How to build an effective PSIM program from the ground up

Security executives need to know what should be protected and why to leverage the true power of PSIM


One of the common misconceptions about PSIM (physical security information management) is that it focuses exclusively on integration and incident management. In reality, effective PSIM programs are built on a solid foundation that starts with understanding which assets need to be protected. Once you know what needs protecting and why, you can bring the power of PSIM to address the how.

Start by asking the question: what are the "crown jewels" which, if lost, stolen, damaged, or diminished would most negatively impact my company’s brand, operations or bottom line? Then ask: what are the biggest threats to these assets?” Only by answering these questions will you begin to be able to understand the critical role that preparation plays in informing effective incident response.

On Thursday, Sept. 26 at 11:00 a.m., I’ll be moderating an ASIS educational session on "The Building Blocks of PSIM." Joining me for this panel will be; former FBI Assistant Director Chris Swecker, a former Bank of America CSO who now serves as the CEO his own risk management consulting firm Chris Swecker Enterprises; Brian Stephens, senior vice president of corporate security at Bank of America; and, Jeff Spivey, international vice president of ISACA, president of Security Risk Management, Inc., vice president of RiskIQ, and past president and chairman of the board for ASIS International.

At the end of this session participants will understand:

• How to identify their "crown jewels" and how to link these critical assets to specific vulnerabilities using threat analysis.

• The critical role that this preparation plays in informing effective incident response and the role of technology (PSIM).

• How to apply these building blocks to create crisis response plans to mitigate risk that could otherwise negatively impact their company’s reputation, operations and bottom line.

The panel will be delivering four different aspects of the building blocks of PSIM. First, I will present an overview of PSIM and its three distinct elements; situational awareness (knowing what is going on around you, often aided by integrating subsystems), situation management (doing things faster and more efficiently, effectively, consistently and compliantly) and situation reconstruction (reporting/re-enactment to re-live the incident and learn from it, train others and/or demonstrate compliance).

With that as a foundation, Swecker will take a deep dive into tools for identifying the crown jewels which can be protected through PSIM. Your organization’s crown jewels can run the gambit from physical facilities to intangible assets such as your company’s reputation, brand and intellectual property. He will also examine the concept of “threat Intelligence” and the utilization of subject matter experts to help identify the specific vectors.

Next, Spivey will examine some of the successful methodologies for addressing enterprise risk management (ERM) through the convergence of security and IT. Lastly, Stephens will offer best practice guidelines for large multi-site organizations. Although PSIM is also used for single, large campuses, some of its power only becomes evident when managing multiple locations. He will compare and contrast reactive and proactive organizational structures, with a focus on how to be predictive and preventative.