Too many organizations rush into the purchase of security systems without really understanding the vulnerability they're trying to address. They're throwing darts at the problem, hoping they get a bulls-eye. Although there is a chance they will hit the target, more often than not, they will miss.
Although technology is an important part of a security program, it may not be an effective control against specific vulnerabilities. Establishing a security program requires broad security controls. It is a comprehensive approach that uses physical, technical and operational controls. The complexities of a security program cannot be underestimated — and cannot be achieved by implementing a single control. The one-size-fits-all approach will never be applicable to a security program and the management of broad security vulnerabilities.
Security is only one of many broad risks to an organization. A security assessment or security vulnerability analysis is a subset of a process called enterprise risk management, which involves evaluating and prioritizing all risks to an organization, security being one of them. For instance, from an enterprise risk management perspective, the security risk could be: vulnerability to assets, people, business, brand and reputation. To examine this risk, a security vulnerability analysis would evaluate an organization to identify, validate and prioritize vulnerabilities that could produce a security incident. This incident could be as mundane as product loss or as catastrophic as a shooting in a facility.
A security vulnerability analysis seeks out root causes for a security vulnerability and applies physical, technical and operational controls to deter, delay and minimize the impact on the organization for an incidence.
The security vulnerability analysis validates vulnerabilities to upper management and helps procure money for improvements. These improvements could be establishing a security program, purchasing technology, performing upgrades to lighting or physical security, training, improving awareness, and so on.
The security vulnerability analysis is the basis for a business proposal; it is what a manager needs to communicate to executive leadership the need for an expenditure. Once a broad security risk is identified by an enterprise risk management or other process, the implementation of security controls will be necessary. Unfortunately, once security has been identified as a risk, some organizations haphazardly apply security technology as an inclusive fix, without taking the time to conduct a security vulnerability analysis.
In one instance, an organization was experiencing product loss. Initially, the manager implemented a very sophisticated camera system to determine the cause of the loss, which he believed had occurred at the dock. But the loss continued. A closer look revealed that it was a result of improper paperwork. No one was stealing from the dock; rather there were multiple errors in the inventory, delivery and accounting process. The organization did not need the camera system, but rather needed to identify and prioritize the areas of vulnerability.
Here's another example: A car dealership was experiencing thefts. As a result, management set up a sophisticated perimeter detection system, which was tied into remote a video surveillance system service. On top of that, the car dealership hired security guards and, later, off-duty police officers. Instead of decreasing, the thefts increased despite all the steps that had been taken. It took a security vulnerability analysis to identify the multiple root causes for the losses. For one thing, the dealership was in an area with a high crime rate. For another, the perimeter detection system was the first and only level of security. On top of that, keys to vehicles were stored outside in unsecured locations. Moreover, inventory was not taken regularly.
The security vulnerability analysis prioritized the vulnerabilities of the dealership, which turned out to be much more than property loss. As a result, all guards were removed and the perimeter video system was eliminated, while losses of vehicles decreased. In addition, the dealership implemented additional cash handling procedures for the protection of its staff.
A Security Vulnerability Analysis Helps Identify Real Threats
Security Analysis Should Go Beyond Checklists, Include Recommendations
