Harnessing the Power of Risk Data

By Lindsay Woolward, Consultant, Guidepost Solutions

Cyberattacks, fire, volatile employees, and targeted violence can show up at unexpected times and pose serious operational risk to organizations of all sizes. But how can you prepare for a random chance that could have an enormous impact on you, your people, and your property? The answer is good risk data. So how do you get the right data? And how do you use it?

There are a million different things you could do, and prioritizing is key. Good risk data will help you scale your response across the range from relatively “likely” scenarios, like a disgruntled employee posting inflammatory things on social media, to “unlikely” but emotionally charged events, such as a shooting near or in your facility. Data helps you and your organization identify what you can do to increase resilience against multiple threats and mitigate a swath of risks.

The big picture: Business decisions are increasingly driven by data, from ROI to overhead rate, marketing engagement metrics to sales conversion rates, and so much more. That’s why security operations must have the data to prove to leadership that it’s worth the time, money, and people to put together a community plan, set aside a retreat day to talk through a few scenarios, or invest in a robust visitor management system to be prepared to keep operations moving in the event of a major security incident.

What’s needed: Good risk data has three critical components:

  1. What’s the current state?
    You need to know how security risks stack up against other concerns facing your organization, like competitive risks, inflationary pressure, and other factors outside your control that you must contend with to thrive.
  2. What’s the cost of doing something?
    You need to forecast the amount of time, money, and people needed to mitigate the security risks.
  3. What’s the cost of doing nothing?
    This is the other side of the puzzle. Consider the types of disruption you are likely to experience if you continue business-as-usual.

Why it matters: The savvy security director knows that convincing the C-Suite requires data with all three components. Your organization faces specific risks, which you can mitigate with the right resources. If leadership chooses to focus resources elsewhere, they can expect a steady drip of social media surprises, theft, and other nuisances to slow operations and, on the unlucky occasion that you draw the short straw, serious confusion and operational disruption.

With the right kind of data, you can work with your leadership to make smart resource allocation choices. Using the data can help you identify the risks that cost a hundred thousand dollars per year but can be averted with thousands of dollars in security investments. It can also help you make smart choices about what you need to put in place now in the event a serious incident occurs. By working with other decision makers to figure out where physical and cyber risks stack up next to competitive and market forces, your team can succeed.

What’s next: To get this done, you need a risk assessment program. Focus on these core tasks:

  1. Enumerate organizational operations. 
    • What do you do and how do you do it?
  2. Identify your critical assets. 
    • What people, infrastructure, equipment, and materials are necessary to operate?
  3. Evaluate your risk environment. 
    • What kinds of attacks, large and small, may target your organization’s assets?
  4. Analyze your current security posture. 
    • How effective are your security resources at deterring, delaying, detecting, and responding to the attacks you’ve evaluated?
  5. Propose action. 
    • What could you change about your security posture to better mitigate the risk of attack, and at what cost?
  6. Decide what to implement. 
    • Of the actions you could take, which are worth it? Can you mitigate some critical risk?
  7. Reevaluate your security state. 
    • Is your data up-to-date? Have you changed things?

While this analysis can be accomplished by your security department, there is value in getting an independent third-party consultant involved. An independent firm can quickly establish a solid foundation of data for you to build upon. They can provide an objective viewpoint on the process, ensuring all measures are addressed, and bring broad knowledge and experience to the assessment.

The net-net: By establishing a program focused on delivering high-quality data to leadership, you establish security as a critical component of successful operations and business continuity. By implementing a risk analysis program geared for constant data deployment using smart risk modeling, which can be updated as your threat environment and security posture change, you’ll always be prepared to answer the tough questions if and when a serious disruption occurs.

Lindsay Woolward is an experienced security and audiovisual professional specializing in security risk consulting, security technology design, and audiovisual systems design. He advises city, county, and state governments; K-12 school districts; universities; corporations; and transportation authorities. Projects include comprehensive security risk assessment and master planning, threat vulnerability assessments, security technology systems design, and AV systems design.

