Over the past few years, we have been asked to provide Threat, Risk and Vulnerability Assessments for many clients at locations across the globe. These clients range from academic institutions and mass transit agencies to government facilities and corporate offices.
Our approach to TRVs is based on a particular methodology. Methodologies by definition are applicable to any environment in which you work. And while the approach and methodology for TRV Assessments remain the same, that does not mean a boilerplate process is applied. In fact, using boilerplate to conduct TRV Assessments is likely to generate an assessment that fails to address all of the client’s concerns.
While there are obvious similarities between protected environments – access, threats, issues of egress/ingress, perimeter … there are also key differences which boilerplate cannot address. A security professional is trained to understand threat. But each client functions under a different culture, with unique politics, their own communication systems and the like. And these elements have to be addressed.
A security consultant who starts a TRV with the attitude that they already know everything is not open to learning and studying the client’s environment, and this will likely produce an assessment report full of unattainable goals and impractical recommendations. The consultant first and foremost must be a good student, ready to learn. With each TRV we execute based on our methodology, our approach and process are refined.
Document versus Solution
To our mind, a TRV is not a document. It is a blueprint for a solution. If a TRV is being done only to check off a box, well, that’s easy. But if it is meant to actually be implemented to effect improved security then all influencing factors must be touched on. The security professional conducting the TRV needs to give themselves a crash course to become an expert in the client, as a whole.
The Right Questions
“If I had an hour to solve a problem and my life depended on the solution, I would spend the first 55 minutes determining the proper question to ask, for once I know the proper question, I could solve the problem in less than five minutes.”
Asking a client the right questions, the ones that result in clearly seeing the big security picture, is important.
For example, our independent school clients mostly work by consensus, with various administrators, parents, board members and teachers reaching decisions collectively. Our corporate clients manage things differently; usually a top executive makes final policy and procedure decisions. Corporate employees talk about getting their ‘marching orders’, an expression we never hear in the school sector. The way decisions are made and policies disseminated is an element of any successful security policy.
Along similar lines is the role of stakeholders. Again, physical security assessment is just one part of the TRV. All stakeholders should understand the security threats, vulnerabilities, policies and procedures. They need to understand both the Why and the What of the security system they work within. Buy-in is crucial. How that buy-in is achieved depends on the nature of the business culture.
Don’t Make Assumptions about Assets
Defining the assets to be secured is another element that differs widely from client to client. A consultant doing a TRV is ill advised to assume from the get-go that they know what the important assets are. This might sound odd, but one company may claim that their Brand is the most important asset they have. Another company will say it’s their human resources. And yet another will want to protect their intellectual property, at all costs.
Too often, a lot of resources are invested in areas that are not in fact considered a high priority by the client. This is the fault of a poorly executed TRV or the complete absence of one. The person who called the shots on what to protect was not on the same page as the executives or administrators. Decision makers must be asked the right questions, including what in their view constitutes their assets and their risks.
It’s not unusual for a Head of Security to come from a single background – either physical security, or training, or intelligence or maybe technology. This could cause a security program to be unbalanced, with emphasis placed in areas where they have expertise, not surprisingly. So another role of the TRV is to offer perspective on all security facets, covering all bases in a way that lets the actual threats guide the design of a security system.
With the example of intellectual property, the focus is often on preventing external threats, perhaps via access control measures and technology. Yet it is more often via internal threats that IP gets leaked or hacked, through humans and social engineering. The missing security components are pre-employment and in-employment screening, training, and procedures that promote awareness and vigilance among personnel.
It may seem off subject, but politics plays an important role in the successful implementation of a TRV. An assessment done for a government agency or a large not-for-profit will not work if the political environment is ignored. Whether it’s the role of labor unions, ranks based on seniority and tenure, or just plain old intrigue and interests, politics can be a frustrating obstacle to getting full support for a given security agenda. It has been noted that the currency of government is not money, but credit. The goal is to get credit for the good things that happen and to avoid association with anything potentially controversial. This is just the way it is. Like it or not, security recommendations need to keep this dynamic in mind if the goal is successful implementation.
Matching Cultural Requirements
We conducted a TRV for a company located in a country where the labor cost is low and the politics differs from that of the U.S. in many respects. In one location, the client really only needed two security officers versus the four assigned to that post. A reduction in manpower would have been the logical recommendation. But knowing the client’s socio-economic environment, where firing employees could disrupt and foment discord, that move would have caused more problems than it solved. Instead, we suggested creative ways to make better use of all security personnel.
In South America, use of the polygraph is an accepted way to vet employees and is quite common. In the U.S., polygraphs are used infrequently and in certain cases are a bit … awkward. And in the Netherlands, polygraphs are flat-out illegal.
Be a Chameleon
At the end of the day, the TRV is a critical tool for decision makers to make informed decisions about security. The TRV that is done for them should be meaningful and fully reflect all facets of their business. Achieving that requires that the security professional be, wait for it … a bit of a Chameleon. Learning how to adapt and transform in response to a given environment is something we at Chameleon Associates know a lot about. It is the impetus for our newest seminar. In Threat, Risk and Vulnerability Assessments we share real issues we have encountered, lessons learned, tools and tricks of the trade. Students learn interactively via table top exercises and abundant case scenarios. Spend two days with us this February in Los Angeles and go home equipped with the tools for conducting TRV Assessments.