Security Risk Assessment
eBook - ePub

Security Risk Assessment

Managing Physical and Operational Security

John M. White

  1. 230 pages
  2. English
  3. ePUB (mobile-friendly)
  4. Available on iOS and Android

About This Book

Security Risk Assessment is the most up-to-date and comprehensive resource available on how to conduct a thorough security assessment for any organization.

A good security assessment is a fact-finding process that determines an organization's state of security protection. It exposes vulnerabilities, determines the potential for losses, and devises a plan to address these security concerns. While most security professionals have heard of a security assessment, many do not know how to conduct one, how it's used, or how to evaluate what they have found.

Security Risk Assessment offers security professionals step-by-step guidance for conducting a complete risk assessment. It provides a template to draw from, giving security professionals the tools needed to conduct an assessment using the most current approaches, theories, and best practices.

  • Discusses practical and proven techniques for effectively conducting security assessments
  • Includes interview guides, checklists, and sample reports
  • Accessibly written for security professionals with different levels of experience conducting security assessments

Frequently Asked Questions

Is Security Risk Assessment available as an online PDF/ePUB?
Yes, you can access Security Risk Assessment by John M. White in PDF and/or ePUB format, along with other popular books in Business and Information Management. We have over a million titles to discover in our catalogue.

Information

Year
2014
ISBN
9780128009178

Chapter 1

Introduction to Security Risk Assessments

Abstract

There are many names given to the term security risk assessment. In fact, the actual process of identifying security issues has been called physical security assessment, security survey, security audit, and risk assessment to name just a few. Generally speaking, it is a systematic on-site assessment and analysis of your current security measures, whether they are physical security measures, technology, operations, facilities, security management, policies, training, reports, or any other aspect of your security program or measures. This chapter will help to define the intent of an assessment, who will conduct it, and how to remain objective and unbiased throughout the project.

Keywords

Defining security risks; Physical security review; Security deficiencies or excesses; Security risk assessment; Security vulnerabilities

What Is a Security Risk Assessment?

