Benchmarking Security Assessments
Ask three people: is the security here good? and you’ll get four different answers. Our notions about security tend to be qualitative. Sure, if a security system was recently breached that might skew the answer but even then, not necessarily.
This is why when a security consultant embarks on a security assessment, the first step has to be to benchmark. This ensures that everyone is on the same page when gauging the effectiveness of security.
What’s more, this ensures that the assessment will be based on objective criteria and not on a sense or on feelings. Having a benchmark also guarantees that the results of the TRV described in a final report are understood in the client’s context and are not some exaggeration or minimization based on the consultant’s personal view.
So, “benchmark” in this case refers to a standard that is set by leadership that takes into account the abilities and motivations of potential adversaries vis-a-vis a given protected environment. When we conduct a TRV, our first stop is a board of directors or CEO level executive who, using gathered intelligence and knowledge of the assets, makes the decision about the level of risk the company or agency is willing to endure.
If the leadership of an organization determines that they are dealing with threat from state sponsored terrorist organizations, the bar is set very high. Yet another client might acknowledge that very sophisticated adversaries could attack their assets but choose not to secure against this threat because that would be the responsibility of the government to do so. A bio-med client needs to decide if they are protecting against espionage from say, China, or from a domestic commercial competitor. The question is simply what scenario are you seeking to prevent?
A lone local criminal has very different capabilities than that of a foreign intelligence agency, and different motivations. A foreign intelligence agency has tremendous resources: lots of money, technology of the highest order both physical and digital, they have access to weapons and other materials, can operate over a long period of time and use diplomatic cover. The effectiveness of a system is measured against the motivations and ability of the adversary it wants to counter. As a security consultant, that’s the point of departure and, consultants have to be equally capable to work at any ‘benchmark’ or standard.
Come January, many of us will be making a New Year's resolution to lose weight. To be successful, we’ll set a goal for an optimal weight. Our optimum should be based on attainable health criteria and not the professional athlete or body builder next to us at the gym. It should reflect the amount of effort we are willing and able to allocate (personal trainer, two hours of daily cardio, forget about carbs or … we’ll get in a walk at lunch time and cut back on fast food). We’ll consider the risks associated with not reaching our target weight (according to our doctor - diabetes, osteoarthritis, sleep apnea) and decide which level of health risk we are comfortable with. It's a similar kind of benchmarking that takes into account risk, reward and effort. In either case, the benchmark helps secure success of the security program or, the health goal we embark on.
Sometimes the security standards set by clients we encounter are based on what they see their peers doing, a kind of keeping up with the Jones next door approach. Let’s use badges! (why?) Let’s get an armed security officer! (why?) One client was concerned about a potential military style attack on their location which would include enemy snipers positioned atop nearby hills. We encourage clients to make risk assessments and to set benchmarks that closely fit a reasonable, potential threat based on the best intel available. Whatever benchmark is chosen, the client needs to be able to allot the resources – financial, personnel, infrastructure, etc., to develop and sustain a security system that fits that bill.
The qualitative question, how good is our security system, can only be answered after determining what ‘good security’ is. And that determination can only be achieved when we clearly define the adversary or adversaries we seek to counter and their operational capabilities to plan and execute an attack against our security system.
Since our inception in 1992, Chameleon was tasked to perform hundreds of Threat Risk and Vulnerability Assessments (TRVAs) to clients from varied industries. In recent years, some clients have asked us to teach them our TRVA methodology so they can implement it internally and throughout their organization. To this end, we now offer a course on Threat, Risk and Vulnerability Assessment that is has been successfully delivered to several clients around the world. If your organization is interested in conducting a TRVA or you would like more information about our TRVA course, please contact us.