SlideShare a Scribd company logo

2016 Resilience Survey for Real Estate and Critical Infrastructure Projects

J
Julian R

Control Risks has conducted this survey with a view to better understanding the perception and approach taken to security and resilience by those who deal with real estate and critical infrastructure. We surveyed more than 100 architects, developers, investors, end-users and engineers.

Engineering
1 of 17
Download to read offline
Managing Risk | Maximising Opportunity RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016
TABLE OF CONTENTS FOREWORD 2 INTRODUCTION 4 WHY AND WHEN WE SHOULD ENGAGE WITH THE PROCESS TO ENHANCE SECURITY 6 THE IMPORTANCE OF UNDERSTANDING THE THREAT AND ASSOCIATED RISKS 7 THE BENEFITS OF UNDERSTANDING WHOLE LIFECYCLE COSTS FOR SECURITY 8 THE IMPORTANCE OF ASSESSING AND UNDERSTANDING THE CYBER SECURITY THREATS TO BUILT INFRASTRUCTURE 9 THE IMPORTANCE OF USING QUALIFIED SECURITY PERSONNEL AND APPROPRIATE SECURITY STANDARDS 10 CONCLUSION 12 ABOUT THE SURVEY 13
2 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 FOREWORD The built environment is subject to a wide and complex range of security-related threats and hazards. This is the result of an increasingly volatile global security landscape generated by the proliferation of terrorism, separatism, civil disorder and organised crime, an increasingly technologically-advanced approach to cybercrime, and the prevalence of attacks on crowded places aimed at creating mass casualties. This complex security landscape has led to a growing interest in the subject of resilience. While there are differing interpretations of what this actually means, we describe it as an entity’s ability to adapt and evolve to changing environments whilst minimising the probability and/or impact of all hazards and risk events – a concept that has clear utility in the planning, implementation and operation of the built environment and critical infrastructure. The nature of the threats and hazards that a specific building or development may face is driven by its location, its function, the profile of its users and what that building is perceived to represent. Therefore, every building – and the approach that must be taken to security during its design, construction and operation – is unique, and the success of built infrastructure in facilitating its designed function relies on it being resilient to these security challenges. Control Risks has conducted this survey with a view to better understanding the perception and approach taken to security and resilience by those who deal with real estate and critical infrastructure. We surveyed more than 100 architects, developers, investors, end-users and engineers. We have asked who is responsible for security design, when and how security is considered during design and construction, and how important security is considered to be. The findings from the survey are discussed and analysed in this report and provide a comprehensive view on the extent to which the incorporation of security and resilience measures into building design is seen as a crucial part of the overall process for the development of the built environment.
4 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 A wealth of detailed information exists in the public domain on how to plan for, design and operate built infrastructure that is resilient in the face of the threat of crime, terrorism, social unrest and other associated risks. This includes a range of government directives and regulations, advice provided by national advisory bodies and professional institutions, and a plethora of national and international standards. The availability and awareness of these resources is having an effect on the approach taken to security, resulting in an increasingly pro-active approach and businessess incorporating security design measures at the early stages of the development process. Our survey found that whilst there was a good understanding of the advantages of ensuring that the resilience and security of built infrastructure is addressed during its design and construction, more can be done to ensure an integrated and efficient approach is taken. KEY FINDINGS • Robust security infrastructure provides a competitive advantage. Nearly 60% of respondents believe that the integration of robust security infrastructure into a construction project will help them to stand out from their competitors. • Early engagement with the security demands of a project is seen as essential. Organisations understand the importance of engaging with security requirements as three-quarters of respondents rated the early engagement with security demands of a project as essential. However, 40% stated that they ought to pay more attention to security and nearly a third stated that security will only become more important in the future. • Conducting a threat and risk assessment during the project design stage is key. Close to 90% of respondents see the threat and risks assessment as a critical or essential process to inform decisions during the conceptual design stage of an infrastructure project. How that translates into the development of security infrastructure is not well understood though, and nearly a quarter admit that their knowledge of security, and experience in the design and implementation of security systems, is not good or is insufficient. • Expenditure on security infrastructure creates a positive return on investment. Close to 70% of respondents agreed that the return on investment for expenditure on security infrastructure was worthwhile. However, the capital cost associated with security infrastructure is not necessarily fully understood. • Awareness of cyber security threats to built infrastructure is increasing. However, the picture is still complex: about half of respondents constantly reassess their cyber security threat profile, but a quarter of respondents have never done such an assessment. • Insistence on the use of appropriate security standards is limited. There is a limited appetite for the use of national or international standards when defining the requirements of security systems and a lack of appreciation as to the benefits that they can bring: even the most popular security standards were only used by less than half of respondents. INTRODUCTION
5 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016
6 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 There are considerable benefits to be gained from the provision of robust security infrastructure. This includes the potential to attract a wider range of tenant or user, increased rental values for real estate, the ability to address duty-of-care issues and the potential to reduce insurance costs. Indeed, 59% of respondents considered that the provision of robust security infrastructure can provide them with a competitive advantage. While this effect becomes more acute in more demanding security environments, it is even more pronounced when a building has a high-profile user group or contains high-value assets, even when the security threat is more benign. Clearly the combination of the two requires a very focussed approach to security. The best way to understand, develop and deliver the required security infrastructure in a coherent and efficient manner is to address it from the outset because it allows security infrastructure to be integrated efficiently within the architectural, structural, mechanical and electrical designs from the start, thereby reducing the requirements for costly design changes and system retro-fitting. Our respondents agreed and 73% indicated that early engagement with security is essential, whilst 74% indicated that they should incorporate adaptable and scalable security design measures into building design, which would allow them to address future changes in the security environment more efficiently. However, despite this broad recognition of the advantages to be gained from provision of robust security infrastructure and the importance of its early incorporation into the design process, only 57% of respondents considered their approach to the implementation of security measures adequate or good, while 40% believed that security was something they should pay more attention to in the future. The importance of engaging with security is clear and appears to be well understood. But there is more work to be done as this understanding does not necessarily translate into active engagement. If measures are designed collaboratively and early in the process, the financial burden of incorporating security infrastructure can be minimised through integrated and efficient design, the architectural impact of security infrastructure can be lessened, and costly and unsightly retro-fitting of security measures can be avoided. 74.3% The levels of security provided must be adaptable and scalable so that a commensurate response can be provided to changes in the security environment 73.0% Early engagement with the security demands of a project is essential 59.5% Provision of a robust security infrastructure is something that can provide a competitive advantage 40.5% Security is something that we ought to pay more attention to 29.7% We understand that security will only become more important in the future 17.6% Security is provided solely by on-site security personnel 14.9% Security is the responsibility of the police/state 8.1% Security measures are something that can be put in place once a project has been completed 74.3% 73.0% 59.5% 40.5% 29.7% 17.6% 14.9% 8.1% WHY AND WHEN WE SHOULD ENGAGE WITH THE PROCESS TO ENHANCE SECURITY Which of the following descriptions align to your organisation’s approach to security during a construction project? (multiple answers possible)
