Enterprise security strategies identify liabilities & ways to mitigate risks, showing how the cost of mitigation prevents larger liability costs

The security profession continues to take on new risk management responsibilities. The big thing now is called Enterprise Security and Risk Management (ESRM). ASIS International has issued a standard on the subject: ANSI/ASIS/RIMS RA.1-2015, and a couple of booths at the recent ASIS International 2015 Seminar explored the subject.

Mitigating risks

“Enterprise Risk Management or ERM is a common business term, so we differentiate ERM from the security world by adding the word security to it,” says Ray O’Hara, CPP, Executive Vice President in the Palm Desert, California, offices of AS Solution.

The growth of multi-national business enterprises with multiple locations domestically and internationally has given rise to this new and multi-faceted form of security. “ESRM covers a myriad of areas that need to be protected today,” says O’Hara.

O’Hara lists domestic and foreign executive travel, manufacturing and production facilities here and around the world, third-party manufacturing facilities, executive offices, intellectual property and the supply chain that ties all of these assets together.

ESRM requires continuous risk and vulnerability assessments, too, because the risks change with circumstances. “What if I have a tractor trailer with electronic equipment sitting in an unsecured truck yard 2,000 miles from its destination?” asks O’Hara. “Do I care? If I transfer the responsibility to the shipper and the shipper’s insurance, I don’t care. Then again, what if I have a customer with a deadline waiting for that equipment? Now I do care. Effective protection requires corporate security to identify all risks — in every department — and rank them as low, medium or high. Then, where appropriate, you mitigate risks to a level that the company can absorb.”

Senior executive buy-in

For an ESRM programme to succeed, senior corporate executives must endorse it and actively support it, continues O’Hara. Suppose you walk into the Human Resources department to discuss risks involved in hiring people around the globe. Suppose further that you have discovered that HR is using a questionable (and inexpensive) service to conduct background checks, and you would like to address that risk.

If the Director of Human Resources doesn’t have time for you, you will need to be able to ask the CEO to tell the director to make time, listen to what you have to say and act on the advice you give. Without the active support of senior executives, ESRM programmes addressing departmental risks throughout every department and in facilities around the world cannot succeed. How does a security department generate that kind of support?

Developing enterprise security strategy

According to O’Hara, you have to develop an enterprise security strategy, present it to C-Suite executives and show them how your strategy synchronises with the corporate business strategy. The presentation identifies risks and liabilities, recommends ways to mitigate those risks, and shows how the cost of mitigation can prevent much larger liability costs.

“Mitigation measures could be insurance, where you transfer the risk to someone else,” O’Hara says. “It could be security technology, security patrols, better background checks. It all depends, of course, on the nature of the problem right now.”

For example, explains O’Hara, suppose you have protected a warehouse that is storing a custom-made inventory worth a million dollars awaiting delivery to customers. You’ve secured the warehouse with card access locks, intruder alarms and several cameras. For good measure, you have a security guard swing by a couple times each night.

As the inventory is picked up and trucked away to customers, the financial risk declines. At some point, you might decide the risk isn’t great enough to send the security officer to check on the merchandise. By the time the warehouse empties out, you won’t need anyone to monitor the surveillance cameras. Depending on when you expect the warehouse to fill up again and the value of the materials, you could move one or all of those cameras to another location.

Enterprise Security and Risk Management is the next big thing for security professionals — and it is a very big, comprehensive thing.

SNG™ takes a broad look at the latest research, and commercial and industrial market trends in the security industry

The Security Industry Association (SIA) has announced the agenda for Securing New Ground® (SNG™), the security industry’s top executive conference, scheduled for Oct. 28-29, 2015, at the Millennium Broadway Hotel in New York City.

The SNG™ 2015

This executive forum takes a comprehensive look at the state of the security industry, the latest research, and commercial and industrial market trends impacting business strategies. Over a day-and-a-half of sessions tailored for suppliers, integrators and practitioners, conferees will experience a focused, unbiased event where game-changing information is exchanged, and business gets done.

“In the last several years of SNG™, we have mapped incredible change in the security industry to the benefit of our members and conferees,” said V. John Stroia, Chief Operating Officer of The Will-Burt Company and SIA Chairman. “I’ve seen firsthand how businesses have been bought and sold and lucrative new deals have been made because of contacts initiated at the SNG™ conference. It is the best place for security industry executives to make things happen.”

