The "generic & holistic" plan of approach to tackle security issues of critical infrastructures, with strategic vision and pragmatic solutions
If you must deal with security issues in your organization, you can handle them in two different ways:
You can either go for quick wins, for example by installing some cameras at critical spots, or you can thoroughly examine your organization's security DNA and map what is needed to reach the appropriate security level.
The first option will give you a false sense of security, with only slight results, as cameras by themselves don't fix security issues entirely. The results will not lead to a lasting security level and will be questioned afterwards by management, also because of the lack of integration in the business processes and the missing return on investment.
The other option is a total and integrated approach to security management, with a durable long-term impact on the different layers of your organization. This holistic approach to security has proven its added value for more than 3 decades: the approach, which I implemented myself as Security Director of 3 corporates, was so successful that it became the standard approach of the R&T Group: supporting and advising our customers as a dedicated partner on how to tackle their specific security issues in a strategic and pragmatic way, always bearing the bigger picture in mind.
The application of such an approach is explained in this article, as if it were implemented by a corporate security director in his or her own organization.
Before kicking off and immediately diving into the security matter itself, a security expert needs to really understand the needs of the stakeholders, internal and external, and the corporate culture with all its values and habits. Getting the context clear at the beginning is indispensable, and the context will be revisited throughout the entire process.
The consequences of changed security installations and solutions can be drastic for the organization and its operational processes. If there is no broad support inside the organization for such a transformation process, there is only a limited chance of success. So it is crucial that at this early stage the scope and expectations are also well described, so that everyone is fully aligned. Internal stakeholders and contacts are listed and interviewed: not only those strictly related to security, but also the key figures in the different business processes. After all, these stakeholders will be very important and meaningful, not only to provide you with insider information but also to carry the changes or policies out to the entire organization. Their involvement will drive them to support and promote the decisions towards their colleagues. It has to be stated that support from the managing board is essential to reach an optimal chance of success.
The input from the interviews with the stakeholders, all relevant internal documentation, records of previous corporate or sector incidents and official police statistics will provide the data to assess the actual risks to the organization. Potential aggressions and aggression scenarios are mapped. Risk analysis also gives the opportunity to prioritize and to put assumptions in perspective. Make sure that outdated risk analyses are updated: due to constant changes in society and new criminal phenomena and tendencies, risk analyses need to evolve over time. Ideally, the analysis is reviewed annually. As an initial phase, risk analysis is extremely important to realize durable (not incident-driven) security management: it justifies future security investments and is the most important indicator of the return on security investments. At the same time, it keeps your organization from taking excessive security measures.
Once you know the risks and the potential damage they can cause to the assets of your organization, a gap analysis between the security situation as-is and what is necessary to mitigate the risks can be carried out. Interviews and (technical) site visits offer the possibility to map the totality of the security facilities and the company organization, and to inventory the weaknesses in the security measures in relation to the identified values and risks. The actual level of security will then become clear.
To design a security concept in which all identified weaknesses and risks are taken into account, you need to aim for an integrated security concept. Integrated security management focuses on aligning the different types of preventive security measures, namely organizational, architectural and technical measures. This means that not only techno-preventive measures like CCTV, access control or intrusion detection have to be in place, but also that the roles and responsibilities of each staff member, the communication lines, instructions, monitoring and the intervention have to be well elaborated. During the conceptual phase, make sure all legal requirements are taken into account.
The human aspect is an underestimated link in the total security concept. When people don't act in the desired way, it can create huge gaps in your secured environment. This lack of security attitude can be dealt with by security awareness programs. Every person, internal or external, in your organization plays an important role in the total picture of security and therefore has to take his or her share of responsibility. When security awareness is fully embedded in the organization, a true security culture arises. This takes a lot of time and effort, but it is key to integrated security management, with respect for the individual characteristics of the corporate culture¹, and it strengthens your security level.
After designing and planning your security concept and strategy, the implementation phase can take off. Some examples of these actions are:
- Roles and responsibilities are assigned;
- Policies and procedures are written and validated by the management board;
- Architectural and technical measures are designed in a technical specification document and, once adjudicated, meticulously followed up during implementation;
- Security awareness programs are developed and communicated;
- The quality of your site guarding is guaranteed.
As a conclusion, and based on our extensive experience, we always emphasize the combination of strategy and pragmatism. A generic view of the organization's business processes, values and concerns will strengthen your security approach and create a support base throughout the different layers of the organization. In the end, your organization has to benefit from your professional engagement towards security.
¹ Security culture Transformation© (developed by the R&T Group)