
What Not to Do

Security Executive Council

In 2017, the Security Leadership Research Institute (the SEC's research arm) asked security practitioners to choose from a list which activities their security department performed. We asked the question to see what kind of risk assessment activities security leaders were conducting.

The results raised new questions.

[Chart: Security Barometer results showing which security function activities are most prevalent]

Most respondents were identifying security countermeasures to mitigate risk and identifying specific threats, but fewer were identifying assets, and even fewer were identifying and communicating with risk owners.

At a high level, risk assessments would include most or all of these elements in equal measure. Why was there such variance?

These questions and other research have led us to see that there are a variety of approaches to risk assessment, as well as confusion regarding process and proven practice.

Here are some common missteps to avoid.

Lacking a formal, comprehensive process.

Over our 20 years working with security and risk practitioners, we’ve recognized that a comprehensive risk assessment is the ideal first step to beginning a new program or inheriting a new security position. We’ve also recognized that it often doesn’t happen.

In a 2017 survey conducted by the Security Leadership Research Institute, only 25% of participants based their security programs and services on a formal risk assessment process. In contrast, nearly 40% based them on “the way it’s always been done,” past incidents, and specific demands from executives.

[Chart: Security Barometer results showing what most security programs/services in the organization are based on]

Building or revising the program around a comprehensive assessment is the only way to ensure that all risk, not just familiar risk or common risk, is addressed.

Basing the risk assessment solely on your background or expertise.

Risk assessment in the United States has a long history, beginning with the Army Physical Security Field Manual in the 50s and moving through residential and small business crime prevention surveys in the 70s, the ASIS Protection of Assets Manual, and finally to the Securities and Exchange Commission’s 10K requirements.

Notice that this history crosses over from military and law enforcement to small business and multinational corporations. It also crosses over a couple of generations, and an unprecedented shift in technology and its integration into common culture.

Because of all this, it’s important to ask yourself how your approach to risk assessment is colored by not only its history, but your own. If you were trained in the military, for example, are you relying on the concepts of that original 1950s field manual to the exclusion of other perspectives? If you started out in cybersecurity for a multinational, are you neglecting the fundamentals of physical security?

Oversimplifying.

Risk is complex and assessments can be highly specialized.

Business has evolved, as has risk. Staff work from remote offices. Services are delivered through a variety of models, most of which require at least some contractors to have access to sensitive information or assets. The rapidity of technological innovation creates new risks every day.

Globalization has created new risk. Product development is often done offshore where regulations and monitoring may not meet local standards of care. Laws and customs in local countries must be considered carefully because what is acceptable practice in one location may not be in others. Where are your products and components coming from? What is the level of due diligence of the companies you do business with?

Regulatory requirements now add their own layer of risk as well: the risk of noncompliance.

The risk to the organization generally goes well beyond what one might see at first glance. Always look further.

Not aligning with organizational strategy.

What is your company’s strategy? What is its risk appetite? What are its growth priorities?

These questions should go hand in hand with a security risk assessment. Knowing the answers will help identify risk and guide risk mitigation, avoidance, or acceptance.

If your organization has done an enterprise risk assessment, that’s a good place to start. Look at the business of your organization from a high level, understand it, and ensure that your assessment incorporates the organization overall.

Working in a vacuum.

Risk impacts executive management and other leaders across the organization. Integrating their input and concerns into the risk assessment process will make its results more accurate and more effective.

It’s also important to remember that other functions often have risk mitigation roles. Reaching out to them can make security aware of possible synergies and prevent the silo effect, in which multiple functions are operating alone and often duplicating efforts.

[Graphic: the idea of Unified Risk Oversight]

Communicate to upper management throughout the process that Security is the risk mitigation organizer, but they are the risk owners.

Failing to re-assess regularly.

Even when you are in tune with the changing and wide-ranging risks to your organization, do you regularly re-assess them? Only about half of practitioners we surveyed in 2019 said yes.

[Chart: Security Barometer results showing the prevalence of risk re-assessments]

If it seems that nothing ever changes at your organization and annual reassessments are unnecessary, think again. Local crime trends change, and new technologies emerge and create new threats. Regular assessment can also create opportunities. For instance, if a risk that you've budgeted to mitigate is no longer a significant risk, those funds can be reallocated.

Publication date: February 27, 2020

BELT.ES is not responsible for the opinions expressed in the articles reproduced in our Press Review, nor does it necessarily endorse the opinions and views expressed. The reproduced information is distributed for non-commercial purposes.