7 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 The most effective and efficient approach to the planning of security infrastructure is one that is threat and risk-led. Every piece of infrastructure has a unique risk profile stemming from the threat it is facing, and to be effective risk mitigation measures need to be tailored to the individual risk profile of the building. The desire to use this approach was reflected by the respondents, 74% of whom considered it essential to conduct a threat and risk assessment; 84% considered it important or essential to develop a security master plan at the conceptual stage of development. Yet effective risk assessment relies on a clearly defined and well-understood approach to tolerable loss. In other words, it is essential that an organisation understands to what level it is willing to accept injury, damage or loss of assets such as people, infrastructure and operating capability, and as a consequence of that level, how much resource it is willing to invest in protecting them. This is a contentious subject and one that is not well understood. 61% of respondents admitted to having an understanding of their tolerable loss that was neither good nor very good. But financial constraints almost always demand that organisations must accept that a degree of loss is possible, especially in more hostile security environments. BUT WHAT THREAT CONSTITUTES THE HIGHEST RISK TO A PIECE OF INFRASTRUCTURE? 68% of respondents listed the indirect effect of terrorism (i.e. collateral damage resulting from another building being targeted) as amongst the top security threats to their infrastructure once it is in use; a direct terrorist attack (i.e. an attack targeted at their building) was also considered to be one of the top security threats (57%). However, the profile of the contemporary terrorist threat could also lead to an overemphasis on low likelihood/high-impact events, with the potential that lower-impact events (such as those stemming from criminality or civil unrest) may not be given full consideration. These low likelihood/high-impact events may have a disproportionate effect on the security of specific assets such as data, and the retention of corporate reputation. Furthermore, it is important to remain aware of the changing tactics and the emergence of new threat actors, be they criminal or terrorist in nature. For example, there may be an increase in active shooter or “lone-wolf” attacks, or a reduction in the likelihood of complex attacks that are highly damaging to infrastructure. Either way, buildings need to be made more resilient to a number of highly unpredictable types of attacks that no longer only occur in countries of perceived high risk, but almost everywhere in the world. THE IMPORTANCE OF UNDERSTANDING THE THREAT AND ASSOCIATED RISKS Does your organisation have pre-defined levels of tolerable loss and does it appreciate how this concept can be used to define design requirements? 13.7% Very poor appreciation Extremely good appreciation 21.9% 24.7% 21.9% 17.8% What do you consider to be the top security threats to infrastructure once it is in use? (please tick all that you rate as top priority) 68.0% Terrorism - indirect/collateral damage 58.7% Insider threat 57.3% Terrorism - direct attack 53.3% Criminality - burglary 48.0% Social unrest 40.0% Anti-social behaviour 40.0% Protest 37.3% Lone wolf attack 36.0% Robbery/mugging/assault 9.3% Other (please specify) 68.0% 58.7% 57.3% 53.3% 48.0% 40.0% 40.0% 37.3% 36.0% 9.3%
8 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 THE BENEFITS OF UNDERSTANDING WHOLE LIFECYCLE COSTS FOR SECURITY Design teams devote a great deal of time and effort to understanding whole lifecycle costs during the feasibility and concept stages of the development of infrastructure. Despite all building users being exposed to the security arrangements that are eventually put in place, security is often omitted from the consideration of these costs or only included either as an afterthought or as a small additional item that can be incorporated into the scope of the mechanical and electrical engineer. This might seem to be an efficient approach in lower-threat and low-risk environments where some simple electronic security systems (rather than physical security systems) might be deemed sufficient. But in the context of a greater threat and/or high-value assets (people, systems and data) the costs, both in terms of capital expenditure (for example on physical and electrical security systems) and operational expenditure (systems maintenance and manned guarding capabilities), can be considerable and security measures need to be implemented as efficiently as possible. However, our survey results indicated that whilst 31% of respondents paid great attention to understanding whole lifecycle costs for security, 17% of respondents paid either no or very little attention to understanding them. Furthermore, 36% admitted to not knowing what level of funding is allocated to security and resilience issues, and 45% undertook no, or only informal, benchmarking for security-related costs. So, despite the fact that there was not a single respondent who considered that there was in no way a good return on investment for security infrastructure – indeed 68% of respondents considered that the return on investment good or very high, and there is clearly great effort taken to try and understand whole lifecycle costs – the limited benchmarking undertaken may influence decisions taken during design and construction. This may, in turn, mean that there is an inability to make a “value for money” case for the incorporation of different types of security, and this may result in an adverse effect on the longer-term profitability and commercial performance of the asset. How much effort do you expend on developing an understanding of whole lifecycle costs for security, including manned elements, during the initial stages of a project? Very little We pay great attention to this 5.2% 12.1% 32.8% 19.0% 31.0%
9 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 With the growing use of technology in modern building control systems, cyber vulnerability is increasing. Integrating technologically advanced security solutions can have the inadvertent side effect of creating potential new entry points for cyber threat actors. The integration of the control room with systems such as video surveillance or heating, ventilation and air-conditioning has evolved from standalone systems to remotely-managed web interfaces that bring an additional risk of compromise. The rapid expansion of technologies (often identified as the “internet of things”) means that the connectivity of devices may also include lighting, door access, sensors and interactive communications tools. Identifying the threats from this additional connectivity prior to system implementation is vital to their mitigation. The survey showed that the understanding of cyber threats and the actions required to mitigate those threats was highly dependent on the sector. Some 50% of security directors from the oil and gas industry state that they constantly reassess the cyber security profile of their organisation’s built environment and have conducted a rehearsal of their cyber crisis response within the last three months. The real estate sector, however, paints an entirely different picture: 40% of respondents from this sector have never assessed their cyber security threats and of those who have, 50% have never rehearsed their cyber crisis response. Simply having a crisis response plan in place is not enough. It is crucial to train with realistic scenarios that test an organisation’s ability to effectively manage evolving cyber incidents (for example, a ransomware attack or an advanced persistent threat (APT) attack), learn from gaps identified and adjust plans accordingly. In the case of a cyber-attack or compromise of building infrastructure, the traditional incident management processes need to be adjusted. Control Risks has seen a trend of increased targeting of building infrastructure over the past few years, with a specific focus on building management systems, alarm systems, sensors and integrated industrial control systems. The effectiveness of a breach can of course be devastating in the nuclear, oil and gas and energy sectors. But even a standard office building needs to be protected, as building management systems often create an easy entry point to a company’s IT network, which then leaves the company vulnerable to further loss or compromise of data. Vulnerability to cyber-attack can also be affected by an increase in third-party access points. 51% of respondents are fully or mostly aware of the level of access to their company’s systems afforded to third-parties and can thereby manage their exposure to the resultant risks. However, 25% are mostly or totally unaware of the level of third-party access to their systems. This lack of awareness means that companies are unlikely to have a holistic view of the threats. Without the understanding of who, what, how and when third parties have access to systems, the threats being posed are unclear and thus cannot be adequately managed. Embedding a culture of cyber security into design, procurement and project delivery processes is key to having effective, secure building management systems. THE IMPORTANCE OF ASSESSING AND UNDERSTANDING THE CYBER SECURITY THREATS TO BUILT INFRASTRUCTURE How aware are you of level of access that your third-party suppliers have to your systems? Totally unaware Fully aware 6.7% 23.3%18.3% 23.3% 28.3%
