The security vendor’s guide to threat and risk

Oct. 16, 2023
Intelligence technologies and unified security management platforms will help customers stay ahead of rapidly evolving geopolitical and extremist threats

This week, the security industry's top executives will descend on the InterContinental New York Times Square for the annual Securing New Ground conference. A key question will be how security integrators, manufacturers, and service providers can deliver the most value to customers. The answer is simple:

1.   Understand specific, real-world security threats and risks facing your customers.

2.    Understand your customers’ business and the impact of security risks on their organizations.

3.    Work in partnership with your customers as a well-informed advisor to identify optimal solutions to mitigate their security risks.

Using this model, you will find your way to growing revenue and increased customer satisfaction.

Today's corporate security leaders are overwhelmed with a wide range of complex threats and risks to their organizations. These include street crime, theft, organized retail crime, robbery, extremism and political violence, cyber-physical attacks, insider threats, workplace violence, geopolitical risks, pandemics and other biological threats, and natural disasters.

As security executives grapple with these issues, trying to make the most cost-effective decisions to protect their organization's people, property, and information from an endless list of malicious actors, they are regularly pitched by security integrators and other vendors on the latest security technologies.

Sometimes these technologies address a real pain point; sometimes they do not. It is easy for security buyers to see when vendors have put in the time and effort to understand their business and the risks they face. Conversely, they can quickly spot salespeople who are trying to hit their quota of "boxes" sold that month with little care for the customer's true requirements.

Frustration among security leaders with ham-handed approaches from security vendors is well documented. One quote from an oil and gas security practitioner in an SIA focus group captures it well: "One of the things that we require of our integrator is that they understand our business. We do not want them just bringing us stuff because it’s a new technology. We want them to understand where our risks are and where our concerns are, and if something comes up that would enhance our ability to manage that, then we are very happy to hear that.”

When asked what they want from vendors, security buyers consistently provide the same answer: understand the risks to our business and present tailored solutions. Security leaders are often short-staffed and under-resourced, and they want a vendor who can be a trusted advisor on security issues - not just a technology or guard provider.

Three Key Steps for Security Vendors to Grow Market Share

This clear demand signal from customers creates an opportunity for the astute security vendor. A deeper understanding of threats and risks facing customers, along with timely recommendations for how to mitigate those risks, paves the way to deeper customer relationships and increased sales. Security vendors should integrate the following three key steps into their workflow to optimize their product, service, and business development processes:

1.    Assess threats and risks to customers and prospects: Integrators and other vendors should conduct research and analysis (or hire a consultant who will do it for them) to develop a current and emerging threat outlook tailored to target industries and clients. This analysis can be based on open-source intelligence or proprietary tools, and can also be informed by engagements with current, past, and prospective customers on the threats they find most concerning. The analysis should be sufficiently deep that the vendor becomes familiar with the potential impacts on their customers' people, property, and information.

2.    Apply industry best practices to these challenges: Once the vendor understands the top threats and risks facing the customer, they can identify the industry best practices most relevant to mitigating those risks. Leveraging standards and guidelines from the U.S. government and industry associations like ASIS, vendors can provide bullet-proof recommendations to customers. There are excellent standards and guidelines on enterprise security risk management, physical asset protection, cyber-physical convergence, and insider threat mitigation, among others, which should be referenced during vendors’ sales calls.

3.    Recommend an ideal technology or services mix: Only after these two antecedent steps should the vendor make a recommendation on security technologies and services. Based on the assessment and best practices, the vendor can collaborate with customers and prospects to identify the most effective technology solutions for their unique security needs. Explicitly aligning these security technologies to specific threats, risks, and best practices will have a two-pronged effect: increase the chance of a sale and provide real, trusted value to the client.

Addressing Today's Greatest Threats

While this process should be tailored for each customer and prospect, there are a few top threats and risks we have found to be on the minds of most security leaders. Below, we provide examples of how the methodology outlined above might be applied to each to provide enhanced value to customers.

Rising Crime

Increasing rates of crime are a significant threat for businesses across all sectors. Whether it is petty theft, robbery, burglary, or organized retail crime, companies are faced with a host of potential criminal activities that can severely impact their operations.

The ASIS Physical Asset Protection Standard encourages organizations to take a holistic view and systems approach to protecting physical assets from these types of crimes. Based on a careful assessment of the risks, organizations should develop a physical protection system (PPS) that provides protection in depth, minimum consequence of component failure, and balanced protection. The standard also outlines the categories of security technologies that should be included in a PPS.

