Is Security Risk Management Forgetting Something?

In early January of 2018, the Security Industry Association (SIA) published, “Security Megatrends™: The 2018 Vision for the Security Industry.” This concise booklet summarized 10 megatrends, one of which was #4, “Evolution of Risk Management: Risk Management Transcends Department Titles”, which asserted the following:

“The risks have changed and no organization, large or small, is immune from physical security threats, terrorism, hackers, and organized crime and insider compromise. Corporate security is morphing into new disciplines and even employing counter intelligence practices to proactively address and plan for attacks which are wide-ranging and can include loss of information, credit card fraud, workplace violence, worker’s compensation fraud, embezzlement, loss of proprietary information and compliance control. Risk management and planning has broadened and the most effective plans focus on a holistic approach and collaboration between all stakeholders – extending beyond the chief security officer, security executive, C-suite and chief information security officer to include human resources, information technology, other employee stakeholders as well as suppliers and service providers.”

Although the evolution of managing risk is well illustrated in SIA’s article on Megatrend 4, it is important to dive even deeper to see how this trend consequentially affects not only the logical world of physical security but also the role of the entry in mitigating risks.

What is Security Risk and How is it Measured?

The first issue is that “risk,” as a term, is unfortunately either misused or overused, and an actual risk is often deferred or set aside because of that improper use. Most of those in a C-suite position typically review a risk as a consequence of events rather than as a precursor to liability. This is often the greatest problem and thus the Achilles heel of defining how best to deal with security risk. The answer is sometimes as simple as preventing those risks from entering your building. Policies alone cannot prevent a malicious bad actor from getting in. After years of building the walls internally with cameras, access control, cyber security, and analytics, it’s time to reevaluate security risk.

How Do you Become Defensible to Liability?

Risk turns into liability when a manager or executive knows and accepts that a door with an access control device can be breached simply by holding it open for someone else. If that is a known risk, then how do you become defensible to liability? The answer is a secured intelligent entry system that prevents tailgating and piggybacking. Unfortunately, the security industry must go back to its roots and realize that defining, tracking, disclosing, evaluating and pursuing threats once they occur merely mitigates risk; it does not resolve liability.

The C-suite more than ever wants to know what the term “security risk” means, but it cannot do so unless the security industry defines it for them. Because compliance does not provide absolute security, security stakeholders must build deterrents that are effective in mitigating risks so they do not lead to liability, which is absolute. As the evolution of risk management includes an acceptance of multiple risks and involves more stakeholders, part of this new, holistic approach MUST involve the recognition and management of liability and the entry’s important role in eliminating it.

Mitigating Risk with Security Entrances


Pierre Bourgeix
Pierre has over 20 years of solutions selling and consulting experience in the security industry, most recently as the owner of his own consulting company, ESICONVERGENT LLC. Pierre has an MBA in Business Administration from UCLA Anderson School of Management and resides in Cleveland, Ohio.