Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Security Governance

How to Build a New, Risk-Based Police Model that Really Works

Law Enforcement Can Transform Itself by Turning to a Risk-Based Policing Model

Watching the protests across the country over the last few months,  the two groups, the Citizens and the Police, as polarized as the US Congress, I think, we can do BETTER than this. We can make police officers RISK OFFICERS for their communities.

The current stereotypes of police with military-style weapons and protective gear, is counterproductive, just like the stereotype of poor, uneducated, violent, drug-using citizens is also counterproductive to progress.

Most departments are still working with the historical model of law enforcement that is still followed religiously around the country, even though it is over 100 years old.  This model is totally ” Enforcement ” oriented.  Something bad happens, police go find the perpetrator and arrest them.

At the same time, cities and counties are having a hard time enlisting new officers, in fact, in Police Chief Magazine in the December 2014 issue, they point out that 80% of departments are having major recruitment problems. Young men don’t want to become ‘traditional’ police officers. The role needs to change.

The model of law enforcement is at a point when it needs to change, and to evolve into a risk-basedcrime-preventive model, instead of a total arrest and subdue model. 

The benefit would be a different kind of police force, one that is more educated, more  tech-savvy, and problem solving, and focused heavy on prevention.

Instead of educating police officers on some goofy model of how to talk to people, they need to get educated on threat-risk techniques.  They need to be able to go to a neighborhood, pro-actively and come up with a risk assessment for that neighborhood,  followed by a plan to improve the lives of the people who live
there.  Just like we use interviews and surveys for our high-tech risk assessments, these officers could do the same thing.

Police officers today perform only a narrow range of activities.  This great group of ethical professional officers COULD DO SO MUCH MORE.  


In the next article, we’ll include suggestions on how to make the change.

Data-Driven Security – Using Metrics to Focus & Target Security Programs

Security programs can be dramatically improved by using a metrics-based assessment to focus them on the areas of greatest threat, and to use metrics as a management tool to keep the security program targeted on the areas that need the most attention.

Using a data-driven approach – that is, using real numbers to measure
and quantify security, always results in tangible improvements.

Management of a security program is no different than management of any other department, whether it’s human resources, cash flow, employee productiveness, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved.

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization.

Most security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs. Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Fortunately, recent improvements in security technology and in development of wider reporting of threats and vulnerabilities, allow management metrics to be applied to the management of the security program to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be implemented,  based on their return on investment.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls.

Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1.  Determining the value of the assets of the organization, including the facilities, the personnel, the security systems and the current controls.

2.  Analyzing the Threat Level, based on either internal incident reports, or industry data, including the Uniform Crime reports. 

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the local facility manager to the CEO to find out how they are implementing security in their workplace.

4. Identifying potential categories of loss, which help focus the security program on the problem areas.

5. Analyzing current Controls that are currently in place, or that could be added to protect an organization.

By gathering data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls and prioritize security controls by “bang for the buck”.

Using data-based security builds a bridge between executive management and the security professionals in the organization who now have an avenue for open communication and consideration of the role of security throughout the organization.




Put your Hospital Security Department on a Low Fat Diet

Hospitals are reeling from potential losses in funding related to state budget cut-backs
and potential cuts in Medicare programs.  Every area of the hospital budget are being scrutinized, looking for areas to cut and reduce costs.

Instead of waiting for a memo about cuts that affect YOUR department, be a
pro-active manager and right-size your security department and show management
the changes you want to make.

It is possible to have an efficient, accountable security department without having costs run out of control.  It has to be based on real dollars, on real risks and it has to have the ability to show management WHY you need each element in your program.

The already-required risk assessment is the first start in this process.  When regulators come in to a hospital, they want to see the risk assessment first, and then they look to see if you followed the remediation plan identified in the risk assessment, which means they want to see you made the right improvements, based on the plan.

By including program elements in the risk assessment, and mapping it back to your actual budget, you can easily say that the Return On Investment is for each part of your program.

Building a Model for Security Governance, Risk and Compliance

I recently began to think about how to integrate security seamlessly into an organization — without having security activities and processes pigeonholed into a stovepipe like physical security (the 3 Gs, guns, guards and dogs); or in the rarified atmosphere of the IT Department.

Other business processes are already thought of as an integral part of a business.  Think personnel, finance, shipping, sales.  All basic parts of any organization, including government agencies (which are another kind of business), have these different categories but security is never mentioned as one of these basics.

Of course, my readers know that none of the other pieces would get very far without good, or even great security.  You can’t run an organization without locks on the doors.  You can’t run a network with security controls or it would just collapse into a heaping pile of spam within a few hours and become totally useless.

So if we wanted to integrate security and use the risk assessment process to do it — what are the pieces we would integrate?   One night over dinner with other security people, we started to build a security model, which could then by assessed and each category would have steps which could be combined to create THE PERFECT INTEGRATED SECURITY GOVERNANCE MODEL!!

I am open to suggestions about other aspects but here’s the list of the ones we started off with:

1.  Access Controls

2.  Accountability

3.  Budget/Fiscal Responsibility

4.  Compliance

5.  Information Technology

6.  Investigations

7.  Measurement/Evaluation

8.  Personnel Management

9.  Policies & Procedures (Ps & Ps)

10. Risk Assessment & Management

11.  Security Planning

12.  Training and Awareness

In the model I’m proposing, each of these areas could by quantified into a 5-step program with zero meaning no progress in that area, and five meaning it has been integrated into the organization as a standardized, budgeted process.

Send me an email if you’d like to see a graphic of the model.  The point of a model is to get an idea of where you are on the pathway to integration of the security model into the business process.  For example, you could find out that you doing great on access control and technology, but not so good on accountability or awareness.  Then you could put more emphasis, or resources into those deficient areas.

If you’ve ever read this blog before, you know that my mantra is, “if you can’t measure it — you can’t manage it” (quote by the late, great Dr. Peter Drucker).

While listening to talk radio people discussing the problems of AIG, I heard another great line, “Companies that are ‘to big to fail’ … are probably ‘to big to manage’.   And that’s probably right, because those companies, with tentacles out into industries all over the world, are probably ALSO TOO BIG TO MEASURE!

So having metrics applies to all these corporate processes and managing security using metrics must be an idea whose idea has come.   Often the security departments in companies are isolated from the C-level and may not be included as often as other corporate or department managers are.    This is why the breakdown occurs that leads to weakness in compliance with regulations, which can destroy the entire organization, or, if you’re a bank, can lead at a CDO (Cease and Desist

Often these twelve critical security elements are absolutely essential to the running of the organization and that is why it is important to create a management model to measure how they are working in YOUR organization!