10 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 THE IMPORTANCE OF USING QUALIFIED SECURITY PERSONNEL AND APPROPRIATE SECURITY STANDARDS The construction industry is highly regulated and there is great emphasis placed on ensuring that correctly qualified personnel are contracted to conduct design and construction. However, this is not necessarily the case in the field of security: 38% of respondents either did not consider a specific formal qualification in the field of security to be important or were unaware of security-related qualifications and professional memberships. In the opinion of the 61% of respondents who saw value in qualifications or memberships of recognised security-related bodies, those considered more relevant were: MSc in security or risk management, Chartered Security Professional (CSyP), Certified Protection Professional (CPP), membership of the American Society for Industrial Security (ASIS) and membership of the Security Institute (SyI). However, the overwhelming indication of our respondents was that a strong track record in the provision of security consulting services was most important: 86% of those who considered qualifications or memberships to be relevant also attached importance to a track record of consulting on similar projects. Whilst Control Risks certainly agrees with the importance of consulting experience and recognises the great benefits of security qualifications such as those mentioned above, we also recognise the fundamental importance of highly qualified Chartered Engineers working within the field of security and of membership of independent organisations such as the Register of Security Engineers and Specialists who promote excellence in security engineering by providing a benchmark of professional quality. In terms of the use of standards, national and international design and construction standards are not only well understood and adhered to by those responsible for the development of infrastructure, but are used to define requirements and to conduct quality assurance. However, in the field of security, despite 81% of respondents stating that security design should be undertaken within specific security standards and best practice, the awareness and use of technical standards was not widespread with even the most popular standards only being used by 44% of respondents.1 To a degree, increasing awareness of technical security standards and their utility is the responsibility of the security consultant. But security standards can provide an audit trail that links the risk assessment, the defined tolerable loss levels and the operational requirement to the performance specifications of individual electronic and physical security systems. WHAT ARE THE ADVANTAGES OF COMPLYING WITH BEST PRACTICE IN TERMS OF THE STANDARDS USED AND THE QUALIFICATIONS OF THE CONSULTANT? Complying with best practice will bring both efficiency and quality to the design and implementation of security by enabling the delivery of coherence and integration between complementary security systems. This will ensure that a holistic approach (incorporating physical, electronic and procedural measures) can be taken to the development of security infrastructure, systems and organisations. But it will also ensure that security systems are tested and approved appropriately, thereby avoiding additional costs in the longer term and potential invalidation of insurances. In addition, and perhaps most importantly, it will ensure that designers and developers are not opening themselves up to any potential liabilities that may occur if they are subsequently found to have not followed recognised best practice. 1 The two standards quoted as being used the most were: • BS EN 50132 – CCTV surveillance systems/alarms • Crime Prevention Through Environmental Design (which in itself is not a standard as such but is a well-recognised multi-disciplinary approach to deterring criminal behaviour through environmental design)
11 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016
12 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 From the analysis of the data coupled with existing empirical information and analysis, we offer the following conclusions. • Ideally, the development of resilience of the built environment should commence as a multi-agency activity from the feasibility study stage of a project and be an integral part of a scheme master plan. It should be based on a horizon-scanning, all-hazards risk assessment with due consideration given to environmental, economic, integrity, political, security and cyber threats. This will help inform initial investment decisions. The development of mitigation options, which can be assessed in terms of cost and benefit and factored into project budgets, can then follow. Such activities should help drive investor confidence at these critical early stages. • This unified concept of resilience also allows a more holistic approach, providing a view of the project focussed on the interdependencies of the systems involved rather than the vulnerabilities of each component. This comprehensive view enables mitigation strategies to be consolidated and coordinated, resulting in more effective strategies that tackle multiple risks in a cost-effective way. • Security design and engineering, as part of this process to develop resilience, is a main stream design discipline. It has advanced rapidly in the period since 9/11 in respect of strategies, technologies and processes that address emerging threats and must now be seen as a crucial activity during the development of any piece of infrastructure be it for commercial, personal security or national resilience purposes. However, it cannot be approached in isolation from other design or development activities, and as part of that integrated approach it is fundamental that: –– Security design is preceded by well-informed threat and risk assessments that provide the context, a well-defined security strategy and the development of an overarching security master plan, thereby ensuring that a holistic approach to security can be taken –– The risk appetite and tolerance of potential end-users is well understood in order to ensure that a competitive advantage can be gained by making the development more commercially attractive –– Security design is incorporated into the design and development process from the conceptual design stage onwards, thereby ensuring that any opportunities to maximise operational or design efficiencies are taken –– Appropriate security standards are used that not only allow operational requirements to be defined and fulfilled, but ensure that appropriate systems can be procured and installed in the most efficient manner –– The cyber vulnerabilities, that multiply as the use of building management technology increases, are only well understood in some sectors and need to be addressed by embedding a culture of cyber security into the design, procurement and project delivery processes –– Appropriately qualified and experienced security design engineers are engaged to ensure that best practice can be implemented and end users do not make themselves liable for an inadequate provision of security Finally, it is worth considering that whilst there are numerous commercial and operational reasons for security to be embedded into every aspect of the design, development and operation of built infrastructure, 94% of our respondents viewed the implementation of security (and therefore, in the wider context, the implementation of resilience) as either important or fundamental to fulfilling their duty of care to their people. CONTACT THE AUTHORS: Mark Whyte, Senior Partner, mark.whyte@controlrisks.com Simon White, Director, simon.white@controlrisks.com CONCLUSION
13 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 This global survey, conducted between April and June 2016, took the opinion of 106 respondents into account. While there was a geographical focus on Europe, we had respondents from across the globe, representing all major industries. The survey has been sent out to many of Control Risks’ clients. We also received huge interest via our social media channels, leading to a wide range of job functions being represented. ABOUT THE SURVEY In which region is your organisation’s headquarters located? What role does your organisation have with respect to infrastructure? What is your role within your organisation? Which of the following best describes the industry of your organisation? MIDDLE EAST/NORTH AFRICASUB-SAHARAN AFRICA NORTH AMERICA CENTRAL AMERICA AUSTRALIA/OCEANIAEUROPE OUTSIDE UK ASIAUKSOUTH AMERICA 1.0% 3.8% 5.8% 25.0% 26.9% 9.6% 6.7% 8.7% 12.5% END-USERPORTFOLIO OWNER/MANAGER INVESTOR DESIGN AND BUILD CONTRACTTOR ARCHITECT ENGINEERING CONSULTANT PROJECT MANAGER/PLANNERDEVELOPER 1.0% 4.1% 9.3% 10.3% 17.5% 18.6% 13.4% 25.8% PROJECT MANAGER CEO DESIGNERFACILITIES OR BUILDING MANAGER SECURITY DIRECTOR/MANAGERRISK MANAGERCOO 1.0% 4.2% 8.4% 11.6% 56.8% 14.7% 3.2% TRANSPORTATION OIL AND GAS PHARMACEUTICALS PRIVATE EQUITY PROFESSIONAL SERVICES REAL ESTATE TECHNOLOGY GOVERNMENT HEALTHCARE INSURANCE MANUFACTURING NON-PROFITMINING AEROSPACE MEDIA RETAIL DEVELOPMENT ENGINEERINGBANKINGASSET MANAGER 1.0% 1.0% 2.0% 1.0% 1.0% 1.0% 3.0%2.0% 2.0% 2.0% 1.0% 4.0% 1.0% 7.0% 16.0% 12.0% 8.0% 10.0% 15.0% 10.0%
Control Risks is a global risk consultancy. We help some of the most influential organisations in the world to understand and manage the risks and opportunities of operating around the world. Our unique combination of services, our geographical reach and the trust our clients place in us ensure we can help them to effectively solve their problems and realise new opportunities in a dynamic and volatile world. Working across five continents and with 37 offices worldwide, we provide a broad range of services to help our clients to be successful. Published by Control Risks Group Limited (“the Company”), Cottons Centre, Cottons Lane, London SE1 2QG. The Company endeavours to ensure the accuracy of all information supplied. Advice and opinions given represent the best judgement of the Company, but subject to Section 2 (1) Unfair Contract Terms Act 1977, the Company shall in no case be liable for any claims, or special, incidental or consequential damages, whether caused by the Company’s negligence (or that of any member of its staff) or in any other way. ©: Control Risks Group Limited 2016. All rights reserved. Reproduction in whole or in part prohibited without the prior consent of the Company.
abudhabi@controlrisks.com alkhobar@controlrisks.com amsterdam@controlrisks.com baghdad@controlrisks.com basra@controlrisks.com beijing@controlrisks.com berlin@controlrisks.com bogota@controlrisks.com chicago@controlrisks.com copenhagen@controlrisks.com delhi@controlrisks.com dubai@controlrisks.com erbil@controlrisks.com frankfurt@controlrisks.com hongkong@controlrisks.com houston@controlrisks.com islamabad@controlrisks.com jakarta@controlrisks.com johannesburg@controlrisks.com lagos@controlrisks.com london@controlrisks.com losangeles@controlrisks.com mexicocity@controlrisks.com moscow@controlrisks.com mumbai@controlrisks.com nairobi@controlrisks.com newyork@controlrisks.com panamacity@controlrisks.com paris@controlrisks.com portharcourt@controlrisks.com saopaulo@controlrisks.com seoul@controlrisks.com shanghai@controlrisks.com singapore@controlrisks.com sydney@controlrisks.com tokyo@controlrisks.com washington@controlrisks.com Control Risks’ offices www.controlrisks.com

