Security today

Risk UK talks to IJA about the changing face of security

What challenges do you face as security professionals on a day to day basis?

The personal challenges for any security consultant is keeping abreast of the latest techniques in security risk management, the updates to existing or the emergence of new legislation, innovations in security technology, and the ever-changing nature of threat and risk.  As a security and risk management consultant you are expected to have more than a basic knowledge of the various fields of security, and the experience to be able to advise those with security function. 

Aside from having the knowledge and expertise to advise clients on security matters, you are also required to have a certain understanding of business operations.  Producing recommendations to clients is only half the story.  Producing recommendations that boards see as more than just an expenditure, is a challenge in itself.  Being independent can help, though.  We are not under any pressure to sell products or use companies who can’t provide exactly what the client needs, and at the best price we can secure for them.  It is still, however, about understanding the customer’s requirements; both in terms of where their security arrangements leave them vulnerable, and what they actually need to allow the company to operate at its best within the budgets they have.

What part has the role of regulation played in the challenges to the industry?

The security industry has traditionally been type-cast in the minds of those who don’t operate within it, and much of this has been from the negative publicity it has had within the media. Wheel clampers, door supervisors and, to some extent, security guards were synonymous with the few within those sectors who operated sometimes outside of the law. This reputation did not help to attract the right types of people, or the levels of pay required to attract them.  As such, the situation could not improve without outside influences.  

At the other end of the scale were those involved in the ‘dark arts’ of investigations and risk management, and who’s language and practices often baffled clients. The introduction of proper background checks and training, and a set of identifiable competencies is a step closer to bringing a sense of professionalism to the security function. With this has come a certain amount of communication and understanding between those operating within the security industry and those they serve. Whilst there is still a long way to go before the ‘outside world’ truly recognises security as a ‘profession’ and not just a job, the image of many of the higher profile sectors is finally improving.

And how do you see your role evolving with the changes to the industry?

As advisors to many corporate clients, we have seen the need to guide clients through the various changes that are occurring to ensure compliance with the emerging legislation, and to manage periods of transition without negatively impacting business operations. As the industry changes, be it through regulation, legislations, or the evolving nature of threat and risk, consultants will need to adapt with it. We see the role of consultant as a challenging one, and long will it continue to be so, but it is a challenge our consultants continue to enjoy.

With talk of a recession, what affects do you think this might have on the industry?

There is no doubting that a slow down in the money markets tends to affect all businesses.  The natural reaction is for companies to tighten their belts.  Budgets often decrease, especially in areas that are often seen as ‘un-necessary’ expenditure.  When budgets are under review it is easy for the economists to see no point in spending huge amounts on security if the company never has a security issue.  If those people reviewing the budgets do not have a real understanding of the consequences of a possible threat in terms of losses not just in terms of assets but also in terms of lost time and damage to reputation.  Those that have experienced a security breach may only view the expenditure for risk prevention and mitigation as merely a cost rather than a benefit.  It is the task of the security expert to demonstrate the value of good security, and to ensure that all funds have been well spent.  Inevitably some companies will make the cuts, and we may see some reduction in investment in security goods or services. 

There is, however, also a flip side to this.  During periods of recession, we have seen many businesses looking to increase their competitive edge when fighting for their stake of the decreasing market.  In those situations, it can often be the case that budgets allocated to security are reviewed and actually increased, to prevent their intellectual property, financial or client information being compromised in any way.  It is often at times like these, that our Electronic Counter Measures (debugging) teams are at their busiest, and we see a surge in clients requesting security reviews and office penetration tests, to see how easy it is to gain access to company information or assets, and what security measures might need to be improved upon.

So what security products or services do you feel will suffer as a result of a recession?

It is always difficult to be 100% accurate when estimating how markets or people will react, however, during the last recession it appeared to us that the worst hit was the building trade which in turn meant a decrease in large design and system installation projects on new build sites.  With the building contracts already starting for the 2012 Olympics, and given that those unable to move to new premises will possibly be looking to make the most of their space by either sub-letting or refurbishing, it is likely there will still be plenty of systems design projects around.