When considering an ideal security technology mix to counter rising crime based on industry best practices, vendors should focus on the latest access control technologies, video surveillance with built-in video analytics, the application of robots and drones to augment or supplant the security force, and more targeted technologies such as dye packs and asset tracking technology, which can increasingly be applied to a wide range of theft and burglary.

Insider Threats

Insider threats refer to security risks that come from within the organization - employees, former employees, contractors, or business associates who have inside information regarding the company's security practices and data.

The Cybersecurity and Infrastructure Security Agency's (CISA) Insider Threat Mitigation Guide calls on organizations to build comprehensive insider threat programs. These programs should be tailored to the organization's mission and culture and employ multi-disciplinary capabilities, among other criteria.

Insider threat programs are bigger than technology, but they do rely on effective and integrated technologies and software for success. Those technologies include cyber tools, such as user behavior analytics, user activity monitoring, and data loss prevention. They also should integrate key physical security technologies, such as logged badge readers, facial recognition and other biometrics, and access control technology that can prevent or log illicit egress from sensitive facilities.

Cyber-Physical Attacks

Cyber-physical attacks aim to disrupt or damage the functioning of physical infrastructure through cyber means. This could involve hacking into critical infrastructure or smart building technologies, such as power grids or HVAC systems, with the intent of causing real-world harm.

Vendors should be familiar with CISA's Cybersecurity and Physical Security Convergence Action Guide and NIST's Guide to Operational Technology Security. These nascent guidelines encourage organizations to adopt converged security functions that integrate cybersecurity, physical security, information sharing, access and facilities, insider threat, and workplace violence. This is critical to ensuring that operational technologies, including those used as part of an electronic security system, cannot be hacked by malicious actors.

As vendors go to market, they must be aware of growing concerns about cyber-physical attacks among their buyers and should be ready to demonstrate how the technologies they are selling are cyber-secure. This will not only help them gain the trust of their customers but also differentiate them from competitors who may not have the same level of understanding about cyber-physical security. Additionally, vendors should be prepared to advise their customers on potential vulnerabilities in their systems and offer solutions for improved cybersecurity.

Geopolitics and Extremism

With the rise of great power competition between the United States and China, outbreak of war in Europe and the Middle East, and an increasingly heterogenous violent extremist environment, many organizations find themselves in the crosshairs of politically motivated bad actors - whether that is a foreign government, a non-state group, or a lone wolf terrorist. These threat actors often target critical infrastructure and soft targets to cause maximum damage and disruption.

While industry best practices on how private sector organizations can address these sophisticated threats are limited, we advise clients that intelligence capabilities and broader geopolitical and national security awareness are crucial. Vendors selling into critical infrastructure and soft target environments should be familiar with the latest U.S. government strategies and threat assessments, such as the recently released 2024 Homeland Threat Assessment, so they can be conversant on how these types of risks may impact their customers.

Intelligence technologies and unified security management platforms will help customers stay ahead of rapidly evolving geopolitical and extremist threats. From real-time critical event alerting to supply chain risk analysis, many of the most important technologies in this space are software-based. However, as specific threats arise, specific technologies should also be offered, such as using gunshot detection and ballistic barriers to mitigate extremist small arms attacks on electric substations.

Threats and risks, industry best practices, and security technologies evolve on a day-to-day basis. Therefore, security integrators, manufacturers, and service providers must keep current on all these issues to maximize the value they provide to their customers and keep ahead of competitors. This is the path to providing trusted advice and ensuring repeat sales while others in the market just sell boxes.

About the authors:Mark Freedman is the CEO & Founder of Rebel Global Security, a consultancy that helps security executives build strategies that account for geopolitics, nation-state attacks, espionage, terrorism, and other global threats. Mark has provided advice to Fortune 500 and multinational companies and worked with virtually every national security agency, including the DOD, FBI, and Intel Community. For almost a decade, Mark was a strategic planner for the State Department where he served as Chief of Staff to the Ambassador-at-Large for Counterterrorism. Mark has also worked in Big 4 strategy consulting helping client organizations build security programs. Mark is a Certified Protection Professional (CPP), Certified Information Security Manager (CISM), and a member of the ASIS Steering Committee on Enterprise Security Risk Management.
Rick Mercuri is Senior Advisor for Corporate Security at Rebel Global Security. Rick has served as senior security executive at two of the largest U.S. banks. For four decades in corporate security, Rick has demonstrated strong leadership and strategic decision-making for global and domestic organizations. Rick is a trusted advisor to C-level executives and a thought leader with expertise in mitigating complex physical security risks and developing threat intelligence capabilities. Rick is a Certified Protection Professional (CPP).