Recommended

Cisco Yıllık Güvenlik Raporu 2015
Cisco Yıllık Güvenlik Raporu 2015Cisco Yıllık Güvenlik Raporu 2015
Cisco Yıllık Güvenlik Raporu 2015Marketing Türkiye
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadOpenDNS
 
Social Engineering Role in Compromising Information/Network Security
Social Engineering Role in Compromising Information/Network SecuritySocial Engineering Role in Compromising Information/Network Security
Social Engineering Role in Compromising Information/Network SecurityOladotun Ojebode
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesJoseph DeFever
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response SurveyFireEye, Inc.
 
Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?John Gilligan
 
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...Mighty Guides, Inc.
 
Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -
Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -
Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -Marcello Marchesini
 

Recommended

Cisco Yıllık Güvenlik Raporu 2015
Cisco Yıllık Güvenlik Raporu 2015Cisco Yıllık Güvenlik Raporu 2015
Cisco Yıllık Güvenlik Raporu 2015Marketing Türkiye
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadOpenDNS
 
Social Engineering Role in Compromising Information/Network Security
Social Engineering Role in Compromising Information/Network SecuritySocial Engineering Role in Compromising Information/Network Security
Social Engineering Role in Compromising Information/Network SecurityOladotun Ojebode
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesJoseph DeFever
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response SurveyFireEye, Inc.
 
Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?John Gilligan
 
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...
Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...Mighty Guides, Inc.
 
Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -
Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -
Ponemon report : 'Critical Infrastructure: Security Preparedness and Maturity -Marcello Marchesini
 
US Government Software Assurance and Security Initiativesi
US Government Software Assurance and Security InitiativesiUS Government Software Assurance and Security Initiativesi
US Government Software Assurance and Security InitiativesiLindsey Landolfi
 
rp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responserp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responseMaciej Buczkowski
 
The Economics of Cyber Security
The Economics of Cyber SecurityThe Economics of Cyber Security
The Economics of Cyber SecurityJohn Gilligan
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryPriyanka Aash
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEMJoseph DeFever
 
Cisco - See Everything, Secure Everything
Cisco - See Everything, Secure EverythingCisco - See Everything, Secure Everything
Cisco - See Everything, Secure EverythingRedington Value Distribution
 
Symantec cyber-resilience
Symantec cyber-resilienceSymantec cyber-resilience
Symantec cyber-resilienceSymantec
 
Preparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyPreparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyRapidSSLOnline.com
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionIvanti
 
Top Level Cyber Security Strategy
Top Level Cyber Security Strategy Top Level Cyber Security Strategy
Top Level Cyber Security Strategy John Gilligan
 
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...Booz Allen Hamilton
 
Security Program Guidance and Establishing a Culture of Security
Security Program Guidance and Establishing a Culture of SecuritySecurity Program Guidance and Establishing a Culture of Security
Security Program Guidance and Establishing a Culture of SecurityDoug Copley
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...FireEye, Inc.
 
Demonstrating Information Security Program Effectiveness
Demonstrating Information Security Program EffectivenessDemonstrating Information Security Program Effectiveness
Demonstrating Information Security Program EffectivenessDoug Copley
 
Building A Security Operations Center
Building A Security Operations CenterBuilding A Security Operations Center
Building A Security Operations CenterSiemplify
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) Eoin Keary
 
Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraLuke Farrell
 
2018 State of Cyber Resilience Insurance
2018 State of Cyber Resilience Insurance2018 State of Cyber Resilience Insurance
2018 State of Cyber Resilience InsuranceAccenture Insurance
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskSarah Clarke
 
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Hewlett Packard Enterprise Business Value Exchange
 
Company profile Nov 2015 with the team
Company profile Nov 2015 with the teamCompany profile Nov 2015 with the team
Company profile Nov 2015 with the teamtrevorshaff
 
New Threat Trends in CII(Critical Information Infrastructure)
New Threat Trends in CII(Critical Information Infrastructure)New Threat Trends in CII(Critical Information Infrastructure)
New Threat Trends in CII(Critical Information Infrastructure)Seungjoo Kim
 

More Related Content

What's hot

US Government Software Assurance and Security Initiativesi
US Government Software Assurance and Security InitiativesiUS Government Software Assurance and Security Initiativesi
US Government Software Assurance and Security InitiativesiLindsey Landolfi
 
rp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responserp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responseMaciej Buczkowski
 
The Economics of Cyber Security
The Economics of Cyber SecurityThe Economics of Cyber Security
The Economics of Cyber SecurityJohn Gilligan
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryPriyanka Aash
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEMJoseph DeFever
 
Symantec cyber-resilience
Symantec cyber-resilienceSymantec cyber-resilience
Symantec cyber-resilienceSymantec
 
Preparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyPreparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyRapidSSLOnline.com
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionIvanti
 
Top Level Cyber Security Strategy
Top Level Cyber Security Strategy Top Level Cyber Security Strategy
Top Level Cyber Security Strategy John Gilligan
 
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...Booz Allen Hamilton
 
Security Program Guidance and Establishing a Culture of Security
Security Program Guidance and Establishing a Culture of SecuritySecurity Program Guidance and Establishing a Culture of Security
Security Program Guidance and Establishing a Culture of SecurityDoug Copley
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...FireEye, Inc.
 
Demonstrating Information Security Program Effectiveness
Demonstrating Information Security Program EffectivenessDemonstrating Information Security Program Effectiveness
Demonstrating Information Security Program EffectivenessDoug Copley
 
Building A Security Operations Center
Building A Security Operations CenterBuilding A Security Operations Center
Building A Security Operations CenterSiemplify
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) Eoin Keary
 
Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraLuke Farrell
 
2018 State of Cyber Resilience Insurance
2018 State of Cyber Resilience Insurance2018 State of Cyber Resilience Insurance
2018 State of Cyber Resilience InsuranceAccenture Insurance
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskSarah Clarke
 

What's hot (20)

US Government Software Assurance and Security Initiativesi
US Government Software Assurance and Security InitiativesiUS Government Software Assurance and Security Initiativesi
US Government Software Assurance and Security Initiativesi
 
rp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responserp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-response
 
The Economics of Cyber Security
The Economics of Cyber SecurityThe Economics of Cyber Security
The Economics of Cyber Security
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your Story
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEM
 
Cisco - See Everything, Secure Everything
Cisco - See Everything, Secure EverythingCisco - See Everything, Secure Everything
Cisco - See Everything, Secure Everything
 
Symantec cyber-resilience
Symantec cyber-resilienceSymantec cyber-resilience
Symantec cyber-resilience
 
Preparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyPreparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategy
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the Union
 
Top Level Cyber Security Strategy
Top Level Cyber Security Strategy Top Level Cyber Security Strategy
Top Level Cyber Security Strategy
 
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...
 