Some of the top presenters confirmed to date include influential suppliers, integrators and practitioners in the security industry:

Suppliers
Steven Van Till, President & CEO, Brivo Systems
Thanasis Molokotos, President & CEO, ASSA ABLOY Americas Division
Ron Virden, President & General Manager, Lenel, Supra and Onity

Integrators and dealers
Tim Whall, Chairman & CEO, Protection 1
Jason Oakley, President, North American Video, Inc.
Pamela Petrow, President & CEO, Vector Security Inc.

Practitioners
Bonnie Michelman, Director of Police, Security and Outside Services, Massachusetts General Hospital
Brian Allen, Chief Security Officer, Time Warner
Dave Cullinane, Founder, TruSTAR Technology LLC

New SNG™ opportunities

For the first time, SIA is teaming up with the Global Security Risk Management Alliance (GSRMA) to expand SNG™ opportunities for security practitioners. A half-day practitioners’ session will provide a plain English translation of IT security concepts and actions so any physical security leader can effectively engage in a discussion of cyber security.

“As cofounder and president of GSRMA, I have alerted my fellow security practitioners to beware of the blurring distinctions between traditional and logical security. As we work toward an umbrella Enterprise Security Risk Management framework, SNG™ is an excellent venue for practitioners to identify the challenges of a unified security alignment side-by-side with suppliers and security integrators,” said Ray O’Hara, CPP, Executive Vice President of AS Solution.

The security sector is evolving at a rapid pace, and SNG™ is essential to properly evaluate new partnerships and key factors that will influence the decisions and investments visitors make in the future.

If your company has a facility or a current business meeting in Seoul, South Korea, you would want to know the details behind the recent knife attack on the U.S. ambassador to South Korea, Mark W. Lippert.

You would want to know that the attacker belonged to a group promoting the unification of North and South Korea and that South Korean President Park Geun-hye called the event an attack on the South Korea-U.S. alliance. You would want to know where in Seoul the attack occurred as well as many other details not reported in the newspaper.

How close are your facilities to the location of the attack? Does proximity to the location mean that you should take special precautions to protect your people?

“If you do business in Nigeria, you’ll no doubt want to know all you can about Boko Haram and how this movement can affect your company and personnel,” says Ray O’Hara, CPP, executive vice president with AS Solution, a security provider offering services that include embedded intelligence analysts.

Monitoring and reporting on news sources

Many Fortune 500 companies with installations around the world employ or embed third-party intelligence analysts in their far-flung operations. The goal is to keep everyone up to date on potential regional risks.

“The work of intelligence analysts includes gathering many types of data and creating reports that turn that data into actionable intelligence,” continues O’Hara, who is also a past president of ASIS.

Intelligence analysts monitor a variety of news sources every day looking for events that could affect the company’s business as well as its vertical markets.

“Analysts don’t simply report the news — they filter it and analyse it,” says O’Hara. “They use a variety of public and proprietary news sources, alerts, social media platforms and even deep web data.”

They look for changes in existing patterns and new, emerging patterns that could alter the company’s security profile.

When company employees travel to a city or if the company decides to take part in an event in a city, the analysts take a close look at the neighbourhood, the city and the region. In addition to news sources, they talk to local people in the company’s orbit: employees working in a company office there, customers, the authorities and others.

Finally, the analysts consolidate their findings into reports on risks related to company travel and events.

Intelligence analysts around the world

Analysts also follow and report on major events in parts of the world where the company has interests, issuing regular updates whenever new information becomes available.

AS Solution’s people are always scanning the landscape for talented young people that might make good analysts. “They need to have an interest in the world and a business mind,” O’Hara says. “An analyst’s job is about duress and risk to the business they are involved in.”

For instance, an analyst working with a firm that manufactures heavy equipment would have to be tuned into the markets for raw materials, the equipment needed to handle the manufacturing tasks, and the state of the company’s customers. How are their businesses doing?

Intelligence analysis as part of a company’s security portfolio is becoming more and more important to companies with facilities and customers located around the world.

“It is also an important response to 24-hour-a-day news overload,” adds O’Hara. “We have to find news important to our company somewhere underneath all the news chatter.

“And as you know, the news media is often wrong. So part of an analyst’s job is to validate the information included in his or her reports.”

Intelligence collection and analysis is a growing security need, adds O’Hara. AS Solution works with Fortune 50 companies, and embeds more and more of its analysts in their business units to look for trends and risks — in emerging economies such as those in Africa and now Cuba as well as in trouble spots such as the Ukraine.

As the world changes, so does the nature of security.