

The Value of Security Risk Assessments

Many organizations fall into a pattern of assuming that if nothing has gone wrong, or at least nothing has gone wrong for a long period of time, there is no real need to improve security or to identify the respective risks. Obviously, this is not a good pattern to follow. Conducting continual risk assessments is critical because of the ever-changing environment that organizations encounter.

Every organization and its respective departments have varying risks. These risks influence how they achieve their objectives and goals, thereby affecting the profitability and value of the organization. While many organizations may dedicate an enormous amount of time to identifying the risks that could impact business, it is important to measure and prioritize risks so that the organization can respond to any given situation appropriately, efficiently, and effectively, ensuring the least amount of operational loss.

Comprehensive Risk, Threat, and Vulnerability Assessments (RTVA) offer an organized and systematic approach to assessing risks of the organization. Providing an informed decision-making baseline to determine a particular course of action is the main focus. This "all-hazards" approach provides the analytical framework for risk management. An RTVA should identify key assets that need to be protected and determine how critical each asset is to the business and its operation. Practitioners in our profession associate doing an RTVA with concentration in only one segment of the overall process. For example, security practitioners may focus on the electronic aspects of physical security instead of understanding the overall security program viewpoint respective to that of the corporate risk strategy.

Comprehensive RTVAs involve an understanding not only of physical, informational, and operational security but also of how these aspects affect the individual business unit. One way to solicit this information is to have each unit conduct a business impact analysis. This key step in information gathering identifies departmental risks, their respective value, and how they affect the way an organization achieves its strategic objectives. Risks today are dynamic and always changing. Therefore, organizations need to re-evaluate and monitor, on an ongoing basis, the potential risks that affect them.

The information age and the 24-hour news cycle make it imperative for organizations to track the rate at which risks change. For instance, some organizations utilize near real-time monitoring capabilities for varying conditions using artificial intelligence and deep learning, big data mining, text analytics and data visualization techniques. These Intelligent Control Centers analyze and disseminate actionable information to decision makers in order to establish a comprehensive risk, threat and vulnerability assessment.

So, what can RTVAs offer, what is their significance and what can the organization take away?

They can:

  • Reduce Long-Term Costs

  • If Completed by Knowledgeable Experts, Improve Future Operations and Achievement of Strategic Objectives

  • Break Down Barriers

  • Provide Important Self Analysis

  • Facilitate Communication

  • Help You Avoid Breaches



Foundations & Fundamentals: Basis for Proper Planning

"Hackers target financial institutions because that’s where the money is, and they target retail chains because that’s where people spend the money. Hotels might be a less obvious target, but they’re hacked almost as often because of the valuable data that passes through them, like credit cards and trade secrets. Thieves have targeted electronic door locks to burgle rooms and used malware attacks to log credit card swipes in real time. They’ve even used Wi-Fi to hijack hotels’ internal networks in search of corporate data. Just about all of the industry’s major players have reported breaches, including Hilton Worldwide Holdings, Intercontinental Hotel Group, and Hyatt Hotels."


Headlines, incidents, and occurrences like these are becoming too prevalent among our organizations and institutions. It is with this backdrop and what has occurred to date that we must endeavor to be more vigilant and knowledgeable about the foundations and fundamentals of security awareness and assessment. It is an essential preamble to: “Back to Basics.” Therefore, understanding the definition of risk and the process of a thorough and comprehensive risk analysis and assessment is indispensable for developing the foundation of a security master plan or comprehensive blueprint for any level of educational institution, organization, or corporate entity. In many instances our institutions have neglected this aspect due to many compromising variables: budgets, regulations, compliance, quick fixes, policy & procedures, etc.

What is emblematic in every one of these instances is the lack of focus on risk analysis and assessment. It is the disregard and neglect in being aware of our surroundings and comprehending the operational aspects of any organization. These crucial aspects set into motion the necessity to establish a thorough risk analysis and assessment process that can be the basis for proper security master planning and will ultimately assist in the development of subsequent and critical plans – Communication, Crisis Management, Active Shooter Training, a Workplace Violence Plan, etc.

What is paramount, therefore, is an understanding and awareness of the environment in which these organizations reside. Considering that the people, property, proprietary information, business reputation, and infrastructure are the life-blood of our institutions, it is critically important that this understanding of risk, the process of risk analysis and assessment, and the eventual planning are done meticulously. It goes to the very essence not only of protecting our greatest assets, but also of our culture’s future.