Security Program Guidance and Establishing a Culture of Security
Security Program Guidance and Establishing a Culture of SecuritySecurity Program Guidance and Establishing a Culture of Security
Security Program Guidance and Establishing a Culture of Security
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
 
Demonstrating Information Security Program Effectiveness
Demonstrating Information Security Program EffectivenessDemonstrating Information Security Program Effectiveness
Demonstrating Information Security Program Effectiveness
 
Building A Security Operations Center
Building A Security Operations CenterBuilding A Security Operations Center
Building A Security Operations Center
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
 
Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive era
 
2018 State of Cyber Resilience Insurance
2018 State of Cyber Resilience Insurance2018 State of Cyber Resilience Insurance
2018 State of Cyber Resilience Insurance
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the risk
 
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
 

Similar to 2016 Resilience Survey for Real Estate and Critical Infrastructure Projects

Company profile Nov 2015 with the team
Company profile Nov 2015 with the teamCompany profile Nov 2015 with the team
Company profile Nov 2015 with the teamtrevorshaff
 
New Threat Trends in CII(Critical Information Infrastructure)
New Threat Trends in CII(Critical Information Infrastructure)New Threat Trends in CII(Critical Information Infrastructure)
New Threat Trends in CII(Critical Information Infrastructure)Seungjoo Kim
 
GP Safety Culture in NB - finished
GP Safety Culture in NB - finishedGP Safety Culture in NB - finished
GP Safety Culture in NB - finishedLarry Harlow
 
Amelioration of safety management in infrastructure projects
Amelioration of safety management in infrastructure projectsAmelioration of safety management in infrastructure projects
Amelioration of safety management in infrastructure projectsIJERA Editor
 
FEMARisk Management SeriesRisk AssessmentA How-To Gu.docx
FEMARisk Management SeriesRisk AssessmentA How-To Gu.docxFEMARisk Management SeriesRisk AssessmentA How-To Gu.docx
FEMARisk Management SeriesRisk AssessmentA How-To Gu.docxmydrynan
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...Power System Operation
 
Construction case study
Construction case studyConstruction case study
Construction case studyNatie86
 
Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research CSSaunders
 
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...Seungjoo Kim
 
Mejores practicas en proyectos
Mejores practicas en proyectosMejores practicas en proyectos
Mejores practicas en proyectosLisbethRoosRoos
 
Secure Soft Development Life Cycle .pptx
Secure Soft Development Life Cycle .pptxSecure Soft Development Life Cycle .pptx
Secure Soft Development Life Cycle .pptxOrlando Trajano
 
Holistic Cybersecurity_September 21, 2022_FV.pdf
Holistic Cybersecurity_September 21, 2022_FV.pdfHolistic Cybersecurity_September 21, 2022_FV.pdf
Holistic Cybersecurity_September 21, 2022_FV.pdfDrDaveChatterjee
 
The Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital TransformationNUS-ISS
 
Site Safety Management and planning for Building Construction
Site Safety Management and planning for Building ConstructionSite Safety Management and planning for Building Construction
Site Safety Management and planning for Building ConstructionAbu Yousuf Jamil
 

Similar to 2016 Resilience Survey for Real Estate and Critical Infrastructure Projects (20)

Company profile Nov 2015 with the team
Company profile Nov 2015 with the teamCompany profile Nov 2015 with the team
Company profile Nov 2015 with the team
 
New Threat Trends in CII(Critical Information Infrastructure)
New Threat Trends in CII(Critical Information Infrastructure)New Threat Trends in CII(Critical Information Infrastructure)
New Threat Trends in CII(Critical Information Infrastructure)
 
GP Safety Culture in NB - finished
GP Safety Culture in NB - finishedGP Safety Culture in NB - finished
GP Safety Culture in NB - finished
 
Amelioration of safety management in infrastructure projects
Amelioration of safety management in infrastructure projectsAmelioration of safety management in infrastructure projects
Amelioration of safety management in infrastructure projects
 
FEMARisk Management SeriesRisk AssessmentA How-To Gu.docx
FEMARisk Management SeriesRisk AssessmentA How-To Gu.docxFEMARisk Management SeriesRisk AssessmentA How-To Gu.docx
FEMARisk Management SeriesRisk AssessmentA How-To Gu.docx
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
 
[IJET V2I4P6] Authors:Miss Smita A. Bhole
[IJET V2I4P6] Authors:Miss Smita A. Bhole[IJET V2I4P6] Authors:Miss Smita A. Bhole
[IJET V2I4P6] Authors:Miss Smita A. Bhole
 
Construction case study
Construction case studyConstruction case study
Construction case study
 
SQP
SQP SQP
SQP
 
Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research
 
The New Security - Post "9/11"
The New Security - Post "9/11"The New Security - Post "9/11"
The New Security - Post "9/11"
 
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...
Using the CGC's Fully Automated Vulnerability Detection Tools in Security Eva...
 
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseAuditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
 
Mejores practicas en proyectos
Mejores practicas en proyectosMejores practicas en proyectos
Mejores practicas en proyectos
 
Research highlights in safety and security
Research highlights in safety and securityResearch highlights in safety and security
Research highlights in safety and security
 
Secure Soft Development Life Cycle .pptx
Secure Soft Development Life Cycle .pptxSecure Soft Development Life Cycle .pptx
Secure Soft Development Life Cycle .pptx
 
Holistic Cybersecurity_September 21, 2022_FV.pdf
Holistic Cybersecurity_September 21, 2022_FV.pdfHolistic Cybersecurity_September 21, 2022_FV.pdf
Holistic Cybersecurity_September 21, 2022_FV.pdf
 
The Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital Transformation
 
Site Safety Management and planning for Building Construction
Site Safety Management and planning for Building ConstructionSite Safety Management and planning for Building Construction
Site Safety Management and planning for Building Construction
 

Recently uploaded

CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and usesDevarapalliHaritha
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfAsst.prof M.Gokilavani
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx959SahilShah
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 

Recently uploaded (20)

CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and uses
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 