Those that will be most affected by the recession will be those that are unable to adapt to the market changes.  Those companies who only provide one service, or cater for one type of client will be most at risk.  As a client led organisation, we at IJA have provided services in response to demand, and as such, the types or projects we work on vary from month to month, and year to year, which keeps it interesting for us, and keeps us on our toes.

Having conducted a risk assessment for a company, what would you say are the best methods for addressing the threats and risks you have identified?

Much of how an individual or even a company chooses to respond to threats and risks that they face, will depend upon various issues such as experience, preferences, time, and of course budget. 

The often quoted options you can choose from are ‘acceptance’, ‘avoidance’, ‘transfer’, ‘mitigation’ and ‘prevention’.  Each of these options, will be decided once the probability and impact that each of the risks would have on the company have been calculated.  From here the priority levels will be set, and the methods for addressing the risk will be assigned.  For low probability, low impact risks, the company may choose to accept the risk, and not attempt to put any time or resource towards protecting the company from it or it’s impact.  For those with a higher probability or a significant impact, it is hoped that the company would choose to spend a good deal of the budget on preventing, avoiding or reducing the impact of risk.  Where companies feel they do not have the ability or expertise to bring in measures to address the risk, they will inevitably choose the risk transfer route.

Which options would recommend to your clients are the best?

In all cases prevention is the best option, but obviously reducing the impact or likelihood through mitigation methods is also high on every agenda.  There are few areas where risk avoidance is in reality an option, as in most situations the business case has already proven to outweigh the risk for the board to have pursued the course of action/market that exposes them to that risk.  There are some very obvious threats and risks for which risk transfer is an option, such as the impact that a flood or terrorist attack would have on the business.  In these situations some of the burden of financial cost that would result from such a problem can be transferred through insurance.

We would always, however, suggest that transferring risk either through transferring the costs of an impact (like in the situation mentioned above) to an insurance company, or if transferring responsibility for risk prevention or mitigation measures to other companies, that the clients make sure the legal structures are in place to make this work.  We are seeing more and more cases where insurance companies, are unhappy with paying out compensation for breaches in security as a result of poor security measures.   It is important that the management realise that the courts no longer believe that responsibility for ensuring adequate security is entirely transferred, when the company decides to outsource responsibility for security systems or services.  In essence, each company should make sure that as far as possible risk transfer should not be used as a back up for risk taking.

With many new security systems falling under an IT remit and guarding services under a facilities remit, where will independent security consultants fit in to an overall business plan?

For those companies where there is less emphasis placed on the need for security as a separate management skill, a facilities manager or IT department often manages it as an additional function to their own particular expertise. In those situations IJA can work in support and allow these people to dedicate more time to their main role by offering expert knowledge and advice to ensure that the security needs are being adequately addressed, particularly with the ever-changing technology, legislation and British or European standards. IJA are dedicated solely to security issues and solutions, and can call upon over twenty years of consultancy experience in the industry, to many corporate clients.

Businesses are becoming ever more accountable to owners and shareholders, and also in the eyes of the law. A progressive thinking facilities/IT manager will engage a consultant to evaluate and make recommendations so that, he or she can report confidently to superiors that all the risks have been identified and that appropriate controlling measures are either in place or are required. Thus giving them added impetus when seeking additional budget for immediate or future needs, and for providing the necessary security to protect the business and prevent any potential for litigation and shareholder action against the company.

With some companies employing their own security function is there a role in the future for security consultants?

Current repeat and new business indications clearly show there is a continuing demand for independent expert consultants. Whilst some of the larger companies continue to have their own corporate security management, IJA are often approached by these companies and  their managers to review or audit their existing policies and procedures or to provide an ongoing security health-check.  We can then tweak and complement what has been previously established or if necessary offer a complete overhaul in line with modern thought and best practice. Some managers even use an independent consultant to reinforce a message they have been trying to make!  We also offer more specialised high level security services that even the largest corporate bodies do not need on a permanent basis but occasionally require. Whilst we are working with clients, we may be able to give a previously unaddressed perspective on non-security related projects that help to safeguard brand image and reputation as well as people and assets.

For more information on IJA's range of services or to speak to a consultant: email info@ija.co.uk or call 0845 370 5433