Rebooting your security programme
Businesses across the globe face all kinds of risks on a daily basis, and these risks are constantly evolving. That’s why we’re always seeking to improve the solutions we offer and challenge our clients to look at things differently.
We’ve been working on a new risk management model that will help businesses to build, customise and develop security programmes that are ideally suited to their individual needs and environments, whether it’s critical energy infrastructure, a bank, retail space or an office.
Building a programme from the ground up
While there are countless risk management models on the market, after a lot of research we found they tend to use inconsistent language, and there’s a lack of specific methodology or structure, making the user experience more difficult. So we decided to go beyond the security industry and work with an academic partner, the Georgia State University Center for Process Innovation, who could look at the issue from a completely outside perspective.
Our model is similar in concept to the Effects Based Security Design planning method, but we’re using it to build a comprehensive, consistent and easy-to-use software solution that takes it to a whole new level.
Before a business can determine what security solutions are right for it – be it the number of security officers posted at a site, the number of cameras surrounding a perimeter, or the level of identity and visitor management required – it needs to ask itself some fundamental questions:
- What am I looking to protect?
- What do I want to protect it from?
- How do I prevent an incident or risk from happening?
- If something does happen, how can it be contained?
- How do I recover from it?
With this in mind, our model takes you through the entire risk management process, which includes three key components: resources, risks and resolutions.
The first step involves sitting down with the client and identifying all of the resources they want to protect. These could be physical resources, such as buildings, critical infrastructure or valuable equipment; knowledge-based resources, such as intellectual property; or organisational resources, such as people or governance structure. Once we’ve created a list, we’ll assign a value to each resource.
This can be quite simple; for example, if somebody were to steal a vehicle from a site, there would be an insured value against it. For something like intellectual property, which has no insured value, we’ll work out what we think the resource is worth to the business.
Then, we sit back and look at the likelihood of these resources being exposed to particular risks. These could be contextual risks, such as workplace safety or natural disasters; criminal risks, such as theft or cybercrime; or business risks, such as compliance or legal issues.
We’ll take into account how frequently incidents like these have occurred in the past, using a client’s historical data and – where there are gaps – industry-wide resources, such as the FBI’s Uniform Crime Report, to build a clear and well-informed picture.
Finally, we’ll identify the most appropriate resolutions that will enable the client to manage and tackle these risks. These span three main categories: prevention, containment and recovery.
Firstly, preventative resolutions, such as carrying out background checks on all visitors to a site or having perimeter protection in place, aim to stop an incident from happening in the first place. Secondly, containment resolutions, such as having intrusion detection or fire safety systems installed, help to mitigate risks during an incident in order to minimise the impact it has on a site, a business or its people. Lastly, recovery resolutions, like investigations or security forensics, are designed to alleviate risks after an incident has occurred, ensuring that business operations recover quickly and that damage is as minimal as possible.
A constantly evolving security programme
As a whole, this model allows us to work with businesses to monitor their resources, understand the risks they face and, together, come up with the most appropriate and effective resolutions. We can also use this information to work out the total cost of ownership – based on the client’s exposure to certain risks – as well as the cost of the various resolutions that we’re going to put in place.
Once we’ve got this framework together, we’ll continue to work with the client to monitor the progress of the security programme, using real-time intelligence and data analytics to create reports. This way, we can make sure the programme is consistently working at its best and is in line with the business’s requirements, which can change over time. We call this the risk management lifecycle.
Here in North America, we’re currently using our model to develop a highly sophisticated software solution. This will include a risk profile module, which will help clients to understand their situation when it comes to security, and a risk assessment module, which our consultants can assess to provide support and guidance. We’re doing a controlled launch in the US and Canada, but the goal is to roll this offering out globally. A 3D interactive tool is also in the pipeline, which will let consultants walk a client through their risk management lifecycle and explain what potential holistic solutions could look like.
We believe this type of model can change the way we think about security, for the better. That’s why we’re asking our entire business, our clients and the wider industry to look at security programmes with a truly risk-based, data-driven approach – this is the future.
Joe Young is the Senior Director of Cloud and Enterprise Solutions for G4S, overseeing technology and innovation for the G4S Secure Integration Managed Services division.