2016 Resilience Survey for Real Estate and Critical Infrastructure Projects

  • 1. Managing Risk | Maximising Opportunity RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016
  • 2. TABLE OF CONTENTS FOREWORD 2 INTRODUCTION 4 WHY AND WHEN WE SHOULD ENGAGE WITH THE PROCESS TO ENHANCE SECURITY 6 THE IMPORTANCE OF UNDERSTANDING THE THREAT AND ASSOCIATED RISKS 7 THE BENEFITS OF UNDERSTANDING WHOLE LIFECYCLE COSTS FOR SECURITY 8 THE IMPORTANCE OF ASSESSING AND UNDERSTANDING THE CYBER SECURITY THREATS TO BUILT INFRASTRUCTURE 9 THE IMPORTANCE OF USING QUALIFIED SECURITY PERSONNEL AND APPROPRIATE SECURITY STANDARDS 10 CONCLUSION 12 ABOUT THE SURVEY 13
  • 3.
  • 4. 2 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 FOREWORD The built environment is subject to a wide and complex range of security-related threats and hazards. This is the result of an increasingly volatile global security landscape generated by the proliferation of terrorism, separatism, civil disorder and organised crime, an increasingly technologically-advanced approach to cybercrime, and the prevalence of attacks on crowded places aimed at creating mass casualties. This complex security landscape has led to a growing interest in the subject of resilience. While there are differing interpretations of what this actually means, we describe it as an entity’s ability to adapt and evolve to changing environments whilst minimising the probability and/or impact of all hazards and risk events – a concept that has clear utility in the planning, implementation and operation of the built environment and critical infrastructure. The nature of the threats and hazards that a specific building or development may face is driven by its location, its function, the profile of its users and what that building is perceived to represent. Therefore, every building – and the approach that must be taken to security during its design, construction and operation – is unique, and the success of built infrastructure in facilitating its designed function relies on it being resilient to these security challenges. Control Risks has conducted this survey with a view to better understanding the perception and approach taken to security and resilience by those who deal with real estate and critical infrastructure. We surveyed more than 100 architects, developers, investors, end-users and engineers. We have asked who is responsible for security design, when and how security is considered during design and construction, and how important security is considered to be. The findings from the survey are discussed and analysed in this report and provide a comprehensive view on the extent to which the incorporation of security and resilience measures into building design is seen as a crucial part of the overall process for the development of the built environment.
  • 5.
  • 6. 4 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 A wealth of detailed information exists in the public domain on how to plan for, design and operate built infrastructure that is resilient in the face of the threat of crime, terrorism, social unrest and other associated risks. This includes a range of government directives and regulations, advice provided by national advisory bodies and professional institutions, and a plethora of national and international standards. The availability and awareness of these resources is having an effect on the approach taken to security, resulting in an increasingly pro-active approach and businessess incorporating security design measures at the early stages of the development process. Our survey found that whilst there was a good understanding of the advantages of ensuring that the resilience and security of built infrastructure is addressed during its design and construction, more can be done to ensure an integrated and efficient approach is taken. KEY FINDINGS • Robust security infrastructure provides a competitive advantage. Nearly 60% of respondents believe that the integration of robust security infrastructure into a construction project will help them to stand out from their competitors. • Early engagement with the security demands of a project is seen as essential. Organisations understand the importance of engaging with security requirements as three-quarters of respondents rated the early engagement with security demands of a project as essential. However, 40% stated that they ought to pay more attention to security and nearly a third stated that security will only become more important in the future. • Conducting a threat and risk assessment during the project design stage is key. Close to 90% of respondents see the threat and risks assessment as a critical or essential process to inform decisions during the conceptual design stage of an infrastructure project. How that translates into the development of security infrastructure is not well understood though, and nearly a quarter admit that their knowledge of security, and experience in the design and implementation of security systems, is not good or is insufficient. • Expenditure on security infrastructure creates a positive return on investment. Close to 70% of respondents agreed that the return on investment for expenditure on security infrastructure was worthwhile. However, the capital cost associated with security infrastructure is not necessarily fully understood. • Awareness of cyber security threats to built infrastructure is increasing. However, the picture is still complex: about half of respondents constantly reassess their cyber security threat profile, but a quarter of respondents have never done such an assessment. • Insistence on the use of appropriate security standards is limited. There is a limited appetite for the use of national or international standards when defining the requirements of security systems and a lack of appreciation as to the benefits that they can bring: even the most popular security standards were only used by less than half of respondents. INTRODUCTION
  • 7. 5 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016
  • 8. 6 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 There are considerable benefits to be gained from the provision of robust security infrastructure. This includes the potential to attract a wider range of tenant or user, increased rental values for real estate, the ability to address duty-of-care issues and the potential to reduce insurance costs. Indeed, 59% of respondents considered that the provision of robust security infrastructure can provide them with a competitive advantage. While this effect becomes more acute in more demanding security environments, it is even more pronounced when a building has a high-profile user group or contains high-value assets, even when the security threat is more benign. Clearly the combination of the two requires a very focussed approach to security. The best way to understand, develop and deliver the required security infrastructure in a coherent and efficient manner is to address it from the outset because it allows security infrastructure to be integrated efficiently within the architectural, structural, mechanical and electrical designs from the start, thereby reducing the requirements for costly design changes and system retro-fitting. Our respondents agreed and 73% indicated that early engagement with security is essential, whilst 74% indicated that they should incorporate adaptable and scalable security design measures into building design, which would allow them to address future changes in the security environment more efficiently. However, despite this broad recognition of the advantages to be gained from provision of robust security infrastructure and the importance of its early incorporation into the design process, only 57% of respondents considered their approach to the implementation of security measures adequate or good, while 40% believed that security was something they should pay more attention to in the future. The importance of engaging with security is clear and appears to be well understood. But there is more work to be done as this understanding does not necessarily translate into active engagement. If measures are designed collaboratively and early in the process, the financial burden of incorporating security infrastructure can be minimised through integrated and efficient design, the architectural impact of security infrastructure can be lessened, and costly and unsightly retro-fitting of security measures can be avoided. 74.3% The levels of security provided must be adaptable and scalable so that a commensurate response can be provided to changes in the security environment 73.0% Early engagement with the security demands of a project is essential 59.5% Provision of a robust security infrastructure is something that can provide a competitive advantage 40.5% Security is something that we ought to pay more attention to 29.7% We understand that security will only become more important in the future 17.6% Security is provided solely by on-site security personnel 14.9% Security is the responsibility of the police/state 8.1% Security measures are something that can be put in place once a project has been completed 74.3% 73.0% 59.5% 40.5% 29.7% 17.6% 14.9% 8.1% WHY AND WHEN WE SHOULD ENGAGE WITH THE PROCESS TO ENHANCE SECURITY Which of the following descriptions align to your organisation’s approach to security during a construction project? (multiple answers possible)
