Finding the solution to break the Risk chain
For Risk Mitigation, the “Risk chain” needs to be broken in a cost-effective way. Risk chain components need to be mapped against the different Security layers, i.e., Infrastructure, Equipment, Application, Processes, and Manpower, to determine the optimal Security solution. Once a company starts mapping Security layers against Risk chain components, it will likely be possible to identify several measures that can be enhanced. It is important to involve Security as early in the planning process as possible. The best time to involve Security is in the design phase, where, at the 'Infrastructure' layer, the link (+) between 'asset', 'vulnerability' and 'weakness' can be broken or at least weakened.
Examples include:
- While designing the factory layout, keep separation between core operational area(s) and areas where external vehicles/personnel are required to come.
- While designing the building Security, keep the visitor lobby outside core areas.
- While laying hydrocarbon pipelines along the road, construct drains between roads and pipelines and/or keep low-risk pipelines near the road.
- Ensure adequate Standoff distance.
- Implement a “Green belt” (an area void of other buildings and people) away from the perimeter as a security buffer.
- Plan Gates to include a screening point, a denial/rejection lane, and adequate illumination.
There may be other additional examples, and all are best implemented during the initial design stage using the concept known as Crime Prevention Through Environmental Design (CPTED). In addition to minimizing risk(s), intelligent CPTED design may also help reduce the manpower needed for Security enforcement. The majority of Security measures are implemented to break the link (+) between Adversary and Weakness, i.e. Access Control, wherein the Adversary is kept away from the vulnerable assets; however, this is not the most cost-effective way if not designed properly. As shown below, a simple matrix can help identify the most cost-effective way to properly design physical and technical security interfaces.
Implementation of Security measures (layers) depends upon balancing three parameters:
- How much risk to mitigate? Or what is the Organization’s Risk appetite? Please remember that 100% Risk mitigation is not cost-effectively practical.
- How much cost can be allocated to Security? Implementing cost-effective Security helps meet Management expectations to spend as little as necessary to achieve an acceptable residual level of Risk.
- How much inconvenience to the user or customer is acceptable? How much will additional Security increase inconvenience?
Ideal Security provides an acceptable level of residual risk at the lowest possible cost and with minimum inconvenience to the users. The struggle for the Security Manager is to find the optimum balance.
In the next blog, each Security layer will be further examined and discussed in detail, with implementation in isolation or in combination of multiple layers providing defense in depth.
An insightful note on fundamentals of Risk Management. Looking forward to the next series.
Insightful... Looking forward to upcoming blogs
Thanks for sharing knowledge in depth .. Looking forward to more blogs ..
Yes very true ..from enterprise wide risk mitigation ...Very few organisations consult security SMEs before the planning stage and then do nudging with faults calling for many change management practices apart unwanted cost and delagacy challenges within ..... Sandeep Moitra .
Well elucidated Author. Thanks for sharing. Looking forward to the next Blog.
Bhuv
Risk is inevitable, if organisations do not realise to include Security at Planning & Designing stage. It's high time when Engineers, Strategists, & Visionaries also involve Security SMEs to get the best.
Great blog.. nicely brought out the building blocks of Security. 👍
Valuable inputs, if the said planning is considered during initial stage of establishment of infrastructure, it will be well planned and safe in terms of security and safety aspect for any plant / organisation. Looking forward to the further blog.
Crisp & precise inputs,
JSD
Knowledgeable blog
It's really helpful to have a greater vision in the part of Physical security
Great blog and well written blog for this topic thanks for sharing this info I find this info very useful for myself in my PGDM course which I am pursuing in finance from distance learning center.