Focus on policies and risk management

Resellers need to know where to start and what to ask

When an integrator visits a potential customer for an access control specification, what's the first thing they should talk about? Product? If you answered yes, well, shame on you. You never start a conversation talking about product. You start by posing questions to the end-user that allow you to better ascertain what will best serve them and their business community or culture-make it safer and more secure system wide.

We consulted three experts in the field to ask them specifically what they think the security reseller and integrator should be asking the end-user about risk management and policies for access control. What we found overall was that it all reverts back to the need for consultative selling practices-a holistic approach, said Elliot Boxerbaum, CPP, CSC and president and chief executive officer of Security Risk Management Consultants Inc., Columbus, Ohio.

"It's all about a holistic security management program," said Boxerbaum. "Technology is just one piece. The most effective integrators are those who ensure the systems and the technologies are organizationally sustainable."

Boxerbaum developed and posted on the company Web site ( a diagram of the Holistic Security Program Management(tm) Model Security-each of the four core elements (security technology, policies and practices, staff training and engagement, and program management) interacts with every other element to create a flexible, resilient foundation. This foundation, however, should be considered only the beginning.

He said technologies are important, but alone they don't make a facility secure. "The key is helping the end-user understand the importance of doing an assessment and setting some priorities," continued Boxerbaum. "For example, accredited hospitals are required to do a vulnerability assessment, identifying risks and the impact of risks, then set priorities for the facility. Integrators should try to understand that their installation is part of a bigger system overall."

Ed Meltzer, national director of System Management for Niscayah Inc., Kansas City, Mo., said integrators need to be competent in their risk assessment for the customer and not simply responsive to situations. "We have to understand the customer's business drivers; that's what's often missed," said Meltzer. "It's important for the integrator to understand the pain or challenges with deployment of technology vertically and horizontally throughout the organization. Integrators need to understand what the whole operational impact is of even putting a camera or a card reader on a single door."

"Everyone is trying to increase performance and drive down costs," continued Meltzer. "You can't do that unless you understand the entire organizational impact and develop a structure that understands the motivation of the client." Meltzer said the integrator has to ask about what the challenges are for the facility--operational and financial and risk. "What is the impact the challenge is having on the facility? What do they currently have in place? What is the risk management philosophy of the user?"

According to Ron Lander CPP, CMAS, who is chair of the ASIS Council on Information Technology Security and chief executive officer of Ultrasafe Security Specialists, Corona, Calif., there are new threats and risks to consider at the workplace, including the crossover of domestic violence and bullying into places of employment.

Statistics from reveal that workplace violence decreases productivity and overall job satisfaction. During the year 2006 in America, homicide was the second leading cause of fatal occupational injury. Nearly 1,000 workers are murdered and 1.5 million are assaulted in the workplace each year. A study of domestic violence survivors found that 74 percent of employed battered women were harassed by their partner while they were at work.

This content continues onto the next page...