  • 9. 7 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 The most effective and efficient approach to the planning of security infrastructure is one that is threat and risk-led. Every piece of infrastructure has a unique risk profile stemming from the threat it is facing, and to be effective risk mitigation measures need to be tailored to the individual risk profile of the building. The desire to use this approach was reflected by the respondents, 74% of whom considered it essential to conduct a threat and risk assessment; 84% considered it important or essential to develop a security master plan at the conceptual stage of development. Yet effective risk assessment relies on a clearly defined and well-understood approach to tolerable loss. In other words, it is essential that an organisation understands to what level it is willing to accept injury, damage or loss of assets such as people, infrastructure and operating capability, and as a consequence of that level, how much resource it is willing to invest in protecting them. This is a contentious subject and one that is not well understood. 61% of respondents admitted to having an understanding of their tolerable loss that was neither good nor very good. But financial constraints almost always demand that organisations must accept that a degree of loss is possible, especially in more hostile security environments. BUT WHAT THREAT CONSTITUTES THE HIGHEST RISK TO A PIECE OF INFRASTRUCTURE? 68% of respondents listed the indirect effect of terrorism (i.e. collateral damage resulting from another building being targeted) as amongst the top security threats to their infrastructure once it is in use; a direct terrorist attack (i.e. an attack targeted at their building) was also considered to be one of the top security threats (57%). However, the profile of the contemporary terrorist threat could also lead to an overemphasis on low likelihood/high-impact events, with the potential that lower-impact events (such as those stemming from criminality or civil unrest) may not be given full consideration. These low likelihood/high-impact events may have a disproportionate effect on the security of specific assets such as data, and the retention of corporate reputation. Furthermore, it is important to remain aware of the changing tactics and the emergence of new threat actors, be they criminal or terrorist in nature. For example, there may be an increase in active shooter or “lone-wolf” attacks, or a reduction in the likelihood of complex attacks that are highly damaging to infrastructure. Either way, buildings need to be made more resilient to a number of highly unpredictable types of attacks that no longer only occur in countries of perceived high risk, but almost everywhere in the world. THE IMPORTANCE OF UNDERSTANDING THE THREAT AND ASSOCIATED RISKS Does your organisation have pre-defined levels of tolerable loss and does it appreciate how this concept can be used to define design requirements? 13.7% Very poor appreciation Extremely good appreciation 21.9% 24.7% 21.9% 17.8% What do you consider to be the top security threats to infrastructure once it is in use? (please tick all that you rate as top priority) 68.0% Terrorism - indirect/collateral damage 58.7% Insider threat 57.3% Terrorism - direct attack 53.3% Criminality - burglary 48.0% Social unrest 40.0% Anti-social behaviour 40.0% Protest 37.3% Lone wolf attack 36.0% Robbery/mugging/assault 9.3% Other (please specify) 68.0% 58.7% 57.3% 53.3% 48.0% 40.0% 40.0% 37.3% 36.0% 9.3%
  • 10. 8 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 THE BENEFITS OF UNDERSTANDING WHOLE LIFECYCLE COSTS FOR SECURITY Design teams devote a great deal of time and effort to understanding whole lifecycle costs during the feasibility and concept stages of the development of infrastructure. Despite all building users being exposed to the security arrangements that are eventually put in place, security is often omitted from the consideration of these costs or only included either as an afterthought or as a small additional item that can be incorporated into the scope of the mechanical and electrical engineer. This might seem to be an efficient approach in lower-threat and low-risk environments where some simple electronic security systems (rather than physical security systems) might be deemed sufficient. But in the context of a greater threat and/or high-value assets (people, systems and data) the costs, both in terms of capital expenditure (for example on physical and electrical security systems) and operational expenditure (systems maintenance and manned guarding capabilities), can be considerable and security measures need to be implemented as efficiently as possible. However, our survey results indicated that whilst 31% of respondents paid great attention to understanding whole lifecycle costs for security, 17% of respondents paid either no or very little attention to understanding them. Furthermore, 36% admitted to not knowing what level of funding is allocated to security and resilience issues, and 45% undertook no, or only informal, benchmarking for security-related costs. So, despite the fact that there was not a single respondent who considered that there was in no way a good return on investment for security infrastructure – indeed 68% of respondents considered that the return on investment good or very high, and there is clearly great effort taken to try and understand whole lifecycle costs – the limited benchmarking undertaken may influence decisions taken during design and construction. This may, in turn, mean that there is an inability to make a “value for money” case for the incorporation of different types of security, and this may result in an adverse effect on the longer-term profitability and commercial performance of the asset. How much effort do you expend on developing an understanding of whole lifecycle costs for security, including manned elements, during the initial stages of a project? Very little We pay great attention to this 5.2% 12.1% 32.8% 19.0% 31.0%
  • 11. 9 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 With the growing use of technology in modern building control systems, cyber vulnerability is increasing. Integrating technologically advanced security solutions can have the inadvertent side effect of creating potential new entry points for cyber threat actors. The integration of the control room with systems such as video surveillance or heating, ventilation and air-conditioning has evolved from standalone systems to remotely-managed web interfaces that bring an additional risk of compromise. The rapid expansion of technologies (often identified as the “internet of things”) means that the connectivity of devices may also include lighting, door access, sensors and interactive communications tools. Identifying the threats from this additional connectivity prior to system implementation is vital to their mitigation. The survey showed that the understanding of cyber threats and the actions required to mitigate those threats was highly dependent on the sector. Some 50% of security directors from the oil and gas industry state that they constantly reassess the cyber security profile of their organisation’s built environment and have conducted a rehearsal of their cyber crisis response within the last three months. The real estate sector, however, paints an entirely different picture: 40% of respondents from this sector have never assessed their cyber security threats and of those who have, 50% have never rehearsed their cyber crisis response. Simply having a crisis response plan in place is not enough. It is crucial to train with realistic scenarios that test an organisation’s ability to effectively manage evolving cyber incidents (for example, a ransomware attack or an advanced persistent threat (APT) attack), learn from gaps identified and adjust plans accordingly. In the case of a cyber-attack or compromise of building infrastructure, the traditional incident management processes need to be adjusted. Control Risks has seen a trend of increased targeting of building infrastructure over the past few years, with a specific focus on building management systems, alarm systems, sensors and integrated industrial control systems. The effectiveness of a breach can of course be devastating in the nuclear, oil and gas and energy sectors. But even a standard office building needs to be protected, as building management systems often create an easy entry point to a company’s IT network, which then leaves the company vulnerable to further loss or compromise of data. Vulnerability to cyber-attack can also be affected by an increase in third-party access points. 51% of respondents are fully or mostly aware of the level of access to their company’s systems afforded to third-parties and can thereby manage their exposure to the resultant risks. However, 25% are mostly or totally unaware of the level of third-party access to their systems. This lack of awareness means that companies are unlikely to have a holistic view of the threats. Without the understanding of who, what, how and when third parties have access to systems, the threats being posed are unclear and thus cannot be adequately managed. Embedding a culture of cyber security into design, procurement and project delivery processes is key to having effective, secure building management systems. THE IMPORTANCE OF ASSESSING AND UNDERSTANDING THE CYBER SECURITY THREATS TO BUILT INFRASTRUCTURE How aware are you of level of access that your third-party suppliers have to your systems? Totally unaware Fully aware 6.7% 23.3%18.3% 23.3% 28.3%
