Foundations & Fundamentals: Asset Identification and Characterization - Part II


Leading effective teams is a perpetual challenge for leaders such as CSOs, CISOs, and all types of security managers. Building an effective team is vital in conducting a risk, threat, and vulnerability assessment. The essential task is to gather and join together all the appropriate skill sets—often spread out over several departments within the organization—to ensure that every business risk is addressed, so that the organization’s bottom-line objectives can ultimately be achieved.

But to build and lead an effective team, leaders must first understand the immediate environment in which the organization is trying to accomplish its objectives. Often, this immediate environment, which is usually the specific market that the company operates in, exists within a larger complex ecosystem of regulatory requirements, standards, economic pressures, ongoing business processes, customer-vendor interactions, and security threats and vulnerabilities, with all components interacting via a throng of technologies.

This complex ecosystem can be difficult to navigate, so for a team to succeed, the different levels of the organization must be on the same page. Executive management must be willing to listen and participate in the process. Team members must be willing to adopt a different approach to achieving success. And all stakeholders must realize that, while not every effort will be prosperous, setbacks provide a valuable opportunity for learning and improvement.

Our next building block in the process is the formation of an effective team and the decision as to who will assist in the risk analysis and assessment process. This often raises the recurring question of who is responsible for risk within the organization. The simple answer is everyone. Everyone has a part to play within this process – “the whole is greater than the sum of its parts.” In order to complete a thorough and comprehensive review and assessment, a team mindset is a necessity, because each person brings their own particular expertise.


The total effectiveness of a team whose members interact with one another is greater than their effectiveness when acting in isolation from one another. Therefore, that combined knowledge and experience should be able to identify assets, assign value, and prioritize level of importance so that the team can create a well thought out risk mitigation plan in the process. This will include the aforementioned Communication Plans, Evacuation Plans, Crisis Management Plans, Security Facility Design, etc. It will further serve to address the unfortunately common issues that organizations face today, such as child abuse, bullying and cyber-bullying, and bus safety, to name a few. Within this team, roles and responsibilities will be established so that everyone understands their personal accountability to the team.


Foundations & Fundamentals: Asset Identification and Characterization - Part I

“Wise men say, and not without reason, that whoever wished to foresee the future might consult the past.”
- Machiavelli

“Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning.”

- Albert Einstein

So where do we start? To this point we have discussed Initiation, The Value of Risk Assessment, and Critical Thinking. Prior to beginning any type of assessment, it is essential that each entity within an organization aligns itself with the strategic mission, vision, and objectives of the organization. Common language is the key element. There are a number of practical implications that support improved and consistent risk language and communication, such as delivering the accurate level of treatment and guaranteeing that the right treatment and countermeasure is delivered to meet an organization’s specific needs. Consistent scales and classifications in risk assessments will assist with establishing agreement on questions such as what treatment(s) and/or countermeasure(s) to use, how much of each treatment and/or countermeasure an organization needs, and the duration of each treatment and/or countermeasure.

The primary purpose of a common risk language is to enable management to gauge the thoroughness of its efforts in identifying events and scenarios that merit consideration in a risk assessment. Management has the option of either beginning a risk assessment with a blank sheet of paper, with all of the start-up work that choice entails, or with a common language that enables people with diverse backgrounds and experience to communicate more effectively with each other and identify relevant issues more quickly.




This needs to be the first step in the risk analysis and assessment process. A level playing field must be established. This points directly to nomenclature, teamwork, and setting of expectations. One has only to point to the US Department of Homeland Security when it was establishing its program in reviewing critical infrastructures – educational institutions being one area. Their initial step in identifying risks was to create a framework and guideline in order to have a clear and relevant comprehension of terms: “to support integrated risk management for the Department, the DHS Risk Lexicon:

  • Promulgates a common language to ease and improve communications for the Department and its partners;

  • Facilitates the clear exchange of structured and unstructured data, essential to interoperability amongst risk practitioners; and

  • Garners credibility and grows relationships by providing consistency and clear understanding with regard to the usage of terms by the risk community across the Department.”[1]

Terms are important, as they can literally define how one is to proceed with the task at hand. This is why it is necessary to ensure, especially within an educational environment, that risk is well defined early in the process. Bear in mind that each elementary school, secondary school, high school, and institution of higher learning defines risk in a very different way and has its own understanding of what it means in its particular environment. That must be taken into account prior to any type of process beginning.

