Focus on policies and risk management

When an integrator visits a potential customer for an access control specification, what's the first thing they should talk about? Product? If you answered yes, well, shame on you. You never start a conversation talking about product. You start by posing questions to the end-user that allow you to better ascertain what will best serve them and their business community or culture-make it safer and more secure system wide.

We consulted three experts in the field to ask them specifically what they think the security reseller and integrator should be asking the end-user about risk management and policies for access control. What we found overall was that it all reverts back to the need for consultative selling practices-a holistic approach, said Elliot Boxerbaum, CPP, CSC and president and chief executive officer of Security Risk Management Consultants Inc., Columbus, Ohio.

"It's all about a holistic security management program," said Boxerbaum. "Technology is just one piece. The most effective integrators are those who ensure the systems and the technologies are organizationally sustainable."

Boxerbaum developed and posted on the company Web site ( a diagram of the Holistic Security Program Management(tm) Model Security-each of the four core elements (security technology, policies and practices, staff training and engagement, and program management) interacts with every other element to create a flexible, resilient foundation. This foundation, however, should be considered only the beginning.

He said technologies are important, but alone they don't make a facility secure. "The key is helping the end-user understand the importance of doing an assessment and setting some priorities," continued Boxerbaum. "For example, accredited hospitals are required to do a vulnerability assessment, identifying risks and the impact of risks, then set priorities for the facility. Integrators should try to understand that their installation is part of a bigger system overall."

Ed Meltzer, national director of System Management for Niscayah Inc., Kansas City, Mo., said integrators need to be competent in their risk assessment for the customer and not simply responsive to situations. "We have to understand the customer's business drivers; that's what's often missed," said Meltzer. "It's important for the integrator to understand the pain or challenges with deployment of technology vertically and horizontally throughout the organization. Integrators need to understand what the whole operational impact is of even putting a camera or a card reader on a single door."

"Everyone is trying to increase performance and drive down costs," continued Meltzer. "You can't do that unless you understand the entire organizational impact and develop a structure that understands the motivation of the client." Meltzer said the integrator has to ask about what the challenges are for the facility--operational and financial and risk. "What is the impact the challenge is having on the facility? What do they currently have in place? What is the risk management philosophy of the user?"

According to Ron Lander CPP, CMAS, who is chair of the ASIS Council on Information Technology Security and chief executive officer of Ultrasafe Security Specialists, Corona, Calif., there are new threats and risks to consider at the workplace, including the crossover of domestic violence and bullying into places of employment.

Statistics from reveal that workplace violence decreases productivity and overall job satisfaction. During the year 2006 in America, homicide was the second leading cause of fatal occupational injury. Nearly 1,000 workers are murdered and 1.5 million are assaulted in the workplace each year. A study of domestic violence survivors found that 74 percent of employed battered women were harassed by their partner while they were at work.

"Today, you have to be aware that domestic violence has spilled over into the workplace," said Lander. "So you have to think outside the box today and also, take the holistic approach. You have to consider all the entrances, not just the main one. The significant other can be waiting in the parking lot or garage; they know where their partner works and when they leave, etc."

Lander said an assessment will determine the company's risk priorities, competitive risks, assets, personnel or other hardware of software risks. "You need to cover the perimeter with access control, and make sure people have an escape plan as well. People have to learn to react and how to react. Generally, I've found there is a lack of security preparedness and training at corporations and among end-users."

Another initiative is to take the personnel factor into account and consider all the possibilities; help the end-user develop handbooks and policy management guides as well as orientation procedures and follow up. Checking that the processes have been implemented is another goal. Companies need disaster preparedness plans and copies have to go out to all personnel. "Access control has to be fortified--many access control systems have all their data on one computer and don't have appropriate back up."

Lander said if a corporation/company is not sure what they want, they should hire a consultant with no connections to any manufacturers to do a complete site assessment. "Some integrators have a tendency to lead a client down a path of least resistance, which is equipment that they are familiar with, which sometimes is not in the best interest of the client," added Lander. "Many good integrators will do a hardware assessment and be aware of the overall capabilities of many vendors, thereby giving the client what they need."

The way the reseller can add value to the equation is through the consultative selling approach and that means a consideration of the policies and risk management procedures which may be in place, or assisting the end-user. Coupled with technology, such as access control, the solution will be sure to fit the user like a glove.

Leading Stats

According to the latest workplace injury figures from the U.S. Department of Labor, violence is a leading cause of job fatalities, behind only transportation incidents, prompting numerous organizations to advocate stronger standards for violence prevention guidelines.