Delivering Stronger Business Security and Resilience in a Weak Financial Climate
Chris Tomlinson
Arup Resilience, Security & Risk
My Agenda
• The threat spectrum
• The Risk-led Approach and the realities of Security Risk Appetite
• The boardroom view
• Client Needs Detected
• Design-based Solutions
• Operational-based Solutions
• Standards in Commercial Preparedness
• Key Takeaways.
The Spectrum of Threat
Terrorism/Extremism
• Person-borne explosive attack
• Vehicle-borne explosive attack
• CBR attack
• Weapon attack
  • Hand-carried
  • Vehicle-borne
• Violent protest – not necessarily unlawful
  • Static
  • Encroachment
  • Penetrative
Crime & Antisocial Activity
• Violence Against the Person
• Acquisitive (theft/burglary etc)
  • Personal
  • Business – Insider Threat
  • Penetrative
    • Simplistic
    • Mechanistic
• Criminal Damage
• Anti-social behaviour
• Vagrancy & Trespass
The Risk Calculus
Threat → Likelihood → Impact → Risk
• Threat – adversary capability (history), intent and access to their targets; do not forget the insider adversary
• Likelihood – the tough calculation; absolutes are difficult to come by, so relative likelihoods may be all that can be managed
• Impact – this is the straightforward part: all about asset and process vulnerability, and the costs of denial/loss.
The Resulting Conundrum
[Chart: likelihood (more likely to less likely) plotted against impact (minor to serious) and cost, placing Terrorism, Nuisance, Theft/Insider Threat/Burglary, Workplace Intimidation/Violence, Arson, Criminal damage and Civil Disorder.]
There will be Risk Appetite
• Risk appetite, at the organisational level, is the amount of risk exposure, or potential adverse impact from an event, that the organisation is willing to accept/retain. (Mark Carey – Deloitte & Touche LLP)
• An economically-conditioned balance between maintaining profitability, while not facing reputational exposure through culpable risk-mitigation failure. (Me)
Risk Appetite Illustrated in Counter Terrorism: Levels of Resilience to the Effects of Blast
• Life Safety
• Life Safety + Evacuation
• Economic Reinstatement
• Operational Continuity
All of which is a little counterintuitive, given that organisations normally say that they want to be operationally viable after a catastrophic event.
Questions that might guide Risk Appetite
• Identify headline risk impacts on life safety, economic reinstatement or reputation
• What adjacencies might increase or decrease risks?
• What are the acceptable norms for protecting the business – are there standards we can use as a benchmark?
• What risks can be treated, transferred, terminated, and what is left to tolerate – the latter lies at the core of risk appetite?
• Is there an Enterprise Risk Management process that includes protective security?
• Who reviews risk and how often?
Boardroom Views on Security
• Struggles to show real benefit, beyond the simplistic (e.g. effects on stock shrinkage) – ROI badly researched
• Often ugly and oppressive, with a default setting of heavy-duty rather than subtle technologies
• Adds operational friction – it slows people and stuff down
• Laced full of confusing standards, and often does not offer advice on sub-optimal ‘fixes’ – always the Rolls Royce, never the Honda Civic
• Never linked to sustainability targets – e.g. ‘Carbon Cost of Crime’.
Preparedness in the Private Sector
• A survey of 263 senior executives from various companies examined how they approach resilience and security
• Five key areas were examined: physical security, IT security, business continuity, crisis management, and pandemic planning
• Approximately 50% said IT security, business continuity, and crisis management at their company were "completely" or "very coordinated" with enterprise risk management, while only 43% said the same about physical security
• 21% of companies surveyed had a co-ordinator that oversees all five preparedness areas.
• The key concerns were: risk versus opportunity, due diligence and duty of care (compliance and reputation protection)
Our Clients Want
• Easy-to-understand risk analysis and deductions
• Just enough – with an audit trail for what was agreed on and why
• Scalability – things change and systems need to adapt
• Early intervention – security as an afterthought is ugly and expensive
• A balance between security technology and operations – Capex versus Opex
• Value-added in security solutions
• To be convinced of a return on investment – not just financial
• Functional and management convergence – traditional stovepipes are challenged.
Design-Based Solutions
• The trend is towards Internet Protocol solutions, but buyer beware!
• Convergence onto unified ICT networks, but….
• Convergence of building management systems – intelligent buildings
• Smarter devices deployed – on-board processing
• Adaptable plug and play (e.g. PoE)
• Biometrics and reliable recognition
• Stand-off detection and automated tracking
• Physical Security Information Management (PSIM).
Operations-based Solutions
• Unified command and control – moving security to business areas that are the ERM focus
• Human Capital Risk – managing the insider threat
• Boardroom education to value adds
• ‘Red-teaming’ – thinking adversary
• Professionally develop your capable guardians
• Test and validate plans
• Sharing best-practice – co-ordinate resilience planning with other stakeholders (e.g. telecoms and lifeline utilities, local blue light responders etc).
• Professional organisation memberships – e.g. CSARN.
Standards, Best-practice and References
• BS 25999-1:2006 & BS 25999-2:2007 – Business continuity management code of practice
• ASIS International SPC.1-2009 – Organizational Resilience: Security, Preparedness, and Continuity Management Systems – Requirements with Guidance for Use, and other references
• US National Fire Protection Association 1600 – Standard on Disaster/Emergency Management and Business Continuity Programs
• The Conference Board report – ‘Preparedness in the Private Sector – 2011’
• Organisation specific, e.g. BCO.
Key Takeaways
• You cannot mitigate everything, so figure out what you can handle as risk appetite – easier said than done
• Doing nothing is not an option, but mitigation sufficiency is linked to risk appetite
• Get a risk assessment done, and one that offers deductions for best protective fit against form, function and budget
• Scalability – things change (think about review programmes)
• Have an audit trail for what was agreed on and why
• Do it early, because security as an afterthought is ugly and expensive (and think sustainability)
• Think about balances between security technology and operations – ROI is important.