreds of threats to worry about, thousands of individuals and assets to protect and tens of thousands of security measures to consider. Nobody has the security staffing to stay on top of every nuance, so the best security directors rely on periodic security risk assessments to get a snapshot of their whole risk picture, evaluate if they should consider new security measures and see if an evolving threat landscape requires a change in strategy.

The dream

I’ve spent the last five years as a security consultant and most clients I’ve worked with have had a dream of what a physical security risk assessment project will yield: specific data, good options and the best path to take. They’re going to find an expert team to tour their facilities, make astute observations and deliver an accessible report illustrating the findings and recommending a course of action. They’ll use the resulting report to make a clear, achievable five-year plan. They’ll answer a simple question: how are we going to protect our organization with the resources we have?

The reality

The brutal reality only starts to become apparent when proposals start coming in. It’s going to cost up to $6,000 per building to conduct comprehensive assessments, eating up dollars set aside to actually implement measures. The project is going to take the better part of a year to complete. On top of that, it’s going to take 20 hours per week of project management to set up the site visits, coordinate all the interviews, review updates and keep the project on track.

The unfortunate and inescapable truth about typical security risk assessments is that understanding all the variables takes time, whether you’re an industry expert or not. Each facility is unique and even the most astute consultant must take time to understand everything that’s going on, answering questions such as:

  • What incidents have occurred in the last five years?
  • What is local crime like?
  • What operations happen in the building and what assets are critical to those operations?
  • How effective is the site’s emergency planning and staff training?

These are just a few of the hundreds of questions that must be asked, answered, quantified, analyzed and interpreted, all billable at $150 per hour or more.

It only gets worse after the report is in and the bill is paid. Don’t get me wrong: a good security risk assessment report will deliver data. It will lay out the options. It will illustrate a path. None of that matters when you start trying to put together a procurement plan and find out that implementation costs will be ten times what you have budgeted. When you get the proposal in front of the board and they veto the second and fourth recommendations for being too expensive, disruptive, or draconian to consider, the consultants aren’t going to come back and adjust the plan.

The reality is that for all the time, money and effort, you’re left with a plan full of holes and the same question you had at the beginning: how are we going to protect our organization with the resources we have?

But it doesn’t have to be that way.

The central contradiction that makes security risk assessments so hard to use well is that the two core goals (gather accurate data quickly and build resilient institutional knowledge) end up being mutually exclusive. Using your own security department requires fitting assessments in beside normal operations, with the effort stretching to months or years. Your earliest assessments go obsolete before you’ve started the last ones. Moving faster means hiring experts to gather and interpret the data, at the cost of not understanding it yourself or being able to adapt when the tough decisions have to be made.

In order to achieve the dream of good data, sensible options, and a clear path to follow, you have to divide the goals of acquiring accurate data, evaluating options, and selecting direction. Use experts to gather the data. Have them deliver it in a computer model that evaluates all the options in real time. Use the model to select the best direction. The model says facial recognition cameras are effective but the board is squeamish? No problem – remove them from consideration and let the model produce alternative measures you can implement to achieve the reduction you need. Reinforcing entrances is necessary but too expensive? Pinpoint where across your organization it will do the most good and right-size the project to the budget.

We’re fortunate to live in a world where the cloud can deliver trillions of calculations per second directly to your phone and be constantly updated in real time. The best security risk assessment projects today won’t give you binders of findings summaries: they’ll deliver the underlying data as the risk model you need to understand your entire risk picture at a glance, quickly identify your most at-risk locations and instantly select the best measures on the market to effectively mitigate your risk.

Filed Under: Guest Posts, Business Continuity Management, Physical Security, Risk and Compliance

About Lindsay Woolward

Lindsay Woolward has been a physical security consultant since 2014, assessing security posture and charting a path to effective risk mitigation for cities, counties, school districts and universities from Florida to Washington. Woolward started Quill Security Technology in 2017 with co-founder Lewis Werner to address two frustrating inefficiencies in security assessment and plan implementation: the time between observation and report delivery and the inflexibility of an accepted report in the face of budgetary, operational and political concerns.
