As a security consultant, you’ve spent years building your expertise in physical risk and security. You’re a trusted resource that your clients depend on to get accurate evaluations of their risks and vulnerabilities. But chances are, you’re forgetting important considerations during your on-site risk assessments.
An incomplete assessment means your clients aren’t getting everything they need to reduce the risks and vulnerabilities at their facilities. Here are some of the most common things security consultants forget about. Are you forgetting any of these?
It’s your job to help your clients make it increasingly difficult for an adversary to get to an asset by maintaining each layer of security: deter, detect, deny, delay, defend. But outdoor perimeter security is one of the most overlooked areas of physical security.
It’s easy to get distracted. Security consultants tend to focus entirely on the point of contact’s (POC’s) greatest concerns during the interview. Often the first thing they do is ask about any recent incidents or major concerns. The POC might mention something like the latest headlines or a rash of thefts they have had. The consultant asks for details, and before you know it the layers of perimeter security get pushed aside to deal with the POC’s worries.
It’s important to address your client’s concerns, but it’s critical that they reduce the highest priority risks—and those may not be the same thing.
So how do you listen to your customer without dropping perimeter security? Here’s what I do. I start with a full risk analysis—I look at both the threat and impact assessment to determine the most severe and the most probable events that might occur. Then, I ask if they have had any incidents occur within those events.
I’ll then adapt my vulnerability assessment process surrounding the most severe and most probable events identified. That way I can key-in on the high-impact things that really will disrupt their services or products, while also focusing on the highly probable issues that they face.
Always consider your client’s concerns, but never let them distract from proper security and protection.
Time of Day, Time of Year
What time of day do you conduct inspections for risk assessments? At the start of the workday? Evening? Whenever your schedule matches your client’s availability?
Conditions change during the day, and various physical risks and vulnerabilities become clear under different conditions. Peak times bring out different risks than slow times. Night hours reveal different vulnerabilities than daylight does.
Weather impacts the risk of a facility as well. Conditions are different on rainy days or snowy days than when it’s dry and sunny. Heat waves are the deadliest natural phenomenon—can your client’s facility handle soaring temperatures as well as blizzards or tornadoes?
Events can occur at any time—not just during work hours. Don’t settle for a one-and-done site visit. Your client needs a 360-degree risk assessment that reveals all of their issues.
Most security consultants produce reports that nobody actually uses. Customers don’t take any action on the findings, because reports aren’t actionable. They’re reviewable, but they’re not actionable.
That’s the Number One problem: getting customers from awareness to action. They’re aware of their problems, but now they need to correct their problems. Paper-based reports do a great job of providing information, but they don’t spur customers to actually make improvements.
Your client needs to identify the problem, assign it to someone, make the improvement and mark it done. And they need to do that for every issue. But only a project management system (PMS) is capable of doing that kind of tracking. When your report comes to the customer, all they can do is the first step—identify the problems. But the security industry doesn’t have a widely adopted PMS to help your clients move through all the steps in the improvements.
We’re not actually helping our clients reduce security risks.
Circadian Risk assessment software comes with an automated corrective action plan. With Circadian Risk, your clients can view each issue, see the recommended fix, assign it, prioritize it, set a cost, select a due date, and resolve it.
When you give your clients a Circadian Risk report under your own brand, you give them the tools no other security professional in the industry is providing.
Risk is dynamic, and it changes based on the assets (including people) on the premises. Special events can introduce new risks, and the facility should be assessed for those risks before each event.
For example, a high school’s risk level is lower when the building is empty. Risk increases during the school day, and it increases even more at Homecoming, graduation, or at a pep rally when all the students are in one location. Likewise, Friday night football games have a different set of risks than the school’s science fair day.
Events aren’t limited to programs, either. Anything that impacts an organization’s life is an event. For example:
- Road construction in front of the building
- A nasty round of layoffs
- A fire next door
- A rash of thefts in the area
- Political rallies down the street
Every physical risk and vulnerability assessment you conduct should consider planned events and potential unplanned events. And if your client is planning an event, recommend an assessment for the event itself.
Handpicked related content: How Often Should You Do a Risk Analysis? More Often Than You Think
Be the Top-Shelf Security Expert for Clients
When you include these four considerations in your physical risk assessments, you can provide a service other security professionals don’t. Circadian Risk can be your partner in providing that extended level of service.
Get more tips for your security consulting business—subscribe to the Circadian Risk blog.