Risk and Risk Assessment should be defined and based on the “process of managing uncertainty of exposures that affect an organization’s assets and financial statements using the five steps of: identification, analysis, control, financing and administration,” as stated by Stacey Corluccio, an Academic Director of Risk Management Programs at The National Alliance for Insurance Education & Research. Security practitioners should further their scope by including best practices as well as established standards and guidelines such as those put forth by ISO 31000:2018 Risk Management – Principles and Guidelines and the ANSI/ASIS International/RIMS Risk Assessment Standard.[2] Both documents serve as excellent guides to defining risk, establishing a risk assessment process, and forming a risk analysis and assessment program that meets the set objectives of the organization.

[1] US Department of Homeland Security website,

[2] ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies. The American National Standards Institute (ANSI) is a private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States. The Risk and Insurance Management Society, Inc. (RIMS) is a professional association dedicated to advancing the practice of risk management.



Foundations & Fundamentals: The Importance of Critical Thinking in Risk Assessments

“Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning.”

- Albert Einstein

In Part III of this series we examine Critical Thinking. So, how does one conduct a risk analysis and assessment in this environment? There are numerous ways in which to conduct this process and, depending on your situation, each is done differently. Potentially, every one of these approaches could be correct. It simply depends. However, it has been my experience that nothing can be left to chance. The order of things has to follow a logical, detailed, and systematic process. A venerable and esteemed colleague of mine, Thomas Norman, in his book “Risk Analysis and Security Countermeasure Selection,” said it best:

“Critical thinking is to thinking as economics is to money management. Critical thinking applies a scientific process to the act of thinking that helps result in far superior conclusions and helps the thinker to support his/her conclusions with rational and defendable arguments...

Critical thinking helps assure that personal weaknesses, prejudices, or personal agendas are not forwarded as part of the conclusions...

Critical thinking is important because it enables one to think about a problem more completely and to consider many factors that may not be intuitively apparent.”[1]

We exist in a knowledge-based culture. The more critically you think, the better your knowledge. Critical Thinking equips you with skills to analyze and evaluate information so that you are able to obtain the greatest command of the knowledge presented. It establishes the best foundation for making the correct decisions and minimizes risk if a mistake does occur.

Critical Thinking will lead to being a more rational and disciplined thinker. It will reduce your prejudice and bias and provide you with a better awareness of your environment. Critical Thinking will provide you the skills to evaluate, identify, and distinguish between relevant and irrelevant information.

The Importance of Critical Thinking

Critical Thinking:

  • Assures that conclusions are all relevant to the issue under consideration.

  • Helps the thinker reach conclusions that are true to the purpose of consideration of the issue.

  • Helps assure that relevant theories, definitions, axioms, laws, principles, or models underlying the issue are considered in their proper context.

  • Reduces the likelihood of personal biases, prejudices, self-deception, distortion, misinformation, and so on being injected into the conclusion process.

  • Assures that all relevant stakeholders’ points of view are considered, including their concerns, goals, objectives, and intended outcomes.

  • Considers all relevant evidence and excludes irrelevant evidence, including relevant and irrelevant data and experiences.

  • Clarifies for the thinker what assumptions are being taken for granted and considers the relevance of those assumptions to the issue at hand.

  • Considers the implications and possible consequences of various possible recommended courses of action.

  • Helps the thinker infer conclusions from the evidence in the light of all other considerations listed above.

Elements of Thought

[Figure: Elements of Thought]

Point of view is unquestionably “the origin” from which you observe something. It involves perspective and outlook. It is necessary to comprehend your limits and take into consideration other relevant viewpoints. Next is your purpose, which defines your objectives, direction, and what you’re trying to accomplish. This leads to the exact issue at hand, which in turn determines what information, data, facts, and observations you will need to uncover to fully give substance to your thoughts. The succeeding three steps stem from that data gathering and influence the necessary interpretation, the applicable laws and principles and, eventually, the assumptions that need to be considered. Ultimately this leads to certain implications and consequences - essentially, thinking through scenarios before acting upon the information you have.

