When it comes to the application of security measures there are many different ways of doing the same thing; some mandated, some not, and some based on best practice. But one thing is for certain: one size doesn’t fit all. Or does it? Let’s take a look at some of the processes that are out there.
Security by the book
I am ex-military, and the application of security in the military was relatively straightforward. There was a manual that told you what you had to do: the Joint Service Publication (JSP) 440, the Defence Manual of Security in 3 volumes.
Volume 1 covered the principles of protective security, the responsibilities of those concerned with applying them, and physical security policy. Volume 2 was about personnel security policy including the vetting system, line manager responsibility and travel security. Finally, Volume 3 gave guidance and policy on the security of Communications and Information Systems (CIS).
However, there is one thing wrong with this approach to security: it demands that you take action no matter what the circumstances, rather than in response to the threat. There is a fundamental question that has to be asked when approaching any security requirement: is there a threat at all? And if there is no threat, why put a lock on the door?
The military is not the only organisation with mandated security standards based primarily on a generic risk, with the ability to scale up or down as the threat changes.
The active threat management security approach
The UK Civil Aviation Authority (CAA) has been responsible for aviation security regulatory activity and compliance monitoring since 2014, after these functions were transferred from the UK Department for Transport (DfT). Both retain a responsibility for aviation security, and their respective present roles are set out in a Memorandum of Understanding and its annexed Statement of Responsibilities. In the UK, just before Christmas, this approach was found to be wanting when Gatwick Airport was closed for 36 hours because of illegal drone overflights. The police have still not apprehended any suspects.
The inconsistencies get worse. Last year, the UK Home Office, on behalf of Her Majesty’s Prison and Probation Service (HMPPS), put out a tender for technology solutions to enable prison visitors to be logged and verified. This need came about as the authorities learned that some visitors were using multiple identities and acting as drug and contraband mules, delivering items to prisoners in different prisons through normal prison visits. The existing security processes couldn’t verify individuals’ identities or gather identity intelligence for use in other prisons.
Lee Doddridge, from leading security consultancy Covenant, said, “You must understand each sector you support and work closely with all key stakeholders. Once you understand the requirements, produce a Security Needs Analysis and complement this with a detailed Security, Threat and Risk Assessment.” He goes on to add that only after having done those would you be able to properly identify the level of security required, balanced against any identified risks.
“The security needs for one customer can be markedly different from those of another, even if at the same location. For example, the threat to a prison will be very different to a school, but both have security requirements.”
Developing a culture of security across industries
This all seems obvious, but organisations with regulated security tend to apply the regulations by the book. Organisations without mandated, regulated security base their answers on assessments carried out by consultants, and here is where the dilemma lies. If a consultant has come from a regulated industry, they often adopt those same processes; if they haven’t, they tend to look at the risk and provide a more appropriate solution.
Andy Blackwell, former head of Security with Virgin Atlantic and now a registered independent security consultant, argues that the two approaches described above don’t have to be mutually exclusive. Andy, who comes from the tightly regulated aviation sector, says, “In a regulated industry, a risk-based approach to security can certainly help reduce costs and improve efficiencies by targeting security measures appropriately and measuring their performance.”
He advocates a Security Management System (SeMS) approach – proven in aviation but adaptable to any industry. Similar in concept to the physical security industry’s celebrated ESRM approach, it advocates the proactive development and maintenance of an ‘effective oversight and quality assurance process within your organisation.’ Like ESRM, it emphasises the importance of building and sustaining a culture of security.
Andy goes on to add that ‘being compliant with regulation alone doesn’t necessarily mean that all security risks have been identified and are being managed. A SeMS approach will deliver peace of mind to organisations.’
Risk-based security assessment
Lee Doddridge agreed with Andy Blackwell when he said, “We use a security risk management tool called VSAT, the Vulnerability Self Assessment Tool. VSAT enables you to conduct a security audit to the UK Government and internationally recognised standards. By answering a number of detailed questions on a range of security related areas, you can quickly, effectively and efficiently understand the level of risk you might be carrying on one or more of your sites. This allows for a totally risk-based approach and can take into account regulatory standards as necessary.”
In conclusion, whether in a regulated industry or not, a risk-based approach seems to be the most cost-effective and sensible way to apply security measures.