  • 12. 10 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 THE IMPORTANCE OF USING QUALIFIED SECURITY PERSONNEL AND APPROPRIATE SECURITY STANDARDS The construction industry is highly regulated and there is great emphasis placed on ensuring that correctly qualified personnel are contracted to conduct design and construction. However, this is not necessarily the case in the field of security: 38% of respondents either did not consider a specific formal qualification in the field of security to be important or were unaware of security-related qualifications and professional memberships. In the opinion of the 61% of respondents who saw value in qualifications or memberships of recognised security-related bodies, those considered more relevant were: MSc in security or risk management, Chartered Security Professional (CSyP), Certified Protection Professional (CPP), membership of the American Society for Industrial Security (ASIS) and membership of the Security Institute (SyI). However, the overwhelming indication of our respondents was that a strong track record in the provision of security consulting services was most important: 86% of those who considered qualifications or memberships to be relevant also attached importance to a track record of consulting on similar projects. Whilst Control Risks certainly agrees with the importance of consulting experience and recognises the great benefits of security qualifications such as those mentioned above, we also recognise the fundamental importance of highly qualified Chartered Engineers working within the field of security and of membership of independent organisations such as the Register of Security Engineers and Specialists who promote excellence in security engineering by providing a benchmark of professional quality. In terms of the use of standards, national and international design and construction standards are not only well understood and adhered to by those responsible for the development of infrastructure, but are used to define requirements and to conduct quality assurance. However, in the field of security, despite 81% of respondents stating that security design should be undertaken within specific security standards and best practice, the awareness and use of technical standards was not widespread with even the most popular standards only being used by 44% of respondents.1 To a degree, increasing awareness of technical security standards and their utility is the responsibility of the security consultant. But security standards can provide an audit trail that links the risk assessment, the defined tolerable loss levels and the operational requirement to the performance specifications of individual electronic and physical security systems. WHAT ARE THE ADVANTAGES OF COMPLYING WITH BEST PRACTICE IN TERMS OF THE STANDARDS USED AND THE QUALIFICATIONS OF THE CONSULTANT? Complying with best practice will bring both efficiency and quality to the design and implementation of security by enabling the delivery of coherence and integration between complementary security systems. This will ensure that a holistic approach (incorporating physical, electronic and procedural measures) can be taken to the development of security infrastructure, systems and organisations. But it will also ensure that security systems are tested and approved appropriately, thereby avoiding additional costs in the longer term and potential invalidation of insurances. In addition, and perhaps most importantly, it will ensure that designers and developers are not opening themselves up to any potential liabilities that may occur if they are subsequently found to have not followed recognised best practice. 1 The two standards quoted as being used the most were: • BS EN 50132 – CCTV surveillance systems/alarms • Crime Prevention Through Environmental Design (which in itself is not a standard as such but is a well-recognised multi-disciplinary approach to deterring criminal behaviour through environmental design)
  • 13. 11 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016
  • 14. 12 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 From the analysis of the data coupled with existing empirical information and analysis, we offer the following conclusions. • Ideally, the development of resilience of the built environment should commence as a multi-agency activity from the feasibility study stage of a project and be an integral part of a scheme master plan. It should be based on a horizon-scanning, all-hazards risk assessment with due consideration given to environmental, economic, integrity, political, security and cyber threats. This will help inform initial investment decisions. The development of mitigation options, which can be assessed in terms of cost and benefit and factored into project budgets, can then follow. Such activities should help drive investor confidence at these critical early stages. • This unified concept of resilience also allows a more holistic approach, providing a view of the project focussed on the interdependencies of the systems involved rather than the vulnerabilities of each component. This comprehensive view enables mitigation strategies to be consolidated and coordinated, resulting in more effective strategies that tackle multiple risks in a cost-effective way. • Security design and engineering, as part of this process to develop resilience, is a main stream design discipline. It has advanced rapidly in the period since 9/11 in respect of strategies, technologies and processes that address emerging threats and must now be seen as a crucial activity during the development of any piece of infrastructure be it for commercial, personal security or national resilience purposes. However, it cannot be approached in isolation from other design or development activities, and as part of that integrated approach it is fundamental that: –– Security design is preceded by well-informed threat and risk assessments that provide the context, a well-defined security strategy and the development of an overarching security master plan, thereby ensuring that a holistic approach to security can be taken –– The risk appetite and tolerance of potential end-users is well understood in order to ensure that a competitive advantage can be gained by making the development more commercially attractive –– Security design is incorporated into the design and development process from the conceptual design stage onwards, thereby ensuring that any opportunities to maximise operational or design efficiencies are taken –– Appropriate security standards are used that not only allow operational requirements to be defined and fulfilled, but ensure that appropriate systems can be procured and installed in the most efficient manner –– The cyber vulnerabilities, that multiply as the use of building management technology increases, are only well understood in some sectors and need to be addressed by embedding a culture of cyber security into the design, procurement and project delivery processes –– Appropriately qualified and experienced security design engineers are engaged to ensure that best practice can be implemented and end users do not make themselves liable for an inadequate provision of security Finally, it is worth considering that whilst there are numerous commercial and operational reasons for security to be embedded into every aspect of the design, development and operation of built infrastructure, 94% of our respondents viewed the implementation of security (and therefore, in the wider context, the implementation of resilience) as either important or fundamental to fulfilling their duty of care to their people. CONTACT THE AUTHORS: Mark Whyte, Senior Partner, mark.whyte@controlrisks.com Simon White, Director, simon.white@controlrisks.com CONCLUSION
  • 15. 13 RESILIENCE FOR REAL ESTATE AND CRITICAL INFRASTRUCTURE PROJECTS SURVEY 2016 This global survey, conducted between April and June 2016, took the opinion of 106 respondents into account. While there was a geographical focus on Europe, we had respondents from across the globe, representing all major industries. The survey has been sent out to many of Control Risks’ clients. We also received huge interest via our social media channels, leading to a wide range of job functions being represented. ABOUT THE SURVEY In which region is your organisation’s headquarters located? What role does your organisation have with respect to infrastructure? What is your role within your organisation? Which of the following best describes the industry of your organisation? MIDDLE EAST/NORTH AFRICASUB-SAHARAN AFRICA NORTH AMERICA CENTRAL AMERICA AUSTRALIA/OCEANIAEUROPE OUTSIDE UK ASIAUKSOUTH AMERICA 1.0% 3.8% 5.8% 25.0% 26.9% 9.6% 6.7% 8.7% 12.5% END-USERPORTFOLIO OWNER/MANAGER INVESTOR DESIGN AND BUILD CONTRACTTOR ARCHITECT ENGINEERING CONSULTANT PROJECT MANAGER/PLANNERDEVELOPER 1.0% 4.1% 9.3% 10.3% 17.5% 18.6% 13.4% 25.8% PROJECT MANAGER CEO DESIGNERFACILITIES OR BUILDING MANAGER SECURITY DIRECTOR/MANAGERRISK MANAGERCOO 1.0% 4.2% 8.4% 11.6% 56.8% 14.7% 3.2% TRANSPORTATION OIL AND GAS PHARMACEUTICALS PRIVATE EQUITY PROFESSIONAL SERVICES REAL ESTATE TECHNOLOGY GOVERNMENT HEALTHCARE INSURANCE MANUFACTURING NON-PROFITMINING AEROSPACE MEDIA RETAIL DEVELOPMENT ENGINEERINGBANKINGASSET MANAGER 1.0% 1.0% 2.0% 1.0% 1.0% 1.0% 3.0%2.0% 2.0% 2.0% 1.0% 4.0% 1.0% 7.0% 16.0% 12.0% 8.0% 10.0% 15.0% 10.0%
  • 16. Control Risks is a global risk consultancy. We help some of the most influential organisations in the world to understand and manage the risks and opportunities of operating around the world. Our unique combination of services, our geographical reach and the trust our clients place in us ensure we can help them to effectively solve their problems and realise new opportunities in a dynamic and volatile world. Working across five continents and with 37 offices worldwide, we provide a broad range of services to help our clients to be successful. Published by Control Risks Group Limited (“the Company”), Cottons Centre, Cottons Lane, London SE1 2QG. The Company endeavours to ensure the accuracy of all information supplied. Advice and opinions given represent the best judgement of the Company, but subject to Section 2 (1) Unfair Contract Terms Act 1977, the Company shall in no case be liable for any claims, or special, incidental or consequential damages, whether caused by the Company’s negligence (or that of any member of its staff) or in any other way. ©: Control Risks Group Limited 2016. All rights reserved. Reproduction in whole or in part prohibited without the prior consent of the Company.
  • 17. abudhabi@controlrisks.com alkhobar@controlrisks.com amsterdam@controlrisks.com baghdad@controlrisks.com basra@controlrisks.com beijing@controlrisks.com berlin@controlrisks.com bogota@controlrisks.com chicago@controlrisks.com copenhagen@controlrisks.com delhi@controlrisks.com dubai@controlrisks.com erbil@controlrisks.com frankfurt@controlrisks.com hongkong@controlrisks.com houston@controlrisks.com islamabad@controlrisks.com jakarta@controlrisks.com johannesburg@controlrisks.com lagos@controlrisks.com london@controlrisks.com losangeles@controlrisks.com mexicocity@controlrisks.com moscow@controlrisks.com mumbai@controlrisks.com nairobi@controlrisks.com newyork@controlrisks.com panamacity@controlrisks.com paris@controlrisks.com portharcourt@controlrisks.com saopaulo@controlrisks.com seoul@controlrisks.com shanghai@controlrisks.com singapore@controlrisks.com sydney@controlrisks.com tokyo@controlrisks.com washington@controlrisks.com Control Risks’ offices www.controlrisks.com