So, You Want a Security Survey

In our security consulting practice we are often asked to conduct security surveys. We are also asked to do security audits. Some clients ask for vulnerability assessments. Others ask for risk analyses. Some of these clients do not realize they are...
Risk Management Strategies
Most clients end up requesting a blend of the services described above. The result is usually a prioritized list of concerns. Once you understand your risks, what can be done about them? There are several risk management strategies: avoidance, transfer, abatement, spreading and assumption.

Avoidance means simply removing the target. Sometimes this is a reasonable approach, such as stocking only the absolute minimum of high-risk inventory items, or having items drop-shipped from the manufacturer directly to the end user. Sometimes, such as when a firm decides not to do business in a certain neighborhood, it can constitute inappropriate, and even illegal, "red lining," which threatens to deny constituencies needed services.

Transfer is a term that in this context means insurance. We find, through insurance firms or brokers, institutions willing to bet we will not suffer a loss. In exchange for being the beneficiary of this bet, we pay an annual fee, our insurance premium. Most organizations use insurance to mitigate risk. Most insurance companies or brokers insist their clients reduce the risk of loss through abatement.

Abatement, also called loss prevention or mitigation, is where most security professionals ply their trade. Risk is reduced through the thoughtful, timely and cost-effective application of security architecture, systems, personnel, programs and employee involvement. Once you have determined your risks, you may decide to develop or enhance your security policy and procedures.

New programs may need to be developed to protect new initiatives. Crime prevention through environmental design (CPTED) uses the built environment to enhance security for the intended users of a space while increasing feelings of insecurity on the part of unwanted visitors. The integrated implementation of security systems has a role to play in many properties. At some sites, security personnel carry out security policy, procedures and programs. The final and most important test of all security precautions is the degree to which employees are aware of and support the program.

Spreading means distributing your assets to multiple locations where they cannot all be attacked at once. This does not work for all businesses, but is an option for some.

Assumption is also called self-insurance. Risk is dynamic. There is a trade-off between the risk of failure and the rewards of success. At some point, most businesses agree that risk has been reduced sufficiently and that the remainder is accepted by the enterprise as the cost of doing business. Business executives are frequently more comfortable with this concept than are most security professionals.

You Get What You Pay For
You will certainly pay for your security consultation one way or another. Some security guarding providers or security system integrators offer "free" consultation, but rest assured their time is paid for from their overhead. There are some very good people working for these firms, but be careful about asking a guard company whether you need guards, or asking a systems installer how many security cameras you need. A brand- and vendor-independent consultant has no product to sell, other than professional advice. Independent consultants sink or swim based upon the value of the information they provide and the quality of the projects they manage.

Choosing Your Consultant
What experience does your consultant have? A career in law enforcement may, or may not, translate into the ability to provide effective security consultation. Who are your prospective consultant's references? What are your consultant's qualifications, certifications, and credentials?

If fraud is the primary threat to your enterprise, a certified fraud examiner credentialed by the Association of Certified Fraud Examiners (www.cfenet.com) may be right for you. If the security of your information systems is at the top of your list, there are professionals who have attained the Certified Information Systems Security Professional (CISSP) certification, a credential granted by the International Information System Security Certifications Consortium (www.isc2.org), also known as (ISC)2. If you need a security generalist, a Certified Protection Professional (CPP), board certified in security management by ASIS International (www.asisonline.org), may be what you are looking for. ASIS International recently added two new certifications. The Professional Certified Investigator credential is for experienced investigators. The Physical Security Professional is a certification for physical security professionals.