Leo Tolstoy said: “Everyone thinks of changing the world, but no one thinks of changing himself” or in this instance, the nicely bound documents in the office bookcase. The company has a business plan, a marketing plan, a business continuity plan, a security risk assessment and many other documents, all sitting on the top shelf. We know that they should be pulled down occasionally and reviewed but usually we are too busy and nothing much appears to have changed.
The reality is everything changes, all the time, and if those documents are not revised, not only do they become outdated and irrelevant, they become dangerous. This is particularly true of the security risk assessment (SRA) as the organisation may be facing new risks that it may not know about or wasting resources on risks that are no longer valid. This article concentrates on the in-house security risk assessment and why, when and how it should be revisited.
Unfortunately, few of us review our business as often as we should; the over-arching business plan should be reviewed annually to confirm that the organisation is still on track and to ensure new markets and services are reflected in the plan. Revising the business plan annually also provides an opportunity to reassess the broader business risks; assessing if the markets, products/services, governance requirements, financial exposures and opportunities have changed over the last 12 months. Change will, almost certainly, have occurred in this time: businesses may shrink, grow or change with the pulses of commercial life. This movement can drive the acquisition or loss of assets, impact management structures, and create new business opportunities. All of these may create additional security risks. New or amended legislation and regulations also require security assessments to ensure compliance. Changes to controls over OH&S, governance, working with children, financial transaction monitoring, privacy and so forth all have corporate security implications as they define specific assets and the need to protect them from deliberate human action.
As part of the broader business risk review, an initial strategic SRA should be conducted. This defines what assets are worthy of protection (people, information, equipment and reputation – PIER), why someone would want to take or damage the assets, where the exposures lie and what can be done to reduce the likelihood of the event occurring or to mitigate the consequences should the risk be realised.
An enterprise-wide ‘strategic’ SRA is not so much about locks and doors but rather about understanding what is important to the business and how to protect it from deliberate human action. A strategic SRA should consider the eight or so risks that affect the whole business. A strategic security risk may be “failure to protect sensitive corporate information” with recommendations relating to policies and procedures for all staff. Under the handful of strategic security risks a larger number of subsidiary, detailed risks will probably be identified that require more specific responses such as “all information related to tender submissions is to be stored in XXX with access granted only to YYY”.
A strategic security risk assessment may be done as part of the organisation’s start up or as a one-off review once the business is operating. While this is a good starting point, it is important to understand that the SRA needs to be reviewed and adapted to ensure that it reflects risks associated with the business’s changing corporate goals. The detailed risks are fluid and need to be changed as business assets, functions, sites and processes alter.
Having raised the initial security risk assessment, a corporate risk now becomes “security risks are not identified or reviewed as the business changes”. The way to manage this risk is to know when, why, and how to revisit the security risk assessment.
The need to review security risks is not limited to the corporate sector; government agencies also face constant change, particularly after a change in government or policy.
The question of when the security risk assessment should be reviewed is linked to why it should be done. At the strategic, enterprise-wide level, the security risk assessment should be reviewed annually in conjunction with the business plan. This will ensure the two are still aligned and that what the business has, and does, is being protected.
As well as a periodic (annual) review there are trigger events that should cause a review of the security risks:
- Changes in the business assets including new equipment, IP, more staff, new facilities and locations (including interstate or overseas), and online assets including e-sales
- New assets, which may result in new threat vectors, different sources of harm or loss from those who will seek to find exposures and exploit them
- New business opportunities – ideally the new security exposures should be a factor in the business case and the cost-benefit analysis
- Changes to the physical environment, including new neighbours and changing social activity around site – it is not just deteriorating social conditions that can have an impact on security risks: improved social conditions can lead to a ‘better’ class of criminal
- Changes at state, national and international levels with new government policies and regulations, changing threats and exposures, potentially enabling the migration of specific crimes into new geographic areas.
When a risk is realised and a security incident has occurred, the risk assessment needs to be reviewed:
- How did the incident relate to the risk assessment?
- Given that the incident occurred, were the likelihood and consequence ratings appropriate?
- Were the mitigation treatments as effective as could have been reasonably expected?
One key issue that is often overlooked is how other amended business plans may impact the SRA. For example, in the business continuity plan, have security incidents been considered when determining the trigger points that will cause the BCP to be implemented? What exposures to company assets are generated by the BCP requirements for off-site access to information and staff? In relation to emergency plans, how will the site and assets be protected if the site is evacuated? Security events may require additional considerations for related plans such as disruption to staff, sites and information due to law enforcement investigations. Compatibility and consistency between documents will assist in providing a safe and secure environment.
Other corporate changes can also require a reassessment of security measures. Alterations to staff counselling services, facility maintenance contracts, insurance coverage and exclusions, legal support, and changed staff travel contracts all relate to likelihood and consequence mitigation treatments. Depending on where the manager responsible for security sits in the organisation, they may not become aware of corporate level changes until after they have been implemented, in which case they should review the related risks to see what, if anything, needs changing.
Another trigger point can be the removal of assets and functions; a review of the related risks may show where mitigation measures can be reduced or even removed, thereby supporting the bottom line.
Out of date security risk reviews are dangerous because the results of an outdated SRA no longer reflect the operating environment. It is likely, if not probable, that related documents will have been reviewed and amended; unless there is a strict document management system in place, the result will be conflicting requirements, policies and practices. Old assessments also reflect old legislative and regulatory requirements and expose the business to claims of non-compliance.
An unrevised document will not reflect current best practice or knowledge. This links to the question of who should review the security risk assessment. Security is a management discipline with its own body of knowledge and research and a wealth of peer opinion and experience. An enterprise-wide security risk review should be conducted by a security professional who keeps up to date with new threats and new protective and response measures. Active membership of professional associations, attendance at meetings and workshops, subscription to and reading of professional publications and ongoing professional development should be standard for anyone claiming to be able to conduct such a review.
As with any security risk assessment, it is essential the assessor takes the time and effort to learn the context in which the assessment is to be conducted, particularly the business drivers, the operating environment, the structure of the organisation, the regulatory environment, and the internal and external relationships. If the assessment is provided by an in-house resource, they must understand all aspects of the business: the functions, aims, and aspirations of the organisation.
The world changes, the business changes, the security risks change; having a risk assessment on the shelf that does not change is a waste and a corporate exposure. If business planning documents are not reviewed both regularly and when changes are observed, they become outdated, irrelevant, and dangerous. Taking the time to review the security risks will protect the assets and functions of the organisation.