When you ask a security expert to perform a security assessment and risk analysis, you’re bringing in a consultant, and paying them to give you their professional opinion and recommendations for making your site more secure.
But what if, after the assessment and analysis, you don’t agree with the results? What if the security recommendations are at odds with your organization’s brand, site, or culture?
It can be jarring when a security expert makes recommendations you don’t want to implement, but it’s important to understand that you do have options when you don’t agree with the results of a security assessment and risk analysis.
What happens when a business doesn’t agree with security recommendations?
We once performed a risk assessment of a utility company's payment center. The organization was renovating its lobby. It wanted the renovated space to be more secure, but it also wanted to keep an open, friendly, and welcoming feeling at the site.
During the assessment, we discovered that there had recently been several armed robberies in the neighborhood, so we asked the payment center’s tellers how they felt. They were worried about their safety. They often saw angry customers, people who were upset about high utility bills, and had already received threats. The tellers felt it was only a matter of time before a disgruntled customer came in with a gun.
Based on these concerns, we recommended a much more protective environment in the payment center lobby to make sure the tellers were well protected: bulletproof glass and other obvious physical security measures. The utility company didn't like it, because it had wanted a friendly environment.
So what are their options in this scenario? Must they do everything we suggested or do they just ignore our report?
What to do when you don’t agree with the results of a security assessment
The first thing to understand is that it's not a black-and-white choice: an organization doesn't have to follow recommendations to the letter, nor should it simply ignore a report it doesn't like. The first thing you should do when faced with security recommendations you don't want to implement is simple: say something.
Remember, an assessment should be about the objective (keeping your people from being shot), not the specific countermeasures (bulletproof glass).
If a security assessment suggests a countermeasure that's at odds with your culture, ask whether there's another way to achieve the same objective. So, if a security expert says you need bulletproof glass in your lobby, ask them what other countermeasures will achieve the same objective. A good consultant will offer a variety of suggestions. They might suggest having a security officer at the door, or an unobtrusive weapons detection system hidden in the wall, such as a PATSCAN system. There may also be ways to arrange your lobby that make it safer for your employees and visitors.
The important thing to know is that there are almost always multiple ways to achieve a security objective. If your consultant is married to only the countermeasures they’ve suggested, it may be time for a second opinion.
Security consultants are not always right. You wouldn’t keep seeing a doctor if you didn’t agree with their diagnosis, so find another professional and see what they say.
It's important to be careful when you choose a second security expert, however. Some experts are more interested in keeping you happy than keeping you safe, and will ask you up front what you want your security recommendations to say before writing a report to suit. That's ethically wrong, and it creates a false sense of security for you and your employees. You may not have liked the first set of recommendations, but if a second expert seems to be pandering to you, treat that as a red flag. (If the second opinion matches the first, it may be time to accept that you're wrong and need to implement some protective measures, even if you don't like them.)
The security expert isn’t always right
Sometimes security experts treat their recommendations as gospel: absolute prescriptions that must be enforced to the letter. They aren't, and treating them that way is a failing of the physical security industry, which needs to improve its reporting process.
As the customer, you should of course always act on a recommendation that protects your people. But when it comes to how, you should be given options, so you can choose how to keep your site safe.
Interested in the need for change in the security industry? Be on the lookout for the CSO Risk Council’s upcoming ebook about embracing a culture of risk in your organization.