Delivering stronger business security and resilience
Delivering Stronger BusinessSecurity and Resilience in a WeakFinancial ClimateChris TomlinsonArup Resilience, Security & Risk
My AgendaThe threat spectrumThe Risk-led Approach and the realities of SecurityRisk AppetiteThe boardroom viewClient Needs Detected2Client Needs DetectedDesign-based SolutionsOperational-based SolutionsStandards in Commercial PreparednessKey Takeaways.
The Spectrum of ThreatTerrorism• Person-borne explosive attack• Vehicle-borne explosive attack• CBR attackTerrorism/Extremism• Person-borne explosive attack• Vehicle-borne explosive attack• Static• Encroachment• PenetrativeCrime & Antisocial Activity• Violence Against the Person• Acquisitive (theft /burglary etc)• Personal• Business – Insider Threat• Penetrative• Simplistic• Mechanistic• Criminal Damage• Anti-social behaviour• Vagrancy & Trespass• Violent protest – not necessarilyunlawful• Weapon attack• Hand-carried• Vehicle-borne
Threat Likelihood Impact RiskThreat – adversary capability (history), intent and access to theirThe Risk CalculusThreat – adversary capability (history), intent and access to theirtargets, do not forget the insider adversaryLikelihood – the tough calculation and absolutes are difficult tocome by – so relative likelihoods may be all that can be managedImpact – this is the straightforward part – all about asset andprocess vulnerability; and costs of denial/loss.
Risk appetite, at the organisational level, is the amount of riskexposure, or potential adverse impact from an event, that theThreat Likelihood Impact RiskThere will be Risk Appetiteexposure, or potential adverse impact from an event, that theorganisation is willing to accept/retain. (Mark Carey - Deloitte& Touche LLP)An economically-conditioned balance between maintainingprofitability, while not facing reputational exposure throughculpable risk-mitigation failure. (Me)
Life SafetyRisk Appetite Illustrated in Counter TerrorismLevels of Resilience to the Effects of BlastLife Safety + EvacuationEconomic ReinstatementOperational ContinuityAll of which is a littlecounterintuitive, given thatorganisations normally saythat they are want to beoperationally viable after acatastrophic event
Questions that might guide Risk AppetiteIdentify headline risk impacts on life safety, economicreinstatement or reputationWhat adjacencies might increase or decrease risks?What are the acceptable norms for protecting thebusiness – are there standards we can use as abenchmark?8What risks can be treated, transferred, terminated andwhat is left to tolerate – the latter lies at the core of riskappetite?Is there an Enterprise Risk Management process thatincludes protective security?Who reviews risk and how often?
Struggles to show real benefit, beyond the simplistice.g. effects on stock shrinkage – ROI badlyresearchedOften ugly and oppressive, with a default setting ofheavy-duty, rather than subtle technologiesAdds operational friction – it slows people and stuffdownBoardroom Views on SecurityAdds operational friction – it slows people and stuffdownLaced full of confusing standards and often do notoffer advice on sub-optimal ‘fixes’ – always theRolls Royce never the Honda CivicNever linked to sustainability targets – e.g. ‘CarbonCost of Crime’.
Preparedness in the Private SectorA survey of 263 senior executives from various companiesexamined how they approach resilience and securityFive key areas were examined: physical security, IT security,business continuity, crisis management, and pandemic planningApproximately 50% said IT security, business continuity, andcrisis management at their company were "completely" or "verycoordinated" with enterprise risk management, while only 43 %10coordinated" with enterprise risk management, while only 43 %said the same about physical security21% of companies surveyed had a co-ordinator that oversees allfive preparedness areas.The key concerns were: risk versus opportunity, due diligenceand duty of care (compliance and reputation protection)
Our Clients WantEasy-to-understand risk analysis and deductionsJust enough – with an audit trail for what was agreed on and whyScalability – things change and systems need to adaptEarly intervention – security as an afterthought is ugly andexpensiveA balance between security technology and operations – Capex11A balance between security technology and operations – Capexversus OpexValue-added in security solutionsTo be convinced of a return on investment – not just financialFunctional and management convergence – traditionalstovepipes are challenged.
Design-Based SolutionsThe trend is towards Internet Protocol solutions, butbuyer beware!Convergence onto unified ICT networks, but….Convergence of building management systems –intelligent buildingsSmarter devices deployed – on-board processing12Smarter devices deployed – on-board processingAdaptable plug and play (e.g. POE)Biometrics and reliable recognitionStand-off detection and automated trackingPhysical Security Information Management (PSIM).
Operations-based SolutionsUnified command and control – moving security to businessareas that are the ERM focusHuman Capital Risk – managing the insider threatBoardroom education to value adds‘Red-teaming’ – thinking adversaryProfessionally develop your capable guardians13Professionally develop your capable guardiansTest and validate plansSharing best-practice – co-ordinate resilience planning withother stakeholders (e.g. telecoms and lifeline utilities, local bluelight responders etc).Professional organisation memberships – e.g. CSARN.
Standards, Best-practice and ReferencesBS 25999-1:2006 & BS 25999-2:2007 - businesscontinuity management code of practiceASIS International SPC.1-2009 – OrganizationalResilience: Security, Preparedness, and ContinuityManagement Systems – Requirements with Guidancefor Use and other references14US National Fire Protection Association 1600 -Standard on Disaster/Emergency Management andBusiness Continuity ProgramsThe Conference Board report - ‘Preparedness in thePrivate Sector – 2011’Organisation specific e.g. BCO.
Key TakeawaysYou cannot mitigate everything, so figure out what you canhandle as risk appetite – easier said than doneDoing nothing is not an option, but mitigation sufficiency islinked to risk appetiteGet a risk assessment done and one that offers deductions forbest protective fit against form, function and budget15Scalability – things change (think about review programmes)Have an audit trail for what was agreed on and whyDo it early because security as an afterthought is ugly andexpensive (and think sustainability)Think about balances between security technology andoperations – ROI is important.