
Page 1: Delivering stronger business security and resilience

Delivering Stronger Business Security and Resilience in a Weak Financial Climate

Chris Tomlinson

Arup Resilience, Security & Risk

Page 2: Delivering stronger business security and resilience

My Agenda

• The threat spectrum

• The Risk-led Approach and the realities of Security Risk Appetite

• The boardroom view

• Client Needs Detected

• Design-based Solutions

• Operational-based Solutions

• Standards in Commercial Preparedness

• Key Takeaways.

Page 3: Delivering stronger business security and resilience

The Spectrum of Threat

Terrorism/Extremism

• Person-borne explosive attack

• Vehicle-borne explosive attack

• CBR attack

• Static

• Encroachment

• Penetrative

Crime & Antisocial Activity

• Violence Against the Person

• Acquisitive (theft / burglary etc)

  • Personal

  • Business – Insider Threat

  • Penetrative – simplistic or mechanistic

• Criminal Damage

• Anti-social behaviour

  • Vagrancy & Trespass

  • Violent protest – not necessarily unlawful

• Weapon attack

  • Hand-carried

  • Vehicle-borne

Page 4: Delivering stronger business security and resilience

The Risk Calculus

Threat → Likelihood → Impact → Risk

• Threat – adversary capability (history), intent and access to their targets; do not forget the insider adversary

• Likelihood – the tough calculation; absolutes are difficult to come by, so relative likelihoods may be all that can be managed

• Impact – the straightforward part: asset and process vulnerability, and the costs of denial/loss.

Page 5: Delivering stronger business security and resilience

The Resulting Conundrum

[Chart: likelihood (More Likely / Less Likely) plotted against impact (Minor Impact / Serious Impact), with a Costs axis. Threats plotted: Nuisance, Terrorism, Theft / Insider Threat / Burglary, Workplace Intimidation / Violence, Arson, Criminal damage, Civil Disorder.]

Page 6: Delivering stronger business security and resilience

There will be Risk Appetite

Threat → Likelihood → Impact → Risk

• Risk appetite, at the organisational level, is the amount of risk exposure, or potential adverse impact from an event, that the organisation is willing to accept/retain. (Mark Carey - Deloitte & Touche LLP)

• An economically-conditioned balance between maintaining profitability, while not facing reputational exposure through culpable risk-mitigation failure. (Me)

Page 7: Delivering stronger business security and resilience

Risk Appetite Illustrated in Counter Terrorism: Levels of Resilience to the Effects of Blast

• Life Safety

• Life Safety + Evacuation

• Economic Reinstatement

• Operational Continuity

All of which is a little counterintuitive, given that organisations normally say that they want to be operationally viable after a catastrophic event.

Page 8: Delivering stronger business security and resilience

Questions that might guide Risk Appetite

• Identify headline risk impacts on life safety, economic reinstatement or reputation

• What adjacencies might increase or decrease risks?

• What are the acceptable norms for protecting the business – are there standards we can use as a benchmark?

• What risks can be treated, transferred or terminated, and what is left to tolerate? The latter lies at the core of risk appetite.

• Is there an Enterprise Risk Management process that includes protective security?

• Who reviews risk and how often?
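The calculus on slides 4 to 8 (threat from capability, intent and access; relative rather than absolute likelihood; impact; an appetite ceiling with treat/transfer/terminate/tolerate decisions and an audit trail) can be written down as a small risk register. The block below is an added example and is not code from the Arup deck or its author. The 1-5 ordinal scales, the product scoring, the appetite ceiling of 8, the life-safety floor and every register entry are assumptions chosen to show the mechanics; a real assessment would calibrate them with the client.

```python
"""Risk register mirroring the deck's risk calculus.

Added illustration, not code from the Arup presentation. The 1-5 ordinal
scales, the product scoring, the appetite ceiling, the life-safety floor
and every register entry below are assumptions chosen to show the mechanics.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: the organisation retains, untreated, any risk whose
# likelihood-band x impact product is at or below this ceiling (max 25).
APPETITE_CEILING = 8
# Assumption: impact 5 means loss of life. Slide 7 treats life safety as the
# floor below which no resilience level may fall, so a likelihood x impact
# product alone must never let such an entry be tolerated.
LIFE_SAFETY_IMPACT = 5
TREATMENTS = {"treat", "transfer", "terminate", "tolerate"}


@dataclass(frozen=True)
class Risk:
    name: str
    capability: int  # adversary capability and track record, 1-5
    intent: int      # adversary intent, 1-5
    access: int      # adversary access to the target (insiders score high), 1-5
    impact: int      # cost of denial/loss of the asset or process, 1-5


def threat_score(r: Risk) -> int:
    """Threat = capability x intent x access, 1..125."""
    return r.capability * r.intent * r.access


def relative_likelihood(risks: List[Risk]) -> Dict[str, int]:
    """Rank the threats against each other and spread the ranks over bands 1-5.

    No absolute probabilities are claimed: a band only says 'more likely than'
    or 'less likely than' the other register entries, which is often all that
    can be managed. Equal threat scores keep their input order.
    """
    ordered = sorted(risks, key=threat_score)  # least threatening first
    span = max(len(ordered) - 1, 1)
    return {r.name: 1 + (pos * 4) // span for pos, r in enumerate(ordered)}


def assess(risks: List[Risk], appetite: int = APPETITE_CEILING) -> List[dict]:
    """Score every entry and flag whether it sits within appetite.

    Rows come back highest risk first, ready for the board view.
    """
    bands = relative_likelihood(risks)
    rows = []
    for r in risks:
        likelihood = bands[r.name]
        score = likelihood * r.impact
        within = score <= appetite and r.impact < LIFE_SAFETY_IMPACT
        rows.append({"name": r.name, "threat": threat_score(r),
                     "likelihood": likelihood, "impact": r.impact,
                     "risk": score, "within_appetite": within})
    return sorted(rows, key=lambda row: (-row["risk"], row["name"]))


def record_decision(row: dict, treatment: str, rationale: str, signed_off_by: str) -> dict:
    """Audit-trail entry: what was agreed on, why, and by whom.

    'tolerate' is accepted only for rows within appetite; everything else must
    be treated, transferred or terminated, so a low-likelihood but catastrophic
    entry cannot quietly be waved through on its score alone.
    """
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    if treatment == "tolerate" and not row["within_appetite"]:
        raise ValueError(f"{row['name']} scores {row['risk']} and is above "
                         "appetite: it cannot be tolerated")
    if not rationale.strip():
        raise ValueError("a decision without a rationale has no audit trail")
    return {**row, "treatment": treatment, "rationale": rationale,
            "signed_off_by": signed_off_by}


# Constructed sample register using threat types named on the slides;
# the scores are invented for illustration only.
SAMPLE_REGISTER = [
    Risk("Vehicle-borne explosive attack", capability=3, intent=2, access=2, impact=5),
    Risk("Insider theft", capability=4, intent=4, access=5, impact=3),
    Risk("Workplace violence", capability=3, intent=3, access=4, impact=4),
    Risk("Criminal damage", capability=3, intent=4, access=4, impact=2),
    Risk("Civil disorder", capability=2, intent=3, access=3, impact=3),
    Risk("Anti-social behaviour", capability=5, intent=5, access=5, impact=1),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        flag = "within appetite" if row["within_appetite"] else "ABOVE appetite"
        print(f"{row['name']:<32} T={row['threat']:>3} L={row['likelihood']} "
              f"I={row['impact']} R={row['risk']:>2}  {flag}")
```

Run stand-alone it prints the ranked register. Two rows show the conundrum of slide 5: the vehicle-borne attack scores only 5 because its relative likelihood is the lowest on the register, and without the life-safety floor a plain product would let it be tolerated; workplace violence lands exactly on the ceiling, which is the kind of boundary case that deserves a recorded, signed-off decision rather than a silent default.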

Page 9: Delivering stronger business security and resilience

Boardroom Views on Security

• Struggles to show real benefit beyond the simplistic, e.g. effects on stock shrinkage – ROI badly researched

• Often ugly and oppressive, with a default setting of heavy-duty rather than subtle technologies

• Adds operational friction – it slows people and stuff down

• Laced full of confusing standards that often do not offer advice on sub-optimal ‘fixes’ – always the Rolls Royce, never the Honda Civic

• Never linked to sustainability targets – e.g. ‘Carbon Cost of Crime’.

Page 10: Delivering stronger business security and resilience

Preparedness in the Private Sector

• A survey of 263 senior executives from various companies examined how they approach resilience and security

• Five key areas were examined: physical security, IT security, business continuity, crisis management, and pandemic planning

• Approximately 50% said IT security, business continuity, and crisis management at their company were "completely" or "very coordinated" with enterprise risk management, while only 43% said the same about physical security

• 21% of companies surveyed had a co-ordinator that oversees all five preparedness areas.

• The key concerns were: risk versus opportunity, due diligence and duty of care (compliance and reputation protection)

Page 11: Delivering stronger business security and resilience

Our Clients Want

• Easy-to-understand risk analysis and deductions

• Just enough – with an audit trail for what was agreed on and why

• Scalability – things change and systems need to adapt

• Early intervention – security as an afterthought is ugly and expensive

• A balance between security technology and operations – Capex versus Opex

• Value-added in security solutions

• To be convinced of a return on investment – not just financial

• Functional and management convergence – traditional stovepipes are challenged.

Page 12: Delivering stronger business security and resilience

Design-Based Solutions

• The trend is towards Internet Protocol solutions, but buyer beware!

• Convergence onto unified ICT networks, but….

• Convergence of building management systems – intelligent buildings

• Smarter devices deployed – on-board processing

• Adaptable plug and play (e.g. PoE)

• Biometrics and reliable recognition

• Stand-off detection and automated tracking

• Physical Security Information Management (PSIM).

Page 13: Delivering stronger business security and resilience

Operations-based Solutions

• Unified command and control – moving security to business areas that are the ERM focus

• Human Capital Risk – managing the insider threat

• Boardroom education to value adds

• ‘Red-teaming’ – thinking adversary

• Professionally develop your capable guardians

• Test and validate plans

• Sharing best-practice – co-ordinate resilience planning with other stakeholders (e.g. telecoms and lifeline utilities, local blue light responders etc).

• Professional organisation memberships – e.g. CSARN.

Page 14: Delivering stronger business security and resilience

Standards, Best-practice and References

• BS 25999-1:2006 & BS 25999-2:2007 – business continuity management code of practice

• ASIS International SPC.1-2009 – Organizational Resilience: Security, Preparedness, and Continuity Management Systems – Requirements with Guidance for Use, and other references

• US National Fire Protection Association 1600 – Standard on Disaster/Emergency Management and Business Continuity Programs

• The Conference Board report – ‘Preparedness in the Private Sector – 2011’

• Organisation specific, e.g. BCO.

Page 15: Delivering stronger business security and resilience

Key Takeaways

• You cannot mitigate everything, so figure out what you can handle as risk appetite – easier said than done

• Doing nothing is not an option, but mitigation sufficiency is linked to risk appetite

• Get a risk assessment done, and one that offers deductions for the best protective fit against form, function and budget

• Scalability – things change (think about review programmes)

• Have an audit trail for what was agreed on and why

• Do it early, because security as an afterthought is ugly and expensive (and think sustainability)

• Think about balances between security technology and operations – ROI is important.

Page 16: Delivering stronger business security and resilience

Questions

[email protected]

www.arup.com