[1] Norman, Thomas L. Risk Analysis and Security Countermeasure Selection, Second Edition, p. 71. CRC Press.

[Figure: Critical Thinking Principles]

The whole point is to be thorough, accurate, systematic, and methodical when reviewing and looking over risks that affect projects that are being worked on or the business itself.



The Value of Security Risk Assessments

In many organizations there is a pattern of behavior which holds that, if nothing has gone wrong, or at least nothing has occurred for a long period of time, there really is no need for improvements in security or for identification of the respective risks. Obviously, this is not a good pattern to follow. Conducting continual risk assessments is critical because of the ever-changing environment that organizations encounter.

Every organization and its respective departments have varying risks. These risks influence how they achieve their objectives and goals, thereby affecting the profitability and value of the organization. While many organizations may dedicate an enormous amount of time to identifying the risks that could impact the business, it is important to measure and prioritize risks so that the organization can respond to any given situation appropriately, efficiently, and effectively, ensuring the least amount of operational loss.

Comprehensive Risk, Threat, and Vulnerability Assessments (RTVA) offer an organized and systematic approach to assessing the risks of the organization. The main focus is providing an informed decision-making baseline from which to determine a particular course of action. This "all-hazards" approach provides the analytical framework for risk management. An RTVA should identify the key assets that need to be protected and determine how critical each asset is to the business and its operation. Practitioners in our profession associate an RTVA with concentrating on only one segment of the overall process. For example, security practitioners may focus on the electronic aspects of physical security instead of understanding the overall security program from the viewpoint of the corporate risk strategy.

Comprehensive RTVAs involve not only an understanding of physical, informational, and operational security but also of how these aspects affect the individual business unit. One way to solicit this information is to have each unit conduct a business impact analysis. This key aspect of information gathering identifies departmental risks, their respective value, and how they affect the way an organization achieves its strategic objectives. In this day and age risks are always changing and dynamic. Therefore, it is necessary for organizations to re-evaluate and monitor on an ongoing basis those potential risks that affect them.

The information age and the 24-hour news cycle make it imperative for organizations to track the rate at which risks change. For instance, some organizations utilize near real-time monitoring capabilities for varying conditions using artificial intelligence and deep learning, big data mining, text analytics and data visualization techniques. These Intelligent Control Centers analyze and disseminate actionable information to decision makers in order to establish a comprehensive risk, threat and vulnerability assessment.

So, what can RTVAs offer, what is their significance and what can the organization take away?

They can:

  • Reduce Long-Term Costs

  • If completed by knowledgeable experts, improve future operations and the achievement of strategic objectives

  • Break Down Barriers

  • Provide Important Self Analysis

  • Facilitate Communication

  • Help You Avoid Breaches



Foundations & Fundamentals: Basis for Proper Planning

"Hackers target financial institutions because that’s where the money is, and they target retail chains because that’s where people spend the money. Hotels might be a less obvious target, but they’re hacked almost as often because of the valuable data that passes through them, like credit cards and trade secrets. Thieves have targeted electronic door locks to burgle rooms and used malware attacks to log credit card swipes in real time. They’ve even used Wi-Fi to hijack hotels’ internal networks in search of corporate data. Just about all of the industry’s major players have reported breaches, including Hilton Worldwide Holdings, Intercontinental Hotel Group, and Hyatt Hotels."


Headlines, incidents, and occurrences like this are becoming too prevalent in and amongst our organizations and institutions. It is against this backdrop, and what has occurred to date, that we must endeavor to be more vigilant and knowledgeable about the foundations and fundamentals of security awareness and assessment. It is an essential preamble to “Back to Basics.” Therefore, understanding the definition of risk and the process of a thorough and comprehensive risk analysis and assessment is indispensable for developing the foundation of a security master plan or comprehensive blueprint for any level of educational institution, organization, or corporate entity. In many instances our institutions have neglected this aspect due to many compromising variables – budgets, regulations, compliance, quick fixes, policies & procedures, etc.

