Cybersecurity is Constantly Assessing Risk. Physical Security Should Do the Same

How often does your organization assess your physical risk? Annually? Every six months?

Now, how often do you assess your cyber risk? Probably on an ongoing basis, right?

Cybersecurity experts recommend that risk be formally assessed on at least an annual basis, but due to the fast-evolving tactics used by cyber criminals and the high financial stakes, organizations should monitor cyber risk much more often, ideally continually.

What if I told you physical security should do the same?

Cybersecurity and risk

The average cost of a data breach in 2023 is $4.45 million. The longer a breach goes undetected, the more it will cost, so companies are particularly invested in detecting suspicious activity quickly. More than half of companies surveyed by IBM are planning to increase their cybersecurity spending this year as the result of a breach.

The financial and reputational repercussions of a data breach or attack, as well as data privacy regulations like GDPR mean that many of the teams assessing cybersecurity are constantly scanning for new threats and trying to understand the probability of risks. Many of the cybersecurity tools in the tech stack are specifically developed to assess risk, often in real time or on a continuous basis.

Why aren’t we doing the same thing with physical risk?

Physical risk is just as serious as cyber risk

I’ve heard people say that physical risk is not as serious as cyber risk, but there are plenty of physical risk scenarios on par with the threat of a cyber attack. The prototype of a product you’re developing might be stolen and sold to a competitor. Your CEO might be kidnapped. An active shooter might enter your building.

All of these scenarios come with significant physical, financial, and reputational risk, and can have a huge impact on your company. Also, just as cyber risk evolves, so does physical risk. Certain trends are worth monitoring, as are the changing tools, tactics, and procedures (TTP) of the criminals most likely to target your business.

Why doesn’t the physical security industry analyze risk the way the cybersecurity industry does?

Most physical security experts don’t truly understand risk. They’ve spent their entire careers focused on physical security, but not on risk analysis. There is a huge difference between security and risk.

• Physical security focuses on the response to a threat. As the precursor to policing, security has always been reactive. Security officers were employed to respond to threats and protect assets. While risk was assumed, it was never analyzed. This began to change in the 1990s when active shooters started to ramp up, but most physical security experts have not been trained in risk management. In fact, the term “enterprise security risk management” was only coined in the late 2010s.

• Risk is concerned with proactively identifying and preventing threats. This means foreseeable threats are analyzed to determine which are most likely. Cybersecurity experts need to understand risk. Unlike physical security experts, cybersecurity professionals can’t see their attacker approaching. For this reason, they analyze foreseeable risk to understand what is most likely.

How often should you assess physical risk?

If you can reasonably imagine something happening, it’s foreseeable. If it’s likely to happen, it’s probable. If you’re ignoring something that can happen because it hasn’t happened at your site before, you’re opening yourself up to risk.

We should take a page from the cybersecurity playbook, and be proactive about risk analysis, and that means evaluating your site’s risk every day. Daily risk assessments may sound like a tall order if you’re used to annual risk assessments, but it’s not — if you’re using digital solutions, your officers can assess risk on their rounds. They’re already on patrol, and can easily use a tablet to assess physical risk by using a checklist and taking photos of potential risks.

How to do daily risk assessments

Circadian Risk’s platform makes it easy to do daily risk assessments. Our mobile app generates automatic reports from the data you capture during your inspection. There’s virtually no writing to do, and you can cut your report time by 80%.

It’s the only solution that lets you:

• Create effective, comprehensive reports in record time

• Tag every vulnerability, risk, and compliance issue on the premises

• Track and assign improvements with a detailed corrective action plan

• Analyze risk over time

Circadian Risk can help you keep your clients safe—and more affordably than any other method. Find out more about our solution.

About the Author

Daniel Young

Founder & Chief Innovation Officer

Daniel has been a security and risk advisor for more than 10 years, and is passionate about helping companies to better understand their risks to undesirable events on a daily basis. Dan previously served as the Regional Bioterrorism Coordinator for District 1 in Michigan, where he was instrumental in preparing communities for catastrophic incidents. He has also acted as the Private Security Liaison for the City of Lansing’s Critical Infrastructure Team, which identified and documented deficiencies in the city’s critical infrastructure.

He is a Co-Founder of the CSO Risk Council, a think tank of seasoned security professionals and thought leaders with extensive experience in managing the physical security and risks of large enterprises consisting of multiple sites and whose mission is to create a better process to develop and share innovative solutions and pertinent information with organizations to improve safety and security risk by providing a forum to discuss best practices and recommendations for specific risk scenarios and to network with other enterprise security professionals.