Risk Management Series



Introduction – What Keeps You Up at Night?
Part 1 – Risk in risk management systems.
Part 2 – Monitoring and Managing systems and components.
Part 3 – The Security Systems Management Platform.
Part 4 – Risk management through the SSMP.
Supplemental – Link to Security Magazine article: Why Security Silos are the New Unifier
Part 5 – Product Life-cycle Management Program


From the beginning:

  • Risk Management: What Keeps You Up at Night? Intro


    We all have them. Nights where our brains lock in on some issue that just won’t let us sleep. Hopefully, it is something that can yet be addressed to prevent future sleepless nights. Hopefully, it is not an actual event that now demands a recovery solution.

    If you are reading this blog, you are likely responsible for dealing with organizational or corporate risk management in some form. Judging from the number of views for my teaser post and survey, this topic hits home to a lot of people. So how can we get back to restful nights, where RISKS don’t drain our energy?

    Every organization has a myriad of issues for which they must be prepared. The priority of those risks will also vary depending on circumstances, even within the same organization, site by site and day to day. Any security manager who has been in a prominent position for any length of time has at some point felt like they are standing at the Whack-a-Mole game in the arcade, waiting for the next nasty issue to pop up.

    The successful security professionals must think dynamically at an enterprise level, with a future looking attitude. They no longer think in terms of stand-alone solutions that address one principle. Their responsibilities demand a holistic approach to risk management. Their challenges are no longer met with a chess game approach where you are only dealing with one sequence of events. That analogy only works if you think of them playing 20 or more games simultaneously, and threats from one board can suddenly jump to any other. That is where we live.

    Stay tuned…

  • Risk Management: What Keeps You Up at Night? Part 1


    Before I start discussing the support solutions I had promised in my first post of this series, I want to talk about the responsibilities of operating today’s sophisticated security systems. With much power, comes much responsibility.

    The intent of this series is to reduce anxiety, but it is important to understand that all of the amazing security technologies we have available to us today also bring risks of their own. While these solutions are valuable to address and mitigate specific risks, they must be implemented and managed so that new risks are not introduced to your organization.

    When implementing new systems and technologies, there can be operational risk. Without proper planning and training, security staff can become distracted from their responsibilities in the commotion of figuring out the new systems. Also, poorly implemented systems can create havoc when they interfere with business operations. There is also a potential for liability risk. Without proper policies, training and management, systems that are not utilized correctly can actually create more liability than if you didn’t have them. There are, of course, also technological risks. Since nearly all security systems are now connected through the corporate network, unintended risks may be realized as new vulnerabilities in your infrastructure. There have been too many examples in the last few years of network breaches at major companies that were achieved by exploiting a weakness in a building automation system’s communications. My point in this blog entry is that effective systems operation begins well before any equipment is purchased and continues throughout its operational life.

    For large organizations, the number one factor to help manage the unintended operational risks is to identify and empower personnel with that responsibility. It may be IT staff, a Security Production group, or an external resource, but someone needs to pay attention to systems health and operation. My personal recommendation for larger organizations is to have in-house Production staff. You can review my blog, Take Control: In-house Production Services for more information on that approach. Regardless of whether you develop in-house resources, or engage outside services, there are important solutions that can help monitor and manage your systems. We’ll start that conversation in my next posting.

    After that, we will start looking at solutions that help manage the overall operation of your systems and the information they use. That is what I call the Security Systems Management Platform.

    Stay tuned…


  • Risk Management: What Keeps You Up at Night? Part 2
    PSIM Introduction
    Situational Awareness

    Previously I talked about the unintended risks of managing security systems and technologies. While that is a serious responsibility, there are solutions that can help reduce that anxiety. Now we start getting to the meat of this blog. How you identify and delegate these responsibilities is a separate discussion for another time.

    Nearly all security systems have a means to monitor the health of their critical resources and connected devices. From properly installed end-of-line resistors and video loss detection, to server services and network connectivity, your systems should be installed and configured to detect and report all faults. Fully supervised systems also provide the ability to ensure that operators are monitoring and responding to critical system events. It is crucial to make sure that all the built-in supervisory services are being utilized to help mitigate the risk of inoperable components or processes, by notifying the appropriate personnel when there are failures. While most integrators set up the common capabilities, there are usually many other aspects that get missed. A systems audit by a third-party service is recommended to ensure effective operations and fault monitoring, even if you have in-house staff to manage those responsibilities.

    If you are concerned about the end-to-end health of your systems, you start to realize that there are components and functionality that cannot be monitored through the internal supervision of your security systems. Take electric locks as an example. The Physical Access Control System (PACS) doesn’t have a means to monitor the condition of those devices. We can use events such as “Valid Access No Entry” or latch sensors to possibly monitor that situation, but those are not always effective fault indications. Additionally, there can be circumstances where the system itself has a fault or is not able to detect the failure. I have seen events where a DVR created an internal video stream loop and did not trigger a video loss event. When video was needed to review an event, all that was available was a 20 second clip from an earlier date played over and over. Yes, we still need to configure these features, but sometimes we need additional help. This is where the fun begins.

    The solutions I will be talking about go beyond the basic supervisory capabilities each system can provide on its own. We now have secondary solutions available to identify device outages and sometimes identify trouble before the outage occurs. My definition of a superior support program is when the end user does not even know it exists. When we can get to the point that we identify and resolve potential issues before they fail, risk and anxiety will decrease, while ROI will dramatically increase along with client satisfaction.

    Let’s start by looking at power supplies. There are now power supply systems that provide their own monitoring services and can report when a lock output deviates from its expected voltage or current range. This capability not only helps you know when an electrified locking device fails but may also provide indication before it fails. These power supplies also monitor all their own health aspects and notify support personnel of service events such as battery replacement and inspection schedules. Many PACS are incorporating these power supplies into their own systems to augment their supervisory capabilities and provide unified enclosure panels. The same principles are also applied in power supplies for CCTV, Fire and other security systems.

    One of the newest and most promising solutions for enterprise systems monitoring is the class of tools that provide in-depth supervision of network-attached devices. These systems separately monitor multiple criteria relevant to the health and operation of each device, presenting the information on a dashboard and sending notifications to support staff when thresholds are exceeded. In the example I gave of a video recording that failed due to an internal DVR video loop, the camera bandwidth sensor would have alerted that the stream was below its normal expected bandwidth. Other sensors for IP devices include HTTP status, processor status, CPU load, temperature, voltages, uptime and many other conditions depending on the device. While there are common IT systems that monitor servers, network gear and infrastructure conditions, they do not handle security device monitoring as well. The security device monitoring systems can provide the infrastructure services as well, or just monitor security systems and devices.

    Another tool available to network-based security device management is that of network PoE switches that provide monitoring and control capabilities for attached devices. These switches can provide reports that show operating conditions, diagrams of network architecture, connected device inventory and other valuable system information. When network devices become inoperable or problematic, support staff can cycle the power to that network port remotely, effectively resetting the device to see if that resolves the issue. Additionally, some switches can be configured to automatically cycle power on a port when it detects predetermined bandwidth conditions. If this happens too frequently, it will notify the support staff.
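    The threshold monitoring and rate-limited PoE power-cycling described in the last two paragraphs, as an added example that is not code from the original post or from any vendor product; the device types, sensor names, limits and the telemetry samples are all constructed for illustration:

```python
"""Threshold-based health monitoring for network-attached security devices.

Added example; device types, sensor names, threshold values and the sample
telemetry below are constructed, not taken from any product.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Per-device-type sensor limits: (sensor, rule, limit). "min"/"max" are range
# checks; "eq" is an exact match (the HTTP probe must return 200).
THRESHOLDS: Dict[str, List[Tuple[str, str, float]]] = {
    "camera": [("bandwidth_kbps", "min", 1500.0), ("cpu_load", "max", 85.0),
               ("temp_c", "max", 60.0), ("http_status", "eq", 200)],
    "dvr":    [("cpu_load", "max", 90.0), ("temp_c", "max", 55.0),
               ("uptime_s", "min", 300.0)],
}


@dataclass
class Alert:
    device: str
    sensor: str
    value: Optional[float]
    limit: float
    rule: str


def check_sample(device: str, dtype: str, sample: Dict[str, float]) -> List[Alert]:
    """Compare one telemetry sample against the limits for its device type.

    A missing sensor value is reported as well: an unreachable probe is a
    fault, not a clean reading.
    """
    alerts: List[Alert] = []
    for sensor, rule, limit in THRESHOLDS[dtype]:
        value = sample.get(sensor)
        if value is None:
            alerts.append(Alert(device, sensor, None, limit, "missing"))
            continue
        bad = ((rule == "min" and value < limit) or
               (rule == "max" and value > limit) or
               (rule == "eq" and value != limit))
        if bad:
            alerts.append(Alert(device, sensor, value, limit, rule))
    return alerts


@dataclass
class PoePortPolicy:
    """Automatic PoE power-cycle with a rate limit.

    A port is cycled when the attached camera's stream drops below its
    minimum bandwidth. If the same port would be cycled more than max_cycles
    times within window_s seconds, the policy stops cycling and escalates to
    support staff instead.
    """
    max_cycles: int = 2
    window_s: int = 3600
    history: Dict[str, List[int]] = field(default_factory=dict)

    def request_cycle(self, port: str, now_s: int) -> str:
        recent = [t for t in self.history.get(port, []) if now_s - t < self.window_s]
        if len(recent) >= self.max_cycles:
            self.history[port] = recent
            return "escalate"          # too many resets in the window: notify a human
        recent.append(now_s)
        self.history[port] = recent
        return "cycled"


def monitor(device: str, dtype: str, port: str, samples: List[Dict[str, float]],
            policy: PoePortPolicy) -> List[str]:
    """Run polled samples through the checks and the PoE policy; return an action log."""
    log: List[str] = []
    for sample in samples:
        now = int(sample["ts"])
        for a in check_sample(device, dtype, sample):
            log.append(f"{now} ALERT {a.device} {a.sensor}={a.value} ({a.rule} {a.limit})")
            if dtype == "camera" and a.sensor == "bandwidth_kbps":
                action = policy.request_cycle(port, now)
                log.append(f"{now} {action.upper()} port {port}")
    return log


# Constructed telemetry: a camera whose stream collapses (the recorder is no
# longer pulling video, as in the looping-DVR case) and stays down over
# three polls; on the last poll the HTTP probe also gets no answer.
SAMPLES = [
    {"ts": 0,    "bandwidth_kbps": 2400.0, "cpu_load": 40.0, "temp_c": 48.0, "http_status": 200},
    {"ts": 600,  "bandwidth_kbps": 12.0,   "cpu_load": 41.0, "temp_c": 49.0, "http_status": 200},
    {"ts": 1200, "bandwidth_kbps": 0.0,    "cpu_load": 38.0, "temp_c": 49.0, "http_status": 200},
    {"ts": 1800, "bandwidth_kbps": 0.0,    "cpu_load": 39.0, "temp_c": 50.0},
]

if __name__ == "__main__":
    for line in monitor("cam-lobby-01", "camera", "sw1/port7", SAMPLES, PoePortPolicy()):
        print(line)
```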

    These are just a few examples of great tools to help augment security systems management. The primary objective of developing these capabilities is to reduce risks from system and device outages. The quicker we can identify and correct faults, the less likely a critical event will be further compromised by systems and resource outages.

    We are not done yet. In the next blog, I’ll start talking about the benefits of a Security Systems Management Platform. I believe this is the future of Enterprise Security Risk Management.

    Stay tuned…


  • Risk Management: What Keeps You Up at Night? Part 3


    Throughout this series, I’ve been leading up to this discussion on the Security Systems Management Platform, which is likely a new term to most, but is composed of familiar systems. The concept behind this is not that it replaces any conventional security systems but ties them together with other relevant systems, such as HR and Active Directory, to help produce efficiencies and greater effectiveness which ultimately reduce risk.

    Applied to Physical Security operations, this approach produces benefits to help achieve greater security risk management, but let’s shift to an enterprise approach. By enterprise, I am referring to all activities across the organization in the Physical and Logical realms. The systems you probably recognize are Physical Security Information Management (PSIM) and Physical Identity and Access Management (PIAM), also known as Credential Management. While these systems are starting to blend physical and logical security activities, the Security Systems Management Platform provides those and other capabilities at a truly enterprise level, effectively converging the two realms. For that reason, a better name is Enterprise Security Management Platform (ESMP). In this solution, actual user operations can be as integrated or as isolated as desired for physical and logical activities. Even if IT and Physical Security operations remain independent, they can easily share and collaborate as needed for their respective activities within the Enterprise Security Management Platform. I define this as a platform and not another system because in itself the ESMP is not useful without the systems it connects, and it becomes the platform to support operation of the other systems. Think of the ESMP as the webbing that not only integrates these systems, but assimilates them into a robust, unified security solution.

    An in-depth discussion of the Enterprise Security Management Platform would take a long time, but there are some key principles that really drive its power.

    1. Systems integrations – Through robust connectivity and data management of enterprise systems, the ESMP can retrieve, present and distribute information between systems and users in real time to provide automated or assisted transactions, and to deliver critical data to operators as needed for monitoring and control.
    2. Policy driven processes – Building on corporate policies already in place, the ESMP allows development of automated and assisted processes to manage and direct administration of system resources, as well as event monitoring, response and control.
    3. Automated workflows – ESMP workflows remove manual actions that can be missed and introduce potential for errors. Workflows can provide notification, direction and auditing where manual activity is required.
    4. Role-based assignments – By defining resources, privileges, operations, responsibilities and other operational dependencies based on Roles, errors and omissions are eliminated and administrative efficiencies are achieved.
    5. Enterprise level monitoring & control – Through the integrations with all relevant systems, the highest level of situational awareness is achieved, and event response can be driven across all enterprise systems.
    6. Audits and Reports – With all systems, users, events and actions managed through the ESMP, reports can be created and scheduled to meet any management criteria. Through internal auditing processes, the ESMP alerts staff where risks and compliance deficits exist.

    This is not an exhaustive list of how the Enterprise Security Management Platform helps manage operations but hits key concepts that are used to augment the conventional security systems.

    The conventional physical and logical security systems such as Surveillance, Access Control and Intrusion Detection all address specific concerns. With the supervisory tools we discussed last time to keep them operating at or near 100%, these systems should be able to accomplish their objectives. However, there are administrative activities that also drive effectiveness. Anyone who has worked with these systems for very long understands that they are only as effective as the administrative work that goes into them. In other words, the Human Factor ultimately determines the success of your systems. Another factor that challenges the conventional security systems is that of technology development. Advancements in technology not only benefit productive endeavors, but also malicious activities that threaten the organization. As threats become more sophisticated, so must our solutions to detect, deter, defend and diminish them.

    In the next session, we’ll start to look at some of those risks that can cause anxiety and see how the Enterprise Security Management Platform can help bring them into check and why I believe this is the future of Enterprise Security Risk Management.

    Stay tuned…


  • Risk Management: What Keeps You Up at Night? Part 4

    Welcome back! I hope you are finding this series informative and useful in developing your approach to Security Risk Management. We have covered quite a bit of ground and we are getting to the heart of this series. This blog is primarily looking at risk concerns and tools to address them, but also watch for your September issue of Security magazine. I have an article there challenging the notion that “enterprise silos” are always a bad thing and discussing how the Security Systems Management Platform can help bring unity to the enterprise. As soon as the digital version is available online, I’ll provide a link to it.

    So let’s look at some specific risks and see how the Security Systems (or Enterprise Security) Management Platform can help prevent sleepless nights.

    The Human Factor – On this subject, I am not talking about malicious activity but rather errors, omissions or compliance issues related to manual data entry and administrative processes. If you look back at the list of key concepts to the SSMP, most of them deal with approaches to reduce the human factor or provide means to ensure proper engagement and accuracy. The SSMP not only guides each activity but validates key data points along the way to ensure effective completion. Additionally, by tying employee resources and privileges to roles, a change in position or termination will automatically adjust or remove privileges because of the integration with HR systems, and notify the appropriate managers. The SSMP addresses Regulatory Compliance and Corporate Governance (following business practices to meet company and management objectives), and tightens up security control by ensuring physical and intellectual property are only accessible to those approved.

    Insider Threats, Employee and Contractor – These threats can be difficult to catch because the perpetrators exploit vulnerabilities through their knowledge of systems and practices. An effective solution to this issue is the ability to close those vulnerabilities with the capabilities of the SSMP. It is not that you can’t run a tight ship without the SSMP, but it can be the means to help manage and audit those processes. The additional capabilities it can provide are those of operational analytics and user activity monitoring. Operational analytics is the ability to perform audits across multiple systems to identify conflicting activities. User activity monitoring identifies deviations in a user’s routine and invalid activity attempts to create a “risk score” which can notify management at a threshold level. Many times, because contractors can be more administratively intense, they are not managed as tightly as employees for access privileges. Through contractor management processes, the SSMP can ensure contractor personnel only have access and resource privileges when and where they are needed.
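    The role-driven privilege reconciliation from the Human Factor paragraph and the contractor time-and-place limits from the Insider Threats paragraph, as an added example that is not code from the original post or from any SSMP product; the roles, areas, HR records and badge assignments are constructed for illustration:

```python
"""Reconciling PACS privileges against HR status, role and contractor engagements.

Added example; roles, areas, people and the HR feed below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Role -> areas that role is allowed to enter (constructed).
ROLE_AREAS: Dict[str, Set[str]] = {
    "finance":     {"lobby", "finance-floor"},
    "it-ops":      {"lobby", "server-room"},
    "hvac-vendor": {"lobby", "mechanical-room", "roof"},
}


@dataclass
class Engagement:
    """A contractor's scheduled work: when it runs and which areas it needs."""
    start: date
    end: date
    areas: Set[str]


@dataclass
class Person:
    pid: str
    status: str                              # HR status: "active" or "terminated"
    role: str
    manager: str
    engagement: Optional[Engagement] = None  # set only for contractors


def entitled_areas(p: Person, today: date) -> Set[str]:
    """Areas a person should hold today, derived only from HR and role data.

    Terminated staff get nothing. Contractors get nothing outside their
    engagement window, and inside it only the role areas the engagement needs.
    """
    if p.status != "active":
        return set()
    areas = set(ROLE_AREAS.get(p.role, set()))
    if p.engagement is not None:
        if not (p.engagement.start <= today <= p.engagement.end):
            return set()
        areas &= p.engagement.areas
    return areas


def reconcile(people: List[Person], pacs: Dict[str, Set[str]], today: date
              ) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Compute the corrected PACS assignment and the notifications it triggers.

    Returns (new_assignment, notices). Each privilege change is reported to the
    person's manager; badges with no HR record are revoked and reported to
    security administration.
    """
    new: Dict[str, Set[str]] = {}
    notices: List[str] = []
    known: Set[str] = set()
    for p in people:
        known.add(p.pid)
        want = entitled_areas(p, today)
        have = pacs.get(p.pid, set())
        added, removed = sorted(want - have), sorted(have - want)
        if want:
            new[p.pid] = want
        if added or removed:
            notices.append(f"to {p.manager}: {p.pid} access changed; added={added} removed={removed}")
    for pid in sorted(set(pacs) - known):
        notices.append(f"to security-admin: {pid} has PACS access {sorted(pacs[pid])} but no HR record; revoked")
    return new, notices


# Constructed HR feed and current PACS assignments.
TODAY = date(2024, 3, 20)
PEOPLE = [
    Person("e100", "active", "finance", "mgr-a"),
    Person("e101", "terminated", "it-ops", "mgr-b"),            # left, badge never revoked
    Person("e102", "active", "it-ops", "mgr-b"),                # HR moved e102 from finance to it-ops
    Person("c200", "active", "hvac-vendor", "mgr-c",
           Engagement(date(2024, 3, 1), date(2024, 3, 15), {"lobby", "mechanical-room"})),  # ended
    Person("c201", "active", "hvac-vendor", "mgr-c",
           Engagement(date(2024, 3, 18), date(2024, 3, 29), {"lobby", "roof"})),            # current
]
PACS = {
    "e100": {"lobby", "finance-floor"},
    "e101": {"lobby", "server-room"},
    "e102": {"lobby", "finance-floor"},
    "c200": {"lobby", "mechanical-room"},
    "c201": {"lobby", "roof", "mechanical-room"},  # more than the engagement needs
    "x999": {"server-room"},                        # badge with no HR record
}

if __name__ == "__main__":
    assignment, notes = reconcile(PEOPLE, PACS, TODAY)
    for line in notes:
        print(line)
```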

    Theft of Goods or Assets, Physical and Intellectual – Theft related risks are reduced by the Security Systems Management Platform because of tight integration across all security systems. Surveillance is heightened when information is shared and correlated to create a bigger picture of the enterprise landscape. Some conditions can be automated to alert staff when specific circumstances arise, such as staff presence at one location when their logical access shows they are at a different location. When operating a Security Operations Center, the more supporting data you can provide operators, the more effective they will be. The SSMP notifies operators of critical events and provides visibility to all available surveillance information, a knowledge base of past and current conditions, and directions for response activity. Security will always be about surveillance and the SSMP leverages all systems to create a unified, enterprise approach.

    While we haven’t touched every risk or expanded these applications to their fullest potential, I hope it has demonstrated the benefits of a Security Systems Management Platform and how it is able to augment all aspects of enterprise risk management to achieve unsurpassed capabilities. Yes, there is a cost and time investment to establish an effective Security Systems Management Platform, but the payback can be significant not only in risk reduction, but also cost reductions through labor savings and prevention of compliance violation fines.

    We are winding down in this series, but I have one more topic that I believe is critical to include in this discussion. The effective operation of security systems includes a product life-cycle management program. I’ll discuss what that involves and how it benefits overall security operations next time.

    Don’t forget to watch your mailbox for the September issue of Security magazine and check out my article “Why Security Silos Are the New Unifier.”

    Stay tuned…


  • Risk Management: What Keeps You Up at Night? – Supplemental

    Security Magazine article – Why Security Silos are the New Unifier.

    For my blog contribution this week, I am providing this link to my article in Security Magazine. It fits right in with Part 4, talking about how the Security Systems Management Platform provides bridges between various company resources to provide enterprise level risk management.

  • Risk Management: What Keeps You Up at Night? Part 5 & Series final


    Thanks for following this series. I hope it has been informative and thought provoking. For my final entry in this series, I want to present the product life-cycle management program. This is more than a preventative maintenance program, as it looks at all aspects of maintaining devices and assemblies of one or more security systems. This is another security program approach that takes your operations to the next level, ensuring the highest ROI on systems investments and reducing risks from outages, poor performance and outdated product.

    To effectively manage this program, it is important to have a robust management software application to track all products. Ideally, this solution will include or be integrated with a ticketing system so that all service activities and costs are associated with all components. In the IT realm, ITIL and Service Desk programs provide the inventory and tracking of system components. There are some excellent solutions that are primarily intended for IT management, but can easily be adapted to physical security systems. In the Facility Management realm, there are also some great solutions to provide these activities.

    Along with the management system, it is important to have up-to-date security systems documentation. If your organization has not maintained all as-built documents and devices schedules in a master documentation program, it would be important to start that development as well. This may take some time and money to establish, but will provide long-term benefits for your production program. If device schedules have not been maintained, you should be able to produce configuration reports from your security systems to establish your device and assembly inventories. Some components will track as individual devices such as cameras, where assemblies will refer to multiple devices that make up a security location, such as an access controlled door. Even in an assembly, specific devices like card readers and electric locking devices will be tracked for activity and cost.

    For each device, the life-cycle management system tracks warranty periods, identifies preventative maintenance schedules, reports total cost of services and helps to track repeat repairs that could identify other issues that need to be addressed. The system provides notifications to appropriate staff for all tasks and events. Device profiles are developed for each type of device and assembly to define scheduling, tracking requirements and life expectancies. As a device reaches the end of its life-expectancy, the system can help determine when the optimum replacement time is pending. Reports can provide predictable costs for budgeting purposes in upcoming years.

    As a final thought on product life-cycle management, many organizations develop financial mechanisms to help manage long-term operational costs. This approach may have a variety of titles, but an escrow best describes the concept. Typically, initial purchases are made with capital funds and then those costs are divided by the number of months in the life expectancy to identify a regular operational budget amount which is set aside for replacement costs. This program can be applied to existing products, but obviously will have a higher operational budget to compensate for the product’s history. Your IT department may already have a financial mechanism to accomplish this.


    This blog series has primarily been about physical security solutions and management processes, but hopefully it has provided some insights you can use to address issues that cause risk anxiety. My primary objective has been to drive discussions and developments around the big picture of enterprise risk management. I always appreciate comments and personal experiences related to these topics. Of course, I am available to help your organization develop any of these solutions.




  • Chasing Tech: Physical Security Distractions

    “We have our physical security program well under control with all risks in check,” said no security manager, ever.

    Aside from the demand of security responsibilities it is human nature not to be satisfied with the status quo, and especially in our current society.  If that were not so, there would be no commercials on TV, radio or (insert your favorite social media).  Physical security is no different.  Sure, the motivations are different and likely appropriate, but the push for the next great thing is still there.  If I just had that AI embedded, video facial recognition, biometric access, false immune, self-monitored, automated enrollment… uh, what was I talking about?  Oh yes, distractions.  Ok, that may be a very sarcastic view of new technology, but I think you get the point.  Before I alienate my manufacturing friends, let me say that progress and technology advancements are a good thing, and you definitely don’t want to be herding dinosaur bones, but where is the balance?  Let’s take a look at the big picture of physical security management through the lenses of three common pitfalls, and then we’ll look at the well-focused approach.

    Lens 1. Wide-angle

    This approach is many times called the whack-a-mole approach, where you try to engage everything that pops up with the same priority. This is also the mile-wide, inch-thick mentality. These managers cover a lot of territory, but not very effectively. Whatever you call this approach to new technology engagement, the results tend to be a lot of money spent with very little value to show for it. There is not enough effort put into implementation, training and process development, and even if the new solutions somehow manage to remain in operation, they don’t meet their full potential. The risk is that everything has holes and vulnerabilities because it never matured in operations.

    Lens 2. Telephoto

    The other end of the spectrum is the approach where security managers spend their time chasing “bleeding-edge” technology, but never pull the trigger because something else comes along before the last one matures. Squirrel! If a new solution does somehow get implemented, again, it has not been developed and established well enough to become a valuable part of the operation, and usually presents more risks than it resolves.

    Lens 3. Hey, the cap is still on!

    This security manager is oblivious and just keeps plugging along with what they have. They may have everything operating at top performance, but the world has passed them by. The risk in this scenario is that anyone can buy a hack for the old technology, and processes can’t plug the holes anymore. Lack of time or budget are usually the excuses given, but sooner or later an event will occur that will cost even more time and money.

    Now let’s consider a well-focused, varifocal approach.  

    The balanced security manager is not distracted by the next big thing, nor are they scrambling to address all challenges simultaneously, but they are trying to be pro-active.  Wisdom tells them to evaluate their security environment, identify and prioritize the risks and then find the most effective approach to mitigate each risk appropriate to the need.  They identify the needs then identify the solution, rather than buying a tool and then trying to find the problem to fix with it.  Sometimes new technology is the best solution, but other times it may just require refitting existing resources with new processes.  In both approaches, developing a thorough program that defines objectives, provides training, documents implementation procedures and generates accountability will win the day.  

    There are times where a new product will present itself as a possible solution to a known operational challenge.  In this scenario, it is appropriate to investigate that opportunity based on the need and priority that has already been identified.  It must not distract from higher priorities. 

    It can be tempting to try and do all this work internally, but that is not always the best approach. Engaging an outside, unbiased resource can help see through the day-to-day routine, and will have the time and experience to help develop these programs, ensuring the highest level of success. Advanced Security Consulting can help you see the big picture and focus on what is important for your security operations.

  • Mental Radar

    I am deviating from my typical technical topics to think about our approach to responsibilities in life. I’m not sure what caused me to develop this, but I felt it was worth sharing.

    In the security industry, we all understand the concept of situational awareness, at least when it comes to securing people and property.  But situational awareness should be a priority in all areas of life.  In other words, the opposite of clueless!  In sports the great athletes are the ones who “see” the whole field or court and are able to make great adjustments in real-time.  They know where the issues and the opportunities are going to be, and they are able to stay ahead of the game.

    When I was teaching my kids to drive, I tried to get them to visualize their environment and create a “radar screen” in their mind from their entire vision including mirrors.  Even though they may not be looking at all the cars or obstacles around them, they mentally realize where they are and then update that image from each new glance.  Of course, car companies are building the cars to do that for us now, but the human ability is no less important.

    Situational awareness as a human trait is stronger in some than others.  To a point it can be learned, but it always requires focus.  Some people can appear to focus on multiple tasks, but one will always distract from another.  One person may be able to aptly manage 5 activities simultaneously better than others can manage one, but to do the best at anything requires focus on that one thing.  I was reminded of this recently when rereading Peter Drucker’s timeless book, The Effective Executive, which is probably what started me on this blog topic.

    There are so many applications here that it is hard to pick a single direction, but my point in this blog is simply to bring awareness to the concept of awareness in all areas of life.  Develop that same ability you used to excel in sports, business or whatever, to also build your family life, spiritual well-being, health and yes, your driving.

    I believe one of my gifts is the ability to create a mental radar of the activities I am involved with, whether developing and managing security systems, finding my way around a new town or engaging in a group collaboration.  Being able to visualize the big picture helps me to understand the objectives and challenges and achieve the best outcome.  I admit, I can do better at this in some areas of my life.

    The bottom line is, it is a choice.  We can go through life oblivious or make the effort to fully engage in each of our environments and bring out the best in all of them.

    Ecclesiastes 9:10 Whatever your hand finds to do, do it with your might…

  • Door Hardware Headaches: Some Things Never Change


    With all the new technology we have at our fingertips today, it is still the field hardware that seems to cause the most challenges in project development and installation. Even though it is not my most valuable skill, nor is it my favorite activity, I’m pretty sure I could retire quite wealthy if project managers would just hire me to review and correct door hardware schedules for their card access control applications. Part of the challenge is that there are usually at least 5 trades involved in the construction of access control doors: architect, security, door hardware, construction, electrical, and sometimes even a low-voltage contractor. Additionally, the door hardware is seldom available from a single manufacturer or supplied through a single vendor. An experienced security contractor typically has the best handle on coordination, but many times they are not engaged until most of the hardware is already purchased. Unfortunately, unless someone who really understands how everything fits together gets involved early on, most issues end up getting resolved through change order after change order, or at the end of the project.

    While some manufacturers have good tools to help piece applications together, they are limited to their own products. The biggest asset to effective door configuration always starts with a Sequence of Operation that addresses how the door is expected to work to meet the operational and security needs. Even that takes a certain skill to understand and document all the functional aspects of more complex door assemblies. From the SOO, the proper hardware and installation can be specified and detailed. Of course, aesthetics, finishes and construction techniques always play a part and will limit the hardware and vice versa. There is always a trade-off between looks and operation that should be determined early on in project design.

    There are many aspects of door configuration that have to be considered, such as codes, swing, handing, latching mechanism, egress requirements, wire routing, power supplies, frame and door type, sensor placement, etc., etc. Just about the time you think you have everything figured out, a new building code pops up and you’re back to the drawing board. Those details affect the plans and materials provided by each of the contractors involved in a project. Doors and frames are prepped at the factory for the hardware to be installed.  Conduit is run to the rough-in location of devices.  Locking hardware is ordered to meet the design, and security equipment is configured to control the hardware.  If you don’t get the details right to start with, project costs can quickly get out of hand resolving them during construction. All this discussion is to show one example where engagement of a security consultant such as Advanced Security Consulting will likely save money and time on the overall project, and will definitely reduce headaches.