What is emblematic in every one of these instances is the lack of focus on risk analysis and assessment. It is the disregard and neglect in being aware of our surroundings and comprehending the operational aspects of any organization. These crucial aspects set into motion the necessity to establish a thorough risk analysis and assessment process that can be the basis for proper security master planning and will ultimately assist in the development of subsequent and critical plans – Communication, Crisis Management, Active Shooter Training, a Workplace Violence Plan, etc.

What is paramount, therefore, is an understanding and awareness of the environment in which these organizations reside. Considering that people, property, proprietary information, business reputation, and infrastructure are the life-blood of our institutions, it is critically important that this understanding of risk, the process of risk analysis and assessment, and the eventual planning are done meticulously. It goes to the very essence of not only protecting our greatest assets, but also of protecting our culture’s future.




Trends in International Security & Organizations Operating in MENA

A few days ago, I had the distinct pleasure of being part of a panel discussion sponsored by Concur that focused on trends in international security and organizations dealing with threats in the Middle East and North Africa. I thought it would be beneficial to pass along some of the exchange.

The studies published by the World Economic Forum, the National Intelligence Council, and the Atlantic Council provided the baseline, as well as a valuable perspective, for viewing current risk and for developing corporate strategies to address risks and threats going forward.

Strategically, we would be seeing increased cyber attacks, extreme weather events and climate change, water and fiscal crises, unemployment/underemployment, political and social instability, as well as global governance failure. Organizations would need to focus on how they would adapt to the reality of a shifting climate and breakneck technological innovation.

Further attention needs to be paid to the expectation that the dominance of the West in international affairs will fade and that global power will become more evenly distributed between the West and the rising powers in Asia. As society and the distribution of global power change, the challenges to defense and security will increase.

Panel Question: Given that you manage risk for organizations, what are the most important points you address in developing comprehensive risk, vulnerability and threat assessments? What sources do you use for creating assessments? What are absolute priorities?

Reply: You need to examine the entire landscape of your organization's reach as well as its position within the market. Critically important is an understanding of the corporate Risk Management strategy. That will play into how risk is defined and ultimately how risk assessments are performed. A Comprehensive Risk Assessment is designed to consider the organization’s vision, mission, values, and culture, as well as strategic and tactical objectives. It may consider an organization's broader objectives and activities or some specific goals and objectives, but in all cases it assesses what can affect the achievement of these, either positively or negatively.

I use a customized tool that can be used on a tablet. I created it in conjunction with a technology firm; it makes the risk assessment completely digital and real-time. We are in the current stages of refining the criticality piece, which will be the first of its kind in the industry. Other sources for establishing best practices are the published standards and the modification of other assessment tools used in the various industries in which I have been involved. What is absolute is having a logical, structured and consistent approach to assessing risk.

Panel Question: We’ve heard a lot about social media and the potential for reputation risk and image damage for organizations. How do you monitor and address reputation risk created by social media?

Reply: It boils down to having a reputational management strategy prior to even getting to the point of dealing with social media. Social media only exacerbates the issues of how you handle any given incident or crisis. The main point is to embrace social media and see how it can benefit the company, as well as to monitor the pitfalls. Having a good internal policy around social media is equally necessary.

Particularly, you should be paying close attention to the following four points:

  • Overcoming direct challenges from influential activist and political forces
  • Managing corporate scandals, including executive compensation
  • Using external, seemingly unrelated events to boost reputation
  • Building a reputation management process into everyday operations

Panel Question: How do your clients deal with the threat of Jihad in countries in which they operate?

Reply: I try to educate and advise clients on what Jihadism means to them personally and to their company. Take for example the term "Jihadist Globalism." It is often used in relation to Jihadism, as is "Jihad Cool," a term used by Western security experts for the re-branding of militant Jihadism into something fashionable, or "cool," to younger people through social media, magazines, rap videos, and other means. It is a sub-culture mainly applied to individuals in developed nations who are recruited to travel to conflict zones on Jihad.

It simply goes back to a structured but flexible travel risk management strategy and plan, developed around the travel habits of the corporation, as well as ensuring that employees are situationally aware of their environment.