There are many definitions given to the term security risk assessment. According to ASIS International’s manual, Protection of Assets: Physical Security, a security risk assessment is “a fundamental examination that can include review of documentation, policies, facilities, technology, protection strategies, staffing, training, and other key indicators to determine the present state of the protection program (security) in an effort to identify deficiencies and even excesses, in order to make recommendations for improvement based on proven methods.” 1
In fact, the actual process of identifying security issues has been called many different things. Some of the more common names assigned to this subject have been security assessment, security survey, security audit, and risk assessment to name just a few. Generally speaking, it is a systematic on-site assessment and analysis of your current security measures, whether they are physical security measures, technology, operations, facilities, security management, policies, training, reports, or any other aspect of your security program or measures. Regardless of the title, they are all going after similar goals of identifying security weaknesses, risks, deficiencies, and even excesses, and then formulating a plan to address the findings with detailed recommendations based on industry accepted standards and best practices.
Most professionals would agree that the assessment process should follow a uniform approach. However, if there is one thing certain in life regarding such processes, it is that everyone who conducts such assessments does so in a variety of different ways.
Over the years, there have been numerous books that have covered different parts of a security assessment, so you would think that security practitioners would all be working from the same baseline. However, the opposite is true in many cases. Even among professional security consultants, all have different approaches and no two reports are the same.
Case in point—upon review of numerous security assessment reports written by independent consultants, it became clear to me that there are vast differences in style and project methodology. Some reports are nothing more than a statement of facts as determined by the author, followed by an extensive list of recommendations, most of which are not easily correlated within the report, nor are they explained in detail showing the reader what the recommendations will bring to the table if implemented. So this begs the question: if the report does not fully identify the security risk, tell the reader how to address that risk, or provide the reader with a sense of what the change will look like if implemented, what is the purpose of the assessment?
Quantitative and qualitative techniques are often used in an effort to measure and evaluate the security program’s effectiveness. The person conducting the assessment also needs to consider statistics when conducting a security risk assessment because the statistics are often the starting point in establishing a baseline of sorts for the program. You cannot effectively manage a security program if you do not track security incident reports and their outcomes. If the person doing the assessment (who will be referred to as the reviewer throughout this chapter) does not have information on historical security issues (e.g., past incident reports) to determine trends, he or she will be at a disadvantage and will likely be setting the baseline from scratch.
Another part of the security assessment is the process of identifying and defining the threat, as well as identifying what the target of those threats may be. As we often find, no two industries are exactly the same, and the process of identifying and defining security risks and threats is often different depending on your organization.
Take, for example, an organization that does research and development for high-end computer components and a retailer. The security threat for the research and development organization may be in the form of stolen trade secrets, products, or even patent infringements/violations. On the other hand, the security threats associated with the retail environment will often be theft of product or cash receipts. Therefore, in the case of a retail environment, you might be looking at implementing security measures that reduce the risk of robbery, burglary, shoplifting, or even embezzlement. As for the research and development company, security’s efforts may be more focused on preventing unauthorized access into research and development areas and unauthorized access to sensitive computer files. In both cases, security practitioners are often working in a proactive manner, which means they are trying to prevent an incident from occurring.
As most security practitioners know, security programs often operate in a proactive posture, where the goal of security is to prevent incidents from occurring. Law enforcement, on the other hand, often operates in a reactive mode, meaning that officers respond to calls for service as a situation is occurring or after it occurs. Conducting a security risk assessment is itself a proactive act, as you are looking at your program to see where you can improve based on industry standards. As part of that assessment, the security practitioner must look at past incidents, known threats, and potential targets, which in essence is being both proactive and reactive.
Today’s security practitioner must be flexible and must be able to not only look to the past but also plan for the future in their daily actions. The challenges of today’s security professionals are more complex than ever before. The industry in which you work has changed no matter what type of business it is. With the constant rise in workplace violence issues and threats, such as an active shooter, security professionals must adjust.
This book will only minimally touch on information technology (IT), due to the fact that most security professionals do not manage the computer systems of their companies. However, it is possible that some security practitioners are performing IT oversight to some extent, because we know there is a trend in many large corporations to bring all security systems and operations under one person, such as a chief security officer (CSO).
In most businesses, IT and security are separate, yet IT does play a role in security. IT protects the computer network systems, online presence, electronic records, and e-commerce, while the security department protects the corporate assets, which, by the nature of that responsibility, includes IT. If you are performing a security risk assessment at your organization and you are not considering your online presence or your computer network, you could be overlooking the most vulnerable portal into your organization. Although this book will address IT as it relates to the security assessment, it is not the focus and intent of this book to fully address all the security concerns associated with the corporation’s computer network. There are many resources available to fully address IT security, and we would suggest that security practitioners at a minimum have a basic understanding of their network systems.
What sets the tone for most security programs can often be described as the probability of “risks.” When you are assessing for risks you are evaluating for potential incidents of undesirable events. Real or perceived risks are those key factors that are the basis for the level of security measures instituted. In simple terms, if you do not believe that your company has any security risks, it is likely that you have minimal to no security measures other than a lock on the door.
Take, for example, a farmhouse in a very remote area. At this farmhouse, you are likely to find that the doors to the house and outbuildings are not locked, even when no one is on the property, and you may often find the car keys in the ignition. The owners believe that they have no real or perceived security risks, therefore they have no security. For them, this is a matter of choice.
On the other hand, when you look in the inner cities you will often find homeowners who go to great measures to secure their property. Those security measures will include deadbolt locks, bars on the windows, alarm systems, fencing, guard dogs, security cameras, and many other protection measures. They often do so because of the risks associated with their environment or geographic area. Either they have been a victim of a crime or someone they know has. It could also be that they have educated themselves in the risks around them and they are intent on protecting their assets. Again, it is a matter of choice, but the difference with them versus the rural homeowner is the real or perceived security risks.
When talking about businesses, you will likely never find a business, even in a very remote setting, that does not incorporate some type of security. However, not all businesses have a dedicated security professional responsible for the protection of the company’s assets. In fact, the majority of businesses have no such person on staff. Although that may be the case, there is often a member of management that does have some oversight regarding safety and security matters.
As an example, large retail businesses often have loss prevention staff in place to reduce inventory shrinkage. For the most part, those staff members may also be responsible for many of the security protocols, policies, and technology in use. However, not all retailers have such protocols or measures in place, and what they do have barely touches on “security.” In fact, if you look closely at some of the largest international retailers, you might be surprised to find that they have no security policies to speak of and their focus is only on loss prevention measures.
Some types of businesses, however, are required to have security policies and protocols in place, and healthcare is a prime example of this. Oftentimes the requirements are due to accreditation standards, yet there are also a few state laws that require security services. For example, in the state of California, healthcare facilities are required by law to conduct security risk assessments due to the high number of workplace violence incidents against healthcare staff. With that being the case, you would think that every healthcare facility had a professional security manager on staff to manage the program. However, to assume that would be incorrect. There is no requirement to have a security practitioner at the helm who takes responsibility for his or her organization’s security. In many cases, smaller hospitals have no security staff at all, or they may just have one guard working the overnight shift. In these cases, they rely solely on operational protocols and policies. They will, however, have a member of the management team who is responsible for the security oversight. This person could be the director of facilities, director of information technology, the risk manager, or the safety officer. These are just a few examples of how hospitals use staff for security oversight that are from backgrounds far removed from security. Regretfully, in most cases the people that oversee the security of the organization have no security background prior to assuming this role.

