Today’s pace of business is many times that of business two decades ago. Yet most organizations do not update their corporate security risk picture with any greater frequency than they did back then. That is because most organizations do not have a risk-based security program. Many have an incident-based or budget-based program, especially when it comes to deploying physical security technology.
This assertion is borne out by the ASIS/SIA Risk Assessment Survey, conducted within the last year by ASIS International and the Security Industry Association (SIA) and available for download as described in the sidebar titled “Risk Assessment Survey” on page 62. Here is the study’s primary focus:
How and to what extent are risk assessments actually performed, and how do they affect spending decisions?
Some of the most significant findings are:
• The majority of respondents perform risk assessments at least every two years, but about one-third do not conduct risk assessments often or regularly.
• Although security practitioners generally favor prevention, three out of four respondents state that loss events — not risk assessments — are the most popular trigger that leads to security upgrades.
• One-third of security practitioners who perform risk assessments believe their assessments are futile and could not be the basis of a security upgrade.
• Between one-third and one-half of respondents do not install security equipment or make other security upgrades in response to a risk assessment.
• About one-third of respondents fail to conduct cost-benefit analyses when evaluating options to mitigate risk.
• A thoroughly completed risk assessment would likely minimize the top three barriers to the purchase of security systems, which are:
    • budget limits (a barrier for four out of five respondents);
    • management directives (a barrier for nearly half); and
    • ROI not justified (a barrier for three out of 10).
• Less than half of respondents measure the effectiveness of security systems after installation.
Where does your own security program fall with regard to these findings?
The ASIS/SIA survey addresses facility security assessment. What about cyber security? Organizations use electronic information systems and the Internet to accomplish real-time tracking of supply chains, manage inventory, manage business processes, generate online commerce, facilitate working from home and more. That is why the financial consequences of a cyber security incident can be substantial.
“The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask” is a newly released guide from the American National Standards Institute (ANSI) and the Internet Security Alliance (ISA). “An organization that is unprepared to avert or manage a data breach can suffer severe financial losses and irreparable damage to its reputation and customer base,” the guide says. “Conversely, when an organization is prepared and responds skillfully to a cyber threat, the crisis can go down in history as an event that cements customer loyalty and a positive brand image.”
The occurrence of a cyber security event can hugely impact business operations teams and generate new and immediate demands on physical and corporate security. As news accounts have shown recently, the effects of data breaches are clearly not limited to the IT department.
Current Economic Crisis
One reason to pay more attention to risk factors now is that national and global economic conditions are changing the financial and operational risk pictures significantly for many organizations. Many companies are reacting without considering the security consequences. For example, company layoffs significantly increase the risk of proprietary information loss from insiders, as well as the workplace violence risk. An announcement of possible action — or even rumors of it — can drastically change the risk picture. It is vital that appropriate security measures are already in place or are put in place before taking actions or announcing them.