Three Steps to Avoid Security Theater
This has been a make-or-break year for physical security departments, and how they handle their response to the pandemic will pave the way for executive buy-in—or loss of credibility. From how people enter a building to how they interact with others onsite, physical security professionals have been tasked with mitigating risk and ensuring safety more than ever before.
To address emerging risks, many organizations are rushing to adopt security solutions to keep their businesses operational and compliant with newly established health and safety standards. According to recent research conducted by Traction Guest, the overwhelming majority (92 percent) of enterprise security and risk professionals report that physical security is of greater strategic importance to their organization now than it was before the pandemic. With onsite health and safety concerns at an all-time high, 87 percent of businesses plan to increase spending on physical security going forward.
While it’s encouraging to see businesses investing more in physical security programs, not all risk mitigation measures are created equal. When managers deploy countermeasures without first understanding and addressing the company’s own specific risk posture, they are contributing to “security theater”—a concept that refers to security measures that make people feel more secure without doing anything to actually improve their security.
In response to the pandemic, what steps should enterprises take to ensure they are truly securing their business and protecting employees and visitors versus simply participating in security theater?
Know the Risk
To provide value to the business without entering into security theater, a security leader must begin by understanding the risks his or her company is actually facing. Each company has its own unique physical security risks, and security professionals must allow those risks to inform how they implement new technologies and procedures.
While organizations should run risk assessments on a regular and ongoing basis, most risk assessments tend to take place after a specific event or incident. COVID-19 has created a point in time where all companies must reevaluate their physical security program to factor in both current and future pandemic-level threats. If you haven’t already, it’s time to dust off those risk evaluations and take a serious look at your security posture.
While there are certainly industry standards and best practices available as a framework for your program, there is no one-size-fits-all approach to physical security and protecting your business. In fact, the industry standard or buzzworthy solutions may not be the best fit for every organization.
Begin by assessing your company’s overall risk from a corporate, brand, and executive perspective. This high-level overview will provide you with a broad base of the most critical and potentially damaging risks your company faces.
Next, conduct risk assessments on a site- or location-specific level. While this task can be tedious depending on the size of your organization, this level of granularity is vital to an effective assessment. You will need to factor in location-based considerations, such as what type of facility you are securing, how much revenue the facility brings in, whether there are irreplaceable assets or operations involved at this site, and any other facility-specific risks.
Once your location-specific assessment is complete, begin evaluating risk from a business unit perspective. Don’t forget to include the security department in this stage of the risk assessment; a worst-case scenario would be for your department to be the one that buckles in the event of an emergency situation.
Address the Risk
After completing a multifaceted risk assessment, you will be left with a comprehensive overview of all of the risks your organization faces. This assessment, however, does not include your company’s risk tolerance level.
Every company has a varying degree of risk it is willing to accept. Speak candidly with senior leadership, legal advisors, and other stakeholders about the level of risk your company is prepared to take on. Then you can begin to determine what the appropriate countermeasures are to address and mitigate your organization’s risk. These countermeasures can be both technological and procedural, but they must be tailored to meet the specific needs of the business.
For every countermeasure you put into place, you should determine how effective it is at eliminating your actual risk. For example, if you are trying to keep bad actors out of your facility, consider an access control system that can address that particular challenge. This step is critical to eliminating security theater, because it keeps you from introducing systems that won’t have any substantive impact on the company’s risk posture.
Another strategy to tackle risk more effectively is to partner with your cybersecurity counterparts. Physical and cybersecurity leaders should focus on cooperation—whether that be through collaborating on response plans or conducting risk assessments together. This partnership creates a more comprehensive view of the organization’s overall risk posture and allows leaders to implement solutions that address risk from a unified security standpoint.
Enforce the Policy
Policy enforcement and governance are vital when establishing an effective risk management strategy. Many businesses today have great intentions when implementing new physical security technology. Without policies in place to govern and maintain these systems, enterprises are unfortunately unable to track whether the countermeasures they have put in place are effectively managing risk. Enter security theater.
Without managing systems properly, it’s easy to introduce new risks into the business. For example, a company may spend significant resources adopting a new access control system. But how many people at the company have multiple access badges? And how many employees lost a badge that might have fallen into the hands of a malicious actor? Improper management of countermeasures almost guarantees that there will be weak spots in the system. In fact, that shiny new access control system may be allowing more bad actors in than before.
As Physical Security Rises in Importance, Remain Focused on Risk
The pandemic has spurred the C-suite to recognize that ineffective health and safety protocols expose their people and their businesses to serious risk. As a result, senior leadership is more concerned with physical security than ever before, advancing many security and risk professionals into a strategic position within the business.
Physical security leaders must remain laser-focused on identifying risk, implementing measures with which to address that risk, and enforcing policies to keep those systems operational—only then can they provide true value for the business. We have entered into a new world order, in which effective physical security is of the utmost importance to the business. Security theater can place your company’s brand reputation on the line, not to mention lead to potential harm to employees and visitors. It is no longer about convenience or security theater, but instead about maintaining business operations and protecting the health and safety of everyone onsite.
Brian Phillips, CPP, PSP, is director of global security strategy at Traction Guest. He has held a variety of leadership roles at global healthcare, life sciences, and Fortune 500 companies. Phillips most recently served as the director of global security at Thermo Fisher Scientific, where he led the firm’s global security efforts for 75,000 employees and 450 facilities, integrating and scaling security technologies across the enterprise. Phillips is a member of the ASIS CSO Center and the Connecticut Chapter.