Security Risk Assessment Intent

Talk to any security practitioner who has only been in the business for a short period of time and you may soon discover that they may not understand the intent of the security risk assessment. In many cases, since they do not understand what a security risk assessment is, they certainly do not understand the need for conducting one or how to conduct one.
A familiar scenario is that of a former police officer who has changed careers and is hired to run a security program for a private company. Those who have been in law enforcement understand that police officers do not normally conduct security risk assessments, as defined at the beginning of this chapter, as part of their normal law enforcement duties. I am not implying that no police officers have any experience in this, because in fact those officers that normally work in the crime prevention bureau of the police department have some experience with this task. Also, remember that due to the nature of the law enforcement profession, the vast majority of police officers are experienced in being reactive rather than proactive. However, a law enforcement officer who changes careers and becomes a security leader will normally grasp the concept and intent of the security risk assessment due to his or her past experiences as a police officer. Their basic knowledge base will come from a crime prevention approach from their experiences on the street, and in most cases their learning curve to understand the risks faced by their employer will not be overly steep.
Therefore, when we talk about the “intent” of the security risk assessment, we are talking about what it is we are looking for, why we are looking for it, and what we view as being a threat or risk to our organization. Of course we also need to consider what changes should be made to our security program to mitigate any risk.
A substantial part of the security risk assessment is also to determine how effective the existing security program is at the present time. We will also look to see if the intent of the security program is being fulfilled, and of course if the intent of the program is reasonable and within industry standards or expectations.
Another driving factor for conducting a security risk assessment is often a direct result of a serious security threat or incident that has happened at your organization. Many times organizations will also conduct an assessment when a serious incident has occurred at a similar business, or even at a neighboring business.
Case in point—after each mass killing or terrorist attack within the United States, there is often an internal review conducted at many organizations, many of which may have no direct relation to the business or facility where the attack occurred. Of course those organizations that had the security incident happen at their location are often responding to, and eventually preparing for, criminal or civil actions as a direct result of the incident. The unfortunate thing is that an incident has already occurred and the organization may just now be attempting to identify its security risks. In this case, the intent for the assessment is more reactive and along the lines of damage control. In addition, if the organization completed a security risk assessment in the past, it will also likely be looking at that document as part of its review.

Who Will Conduct the Assessment?

When the time comes to conduct an assessment, an organization may have someone on staff that is qualified to perform this task, or they may have to look for an outside resource to assist them. The most important consideration that an organization must understand is that the person they assign to conduct this assessment must have the proper background and training.

Internal Sources

When an organization is looking to find someone internally to conduct an assessment, they will often go with a security director or manager. However, as mentioned before, not all organizations have a security department in place, and therefore they may look to other departments such as risk management. Whoever is chosen or assigned the task of conducting the assessment must have experience in security operations and risk identification. They also need to conduct the review in an unbiased manner, which oftentimes has been identified as one of the biggest obstacles to overcome when this assignment is conducted internally.
For an internal staff person to conduct a security risk assessment on their own program, which will involve identifying weaknesses, possible deficiencies, or even excesses...

Table of Contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Acknowledgments
  6. About the Author
  7. Preface
  8. Chapter 1. Introduction to Security Risk Assessments
  9. Chapter 2. Preassessment Planning
  10. Chapter 3. Project Management
  11. Chapter 4. Defining the Project Scope
  12. Chapter 5. Information Gathering
  13. Chapter 6. Physical Security Assessment
  14. Chapter 7. Security Department Operations
  15. Chapter 8. Security Training
  16. Chapter 9. Workplace Violence Risks and Vulnerabilities
  17. Chapter 10. Financial Risk Assessment
  18. Chapter 11. Security Technology Assessment
  19. Chapter 12. Access Control
  20. Chapter 13. Legal Considerations and Prevention Strategies
  21. Chapter 14. Contracted Services
  22. Chapter 15. The Security Risk Assessment Report
  23. Chapter 16. Conclusion
  24. Index
Citation Styles for Security Risk Assessment

APA 6 Citation

White, J. (2014). Security Risk Assessment ([edition unavailable]). Elsevier Science. Retrieved from https://www.perlego.com/book/1830498/security-risk-assessment-managing-physical-and-operational-security-pdf (Original work published 2014)

Chicago Citation

White, John. (2014) 2014. Security Risk Assessment. [Edition unavailable]. Elsevier Science. https://www.perlego.com/book/1830498/security-risk-assessment-managing-physical-and-operational-security-pdf.

Harvard Citation

White, J. (2014) Security Risk Assessment. [edition unavailable]. Elsevier Science. Available at: https://www.perlego.com/book/1830498/security-risk-assessment-managing-physical-and-operational-security-pdf (Accessed: 15 October 2022).

MLA 7 Citation

White, John. Security Risk Assessment. [edition unavailable]. Elsevier Science, 2014. Web. 15 Oct. 2022.