Leveraging Risk Assessments to Raise Funding for Your Security Program


Presenter: Shawn Reilly, CPP, PSP, CHPA, CPD

Sources of Information
- ASIS Facilities Physical Security Measures Guideline
- Design and Evaluation of Physical Protection Systems, 2nd Edition
- Effective Physical Security, 4th Edition
- Implementing Physical Protection Systems: A Practical Guide, 2nd Edition
- Risk Analysis and the Security Survey, 4th Edition

Finding a Funding Way (Overview)
- Risk Assessment: The Process and Results
- Physical Protection System (PPS)
- Tools in Your Toolkit
- Presenting Your Business Case
- Gathering and Presenting Your Data
- Just Be a Harder Target

What Do You Want from Your PPS?
The right countermeasure at the right place and right time.

Risk Management Process Flow
1. Assess assets
2. Assess threats
3. Assess vulnerabilities
4. Assess risks
5. Determine countermeasure options
Then make risk management (RM) decisions.

How are vulnerabilities different from risks, and how are risks different from threats?
RISK: The potential for damage or loss of an asset.
THREAT: Any circumstance or event with the potential to cause loss or damage to an asset.
VULNERABILITY: A weakness or flaw that can be exploited by a threat.
COUNTERMEASURE: An action taken or a physical entity that reduces or eliminates one or more vulnerabilities.
COST BENEFIT: A comparison between the cost of a countermeasure and the value of an asset.

What Is Your Foundation for Funding the Physical Protection System (PPS)?
There has to be a systematic approach. The foundation must always be the risk assessment.
Sun Tzu: "Act after having made assessments."

Risk Assessment
- What are you protecting, and from what?
- Where are the greatest threats and vulnerabilities to your most critical assets?

The Risk Assessment Process (flow)
Assets: research; identify the critical assets; rate their impact (impact matrix, impact level).
Threats: research. Part I: identify the threats. Part II: the adversary's needs and wants, indicators, and history (suspected, attempted, successful). Intent, capability and history give the threat level (threat matrix).
Vulnerability: research the current countermeasures against the identified threats to assets (vulnerability decision matrix).
Risk assessment: gather all the data and apply it to one matrix: impact / threat / vulnerability / overall / acceptable risk.
Countermeasures: apply a new countermeasure, reassess the vulnerability (new, lower score), and ask: is the risk now acceptable?

The Formula
R = Pa * (1 - Pe) * C
R: risk
Pa: probability of attack
Pe: combines both the probability of interruption (Pi) and the probability of neutralization (Pn)
C: criticality

Elements of the Risk Process
Risk assessment, mitigation alternatives, risk management decision.

Risk Elements
Risk Assessment: determines the most critical assets, threats, and vulnerabilities (in priority order).
Risk Mitigation Alternatives:
- Assumption: accept the risk
- Avoidance: move the asset
- Limitation: implement controls to limit impact (preventive, detective, and response)
- Transfer: buy insurance
- Site hardening: use the PPS to reduce vulnerability (policies, equipment, people)
Risk Management: takes all aspects of the risk process and makes a decision.

Risk Assessment Methodology
Gather data on:
- Assets: via interviews of staff and documents identifying high-risk areas.
- Threats: via crime history and staff perceptions of threats; risk of crime through data mining.
- Vulnerability: via assessment of the adversary path and tests of the security response to alarms.

Assets
- Determine what assets are most critical to the organization.
- Use the mission and vision statements to learn what is important to the organization.
- Interview leaders of key departments.
- Interview front-line supervisors and workers to understand what is important to their jobs.
- People, facilities, equipment, information, other.

Threats
Who threatens the organization's assets? Three kinds of bad guys:
- Outsider
- Insider
- Outsider with the help of an insider
History, capability, intent: the more of these elements are present, the higher the threat.

Vulnerabilities
- What countermeasures are in place to deter the threat?
- Are they difficult to exploit?
- Are they layered from the perimeter to the asset?

Countermeasures
Sometimes what seems to be the most obvious countermeasure may not be the right one.

Selected countermeasures should address:
- Effectiveness (cost-benefit analysis)
- Return on investment
- Total cost of operation
Be sure to address all three aspects of the PPS:
- Policy / procedure change: no cost
- Equipment change: medium to high cost
- Adding manpower: high cost
The PPS consists of policies and procedures, equipment, and manpower. The risk assessment drives this process.

Design and Evaluation Process (from system objective to final design)
1. PPS objectives: facility characterization (characterize the assets), define the threat, identify the target.
2. PPS design: detect, delay, respond.
3. Analysis and evaluation: EASI, ASD, risk assessment.
4. Final design, or redesign.
Make the equipment fit your goals, not the goals fit the equipment.

Tools in Your Risk Assessment Toolkit
- Design Basis Threat (DBT)
- Adversary Path (Adversary Sequence Design)
- Estimate of Adversary Sequence Interruption (EASI)
- Drills (announced and unannounced)
- Badge survey (a snapshot in time)

Tools: Design Basis Threat (DBT)
"He who defends everything defends nothing." Frederick the Great
The adversary against which the utility must be protected (Patterson, 2007) (ASIS Protection of Assets Manual, Physical Security).
Determining the DBT requires consideration of the threat type, tactics, mode of operations, capabilities, threat level and likelihood. Other characteristics of the threat to consider: vehicles, weapons, tools, or explosives, and the threat's motivation. It is critical that these characteristics are described in the DBT because later, during the vulnerability assessment (VA), they will help in gauging the effectiveness of the individual PPS components, as well as the overall system.

Tools: Adversary Sequence Design (from the Garcia book)
Task 1: Climb fence, mean time 0.1 min
Task 2: Run 80 ft, 0.3 min
Task 3: Force door, 0.8 min
Task 4: Walk 50 ft, 0.4 min
Task 5: Walk to container, 0.2 min
Task 6: Cut lock, 0.1 min
Task 7: Open container and gather material, 0.2 min
Task 8: Escape, 0.9 min
Total time: 3.0 minutes

Tools: Estimate of Adversary Sequence Interruption (EASI)

Tools: Drills
Unannounced drills will determine the response capability and times to those areas that the client has deemed important enough to have alarms installed. Response times will determine if proper delays are in place to stop a threat before the perpetrator has time to depart the area. Having more than 6 drills can afford you the opportunity to establish an average response time along with a standard deviation.

Conducting the Risk Assessments
- If you are not well versed in conducting assessments, find someone who is.
- Make it an annual review, or do it when a significant change occurs in assets, threats or vulnerabilities.
- Bring an outside agency in to have an unbiased look at your organization.
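The formula slide (R = Pa * (1 - Pe) * C), the adversary sequence table and the drills slide fit together in one calculation, and that calculation is what a funding request can be built on. The Python below is an added example, not code from Shawn Reilly's slides or from the books they cite: it takes the slide's eight task times, a constructed set of seven drill response times, and assumed per-step detection probabilities, computes a simplified EASI-style probability of interruption (detection is assumed to fire at the start of a step; task times are assumed to vary with a 25% standard deviation), and then applies the risk formula with Pe taken as Pi times Pn (Garcia's combination rule; the slide only says that Pe "combines" the two). All function names, the detection probabilities and the drill figures are this example's assumptions.

```python
# Added worked example (not from the slides): adversary sequence, drill-derived
# response time, a simplified EASI-style Pi, and R = Pa * (1 - Pe) * C.
import math
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    mean_minutes: float   # delay the current PPS imposes at this step (from the slide)
    p_detect: float       # chance this step raises an alarm; assumed value, not from the slide


# The eight tasks and mean times from the "Adversary Sequence Design" slide (total 3.0 min).
# The detection probabilities are constructed for illustration.
ADVERSARY_PATH = [
    Task("Climb fence", 0.1, 0.3),
    Task("Run 80 ft", 0.3, 0.0),
    Task("Force door", 0.8, 0.9),
    Task("Walk 50 ft", 0.4, 0.0),
    Task("Walk to container", 0.2, 0.5),
    Task("Cut lock", 0.1, 0.0),
    Task("Open container, gather material", 0.2, 0.0),
    Task("Escape", 0.9, 0.0),
]

# Constructed results of seven unannounced drills (minutes from alarm to officers on scene),
# i.e. the "more than 6 drills" the slide says you need for a mean and a standard deviation.
DRILL_RESPONSE_MINUTES = [2.0, 2.5, 1.9, 2.7, 2.2, 2.8, 2.0]


def total_path_time(path):
    """Adversary task time from the first step through escape, in minutes."""
    return sum(t.mean_minutes for t in path)


def response_stats(drills):
    """Mean and sample standard deviation of drill response times (needs at least 2 drills)."""
    return statistics.mean(drills), statistics.stdev(drills)


def normal_cdf(x):
    """Standard normal CDF via the error function, so no SciPy is needed."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def prob_interruption(path, drills, task_sd_fraction=0.25):
    """Simplified EASI-style Pi: probability that some step detects the adversary AND the
    response arrives before the remaining delay runs out. Assumptions: detection fires at
    the start of a step; remaining delay is normal with sd = task_sd_fraction * mean;
    response time is normal with the drill mean and sd. Steps are walked in order, so each
    step's contribution is weighted by the chance that no earlier step already detected."""
    mean_rt, sd_rt = response_stats(drills)
    p_undetected = 1.0
    p_i = 0.0
    for idx, task in enumerate(path):
        if task.p_detect == 0.0:
            continue
        remaining = sum(t.mean_minutes for t in path[idx:])   # delay left after detection
        sd_remaining = task_sd_fraction * remaining
        z = (remaining - mean_rt) / math.hypot(sd_remaining, sd_rt)
        p_in_time = normal_cdf(z)                              # P(response < remaining delay)
        p_i += p_undetected * task.p_detect * p_in_time
        p_undetected *= 1.0 - task.p_detect
    return p_i


def risk(p_attack, p_interrupt, p_neutralize, criticality):
    """R = Pa * (1 - Pe) * C with Pe = Pi * Pn (Garcia's rule; the slide only says Pe
    'combines' Pi and Pn, so the product is an assumption of this example)."""
    p_e = p_interrupt * p_neutralize
    return p_attack * (1.0 - p_e) * criticality


def with_longer_delay(path, task_name, new_mean_minutes):
    """Model a countermeasure that adds delay at one step (e.g. a stronger door) so the
    vulnerability can be reassessed, as the process slide describes."""
    return [Task(t.name, new_mean_minutes, t.p_detect) if t.name == task_name else t
            for t in path]


if __name__ == "__main__":
    mean_rt, sd_rt = response_stats(DRILL_RESPONSE_MINUTES)
    print(f"Adversary path: {total_path_time(ADVERSARY_PATH):.1f} min; "
          f"response {mean_rt:.2f} +/- {sd_rt:.2f} min")
    pi_now = prob_interruption(ADVERSARY_PATH, DRILL_RESPONSE_MINUTES)
    hardened = with_longer_delay(ADVERSARY_PATH, "Force door", 2.0)
    pi_new = prob_interruption(hardened, DRILL_RESPONSE_MINUTES)
    for label, pi in (("current door", pi_now), ("hardened door", pi_new)):
        # Pa=0.5, Pn=0.9 and C=100 are constructed inputs for the comparison.
        print(f"{label}: Pi={pi:.2f}  R={risk(0.5, pi, 0.9, 100):.1f}")
```

Running it shows the before/after figure the slides keep pointing at: with the constructed drill times the response (about 2.3 minutes) is close to the 3-minute path, so Pi sits around 0.65, and lengthening a single delay element (the door) pushes Pi toward 0.87 and lowers R accordingly. That pair of numbers, tied to a specific countermeasure and its cost, is the quantitative core of the business case the later slides ask for.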

The risk assessment is a dynamic process and can change over time.

Food for Thought: Risk Homeostasis
As you get more secure, people begin to take more risks. The opposite is true as well. In either case, there is a risk appetite that people are willing to take. Know your C-suite's appetite.

Getting the Project Funded
After you determine the greatest threats and vulnerabilities to your most critical assets, how do you get the money for the equipment you need? You go to your boss.

Before You Go to Your Boss for Funding

Are You Seen as a Cost or an Investment?
To get funded, you have to understand and articulate a business case. Define the return on investment (ROI) and the total cost of operation (TOC), and develop a cost-benefit analysis of the PPS you are proposing. If you don't or can't, everyone will continue to see you as a cost to the organization and funding will come very slowly.

Return on Investment
If what you want costs $100,000, what will your organization get for its investment?
- Reduced crime
- Enhanced investigations of crimes that do occur
- Reduced liability exposure
- Less tangible benefits, such as:
  o A greater sense of safety for employees and customers
  o A positive reputation
How long will it take to save $100,000 in thefts to pay for the system?
Liability cases: it's better to follow case law than to make it.

Total Cost of Ownership
To truly identify what a system costs, you have to include recurring maintenance over the life span of the equipment. Keeping your system running can't be hit and miss; you need to have the equipment up and running. The worst thing you can do is finally get the money and then have the system not work as YOU advertised. Part of the cost of getting the equipment is budgeting for a service agreement or hiring people to do it. Few organizations have the expertise to maintain today's complex PSIM systems.

Other Economic Impacts
- What if the system fails? Are you prepared to take compensatory measures?
  o Add manpower, redirect existing equipment, change procedures for as long as the system is down.
- When will it have to be replaced? Have you ever looked at the amortization on the equipment you already own? Most likely it's 10 years, despite the fact that you know that in 5-8 years it will have to be replaced, if not sooner.
- Will the technology be outdated and unserviceable soon?

Organizational Culture
Do we have to be that good? A real-life example:
- Will they allow a big ugly camera hanging off the building they consider to be artwork?
- Are the employees willing to wear an ID badge?
- Is adding a fence considered to be creating a fortress?

Working with Facilities
- How do your security needs fit into the overall organization's goals?
- If there is a total of $100,000 in capital for everyone, having a $100,000 need is not realistic.
- What capital projects are being funded? Those projects show you what is important to the organization.
- Create a security standard for Facilities project managers to use before the budget is set: a fundamental CPTED concept.

Getting the Project Approved
Sample project titles:
- Advanced Access Control System for Floors 2-5, OR
- Enhanced Nurse Safety Through Positive Identification and Access Control
Which title would spark the interest of hospital decision makers? Each industry has words that spark interest or a response. Learn how to use these terms in your proposals to their best effect.

Data
What are the key performance indicators of the health of your department? Measure where you are and determine where you want to be.
Gap analysis example: you are experiencing 28 thefts a month. Similar organizations have an average of 18 thefts a month. You want to be below 13. How do you plan to get there? Use the risk assessment to identify the most critical assets at the greatest risk.
Metrics are also the business way of communicating to your boss how you are doing and where attention is needed.

What Should You Measure?
Activities: crimes, financial, volume, quality, service, and most anything else that is measurable. If it's not measurable, it's not worth reporting.
SMART: Simple, Measurable, Achievable, Realistic, and Time-bound.
After measuring your key indicators you have to tell someone. Sending your boss a spreadsheet with hundreds of inputs will never be read. Try creating a dashboard.

Dashboards can be as complex as this, or...

Simple Dashboard Example
One chart of three metrics (thefts, assaults, parking), each colour-coded against its goal (key: 10% not meeting goal; achieving the goal; < 10% below goal). This one chart tells you, your staff and your bosses exactly how you are doing AND where the money needs to be applied.

Communicating Is the Key to Everything
- Weekly staff meetings with your people: keep your staff focused, motivated and on track.
- Monthly meetings with your boss: keep the most important issues in front of him/her.
- Quarterly security meetings with others: rounding on other department heads makes them feel part of the process.
- Annual security report (state of the organization): how did we do? A message to all employees.
- Have a 60-second vision brief ready. You never know who you will run into in the elevator.

Final Thought: Target Hardening
The security force's mission is to protect people and property from valid threats. The criminal is looking at your organization, comparing his chances of success against your neighbor's. You don't have to be impenetrable; you just have to be a harder target than your neighbor. Beat the bear.

Summary
- Getting funded is as simple as making your business case.
- The risk assessment is the foundation of the entire process.
- Use business elements when advocating to your bosses and others. It will be easier to sell.
- Gathering this data to get funding also makes your security department better for it.
- Communicating is always the key to success. After gathering the data, present it in a way that will be understood.
- Be a harder target.

Bottom Line: How to Beat a Bear

Discussion
To get source documents for this presentation, email sreilly@techsystemsinc.com.