Cyber Security in the Wake of SolarWinds: Essential Tips for Boards & CISOs
On October 30, 2023, the US Securities and Exchange Commission charged SolarWinds and its Chief Information Security Officer,...
Mark Barwood – Business Development Manager, Acuity Risk Management
In today’s ever-changing environment, securing business assets and maintaining resilience requires a risk-based approach to designing security programmes. This approach, which I learned through the Certified Security Management Professional course (CSMP, International Security Management Institute, 2020) and my work at BBC Corporate Security and Pirate Studios, emphasises continual adaptation to threats and risks.
General Stanley McChrystal’s book, “Risk: A User’s Guide”, provides an insightful quote: “If there are no threats, our vulnerabilities don’t matter; and if we have no vulnerabilities, threats don’t matter.” This succinctly captures the essence of the risk equation: THREAT x VULNERABILITY = RISK.
To develop a risk-based approach to security management programs, organisations can follow the example process outlined below:
Asset Identification: Identify tangible assets such as people, equipment, buildings, property, and cash, as well as intangible assets like reputation, market share, intellectual property, and knowledge. Assess the operational criticality of each asset.
Threat Intelligence: Determine the threats facing the assets, such as protesters, terrorists, organized crime groups (OCGs), opportunist criminals, individuals suffering from mental health issues, insider threats, and fixated individuals. Evaluate the capability and intent of these threat actors to cause harm.
Risk Analysis (Inherent): Assess the risk in the absence of any control measures. In a counterterrorism (CT) context, likelihood can be taken from the national threat level set by the Joint Terrorism Analysis Centre (JTAC), with consequence scored as catastrophic.
Mitigation: Apply the 4T’s of risk mitigation:
Terminate: Cease the activity that carries the high risk.
Treat: Implement control measures that reduce the risk to an acceptable level.
Transfer: Pass the risk to a third party, for example through insurance.
Tolerate: Accept low-risk situations.
Risk Analysis (Residual): After control measures and mitigation strategies are in place, reassess the risk that remains. The residual risk should sit within the organisation’s risk appetite, that is, its comfort level regarding risk exposure. Also respond to incident data: a sudden increase in crime reports targeting an asset, for example, may warrant a review of the current mitigation measures.
Vulnerability Analysis: Evaluate security gaps against agreed standards for physical security measures. If a critical asset requires specific control measures and some of them are ineffective or only partially effective, a security vulnerability exists. It is the risk owner’s responsibility to decide on the appropriate mitigation; budgetary constraints may lead them to accept the vulnerability. Record both the decision and the name of the risk owner.
Risk Reporting: Heads of Security and Executive Board members need clear, concise reporting on security risk. Capital expenditure decisions for physical security often rest on risk analysis reports that demonstrate how security risk exposure has changed over time. In my opinion, visual representation is the most effective way to convey this information.
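The process above, from threat and asset scoring through the 4T’s to a residual score, vulnerability list and report for the risk owner, as an added worked example in Python. It is not part of the original article or of Acuity’s STREAM product; the scoring scales, the control effectiveness weights, the rule that likelihood is bounded by the weaker of capability and intent, the halving of consequence under Transfer and the “doubled incidents” review trigger are all assumptions chosen for illustration, and the data hall risk is constructed.

```python
from dataclasses import dataclass, field
EFFECTIVENESS = {"effective": 1.0, "partially effective": 0.5, "ineffective": 0.0}  # assumed weights

@dataclass
class Control:
    name: str
    required: bool    # mandated by the agreed physical-security standard
    status: str       # a key of EFFECTIVENESS, as scored in the vulnerability analysis
    reduction: float  # share of likelihood removed when fully effective (assumed)

@dataclass
class Risk:
    asset: str
    threat: str
    capability: int   # 1-5 threat actor capability
    intent: int       # 1-5 threat actor intent
    consequence: int  # 1-5, where 5 = catastrophic
    treatment: str    # one of the 4T's: Terminate, Treat, Transfer, Tolerate
    owner: str        # risk owner recorded against the decision
    controls: list = field(default_factory=list)

def inherent_score(r):
    # Both capability and intent are needed, so the weaker one bounds likelihood (assumed model).
    return min(r.capability, r.intent) * r.consequence

def residual_score(r):
    if r.treatment in ("Terminate", "Tolerate"):  # ceased: nothing left; accepted: no controls credited
        return 0 if r.treatment == "Terminate" else inherent_score(r)
    lk, cons = min(r.capability, r.intent), r.consequence
    if r.treatment == "Transfer":  # insurance limits consequence, not likelihood (assumed: halves it)
        cons = max(1, cons // 2)
    for c in r.controls:  # Treat: each control removes part of the likelihood
        lk *= 1 - c.reduction * EFFECTIVENESS[c.status]
    return round(lk * cons, 1)

def vulnerabilities(r):  # required controls that are not fully effective
    return [c.name for c in r.controls if c.required and c.status != "effective"]

def risk_report(r, appetite, incidents_now, incidents_before):
    return {"asset": r.asset, "threat": r.threat, "owner": r.owner, "inherent": inherent_score(r),
            "residual": (res := residual_score(r)), "within_appetite": res <= appetite,
            "vulnerabilities": vulnerabilities(r),
            # A sudden rise in incident reports (assumed: doubled) triggers a mitigation review.
            "review_required": incidents_now >= 2 * max(incidents_before, 1)}

# Constructed sample: an OCG threat to a data hall, treated with three physical controls.
EXAMPLE = Risk("Data hall", "Organised crime group", 4, 3, 5, "Treat", "Head of Security", [
    Control("Perimeter fencing", True, "effective", 0.4),
    Control("CCTV coverage", True, "partially effective", 0.3),
    Control("Guard force", False, "effective", 0.5)])
```

Calling `risk_report(EXAMPLE, 5, 6, 2)` reports inherent 15, residual 3.8 (within an appetite of 5), CCTV coverage as the open vulnerability, and a review flag because incidents tripled.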
Acuity’s STREAM Integrated Risk Manager platform offers a comprehensive solution for automating the risk management process described above. Trusted by numerous organisations worldwide for enterprise risk management, compliance and audit, the platform can be tailored to security programmes that prioritise a risk-based, forward-looking approach. STREAM integrates all aspects of physical security risk management, continuously updating risk metrics to show the organisation’s risk exposure as it progresses toward its operational goals.