The most effective security planning begins with installation design.  A pre-installation Risk assessment via a Security Site Survey guarantees efficiency and reduces the organization’s future costs.   An interview with Uri Aharoni, Physical Security Expert.

A leading telecommunications company with more than 2,000 employees in its headquarters in Eastern Europe received two bomb threats in just one week. On each occasion, the company decided to immediately evacuate the building as a precautionary measure, suspending work for more than five hours each time, and costing the company of almost one million Euros in losses.

After the incident, the management decided that the company’s security planning needed to be reconsidered. They sought out the help of an external security consultant who specialized in risk-assessment and security planning. At the start of the program, the consultant provided the security staff with the necessary tools to analyze the nature of the anonymous calls and to distinguish those that posed a real risk from those that were simply prank calls.

Several months later, that same telecommunications company received another bomb scare. This time, security personnel used the tools provided to them by the consultant’s training, and reached the conclusion that the call was indeed a prank call. They did not evacuate the building, work continued without interruption, and the company saved more than 500,000 Euros.

“This is just one of many examples proving that risk assessment contributes to efficient decision-making, and reduces a company’s costs”, explains Uri Aharoni, a physical security expert who served over 25 years with the Israel Security Agency, and over 10 years of experience as a security consultant in various countries.   The number of private and public organizations in the world who carry out risk-analyses is growing. Their aim is to uncover and reduce the company’s level of vulnerability before they are threatened, thus maximizing protection against potential risks.

Another example: a high-security enterprise that used fixed, daily access-control measures for the entrance of 600 employees noticed that this process contributed to the loss of about 1,000 hours per month. The management contracted the services of an external security consultant who assessed their access control processes, and then made recommendations as to how to improve their system.   Over the course of three days the consultant observed the daily and nightly access-control procedures. He then suggested that the company invest in more advanced access-control technologies, and train staff in selective screening. The initial cost of the proposed solution was equivalent to eight months of expenses using the old access-control measures.

There were several crucial benefits: The process reduced the initial time-demand by 60-70%, within several months the company realized a Return on Investment, employees were happier because they no longer had to wait in long lines to enter the workplace, the company saved money, and productivity was maximized.

What are the advantages to an organization that chooses a Risk assessment, and what are the consequences to a company that does not implement a Security Site Survey?

Every company has resources that it must protect. This includes physical assets, such as products, equipment and inventory; information assets such as data and system infrastructure; and the staff and personnel who are the human assets.   Those organizations that choose to not conduct an independent Risk assessment are essentially in the hands of those installation and security guard subcontractors, whose interests are not necessarily in parallel with those of the company. For example, a subcontractor may install expensive, advanced technologies that don’t necessarily match a company’s specific needs. Likewise, installation may turn defective due to lack of proper inspection and/or supervision. In many cases, the final system does not meet the company’s true needs.   On the other hand, an organization that decides to entrust the survey and planning of their security system to the hands of contracted experts, can be sure that it will receive the best solution tailored to meet the organization’s specific needs and characteristics, which is a guarantee of efficiency and savings over the short and long run.  

In which parts of the world do companies undergo Risk-Analyses?

In general, high-crime areas tend to carry out Security Site Surveys more frequently than low-crime, non-threatened regions. It’s safe to say that the greatest demand is in Latin America, Eastern Europe, and Africa. In recent years the United States has increased its demand for this service, generally contracting local consultants.   There is less demand in Western Europe because in general these areas experience low crime rates.  

How is the global economic crisis affecting the demand for this type of service?

As we know, companies tend to save in those areas where visible benefits are not seen. They are willing to take investment risks so long as they don’t incur a cost increase.

The Security Site Survey process

According to Aharoni, in the field of Site Surveys there are two types of projects. “The optimal time for a Security Site Survey is in the pre-installation, planning phase. By carrying out the Survey at this phase, the company saves costs that would be incurred in the future due to poor global planning or installation mistakes. The other type of survey is carried out when an organization contracts a consultant to carry out a Risk assessment of the present security system, who then offers recommendations to improve the system and minimize risks”.   The first phase of a Security Site Survey is comprised of three stratums.

1.      The gathering of statistics regarding the local crime rate and the economy of the country or state, including its exposure to terrorism, felonies, or other aggressive acts. The information is gathered from different databases, both public as well as classified.

2.      A meeting with the client, wherein the client reports its estimate of the present risks, and to what level they are of concern.

3.      The consultant shares his professional insight and perceptions.

Most companies aren’t aware that approximately 75 percent of the damage it incurs is caused by internal personnel, whether intentional or unintentional. A curious employee may access an information system, and unbeknownst to him, damage the system. Another employee, for example, may intentionally sell inside information to a competitor.

After data-gathering in the first phase, the consultant creates a matrix outlining the three main areas that pose risks for the organization: crime (theft, espionage), natural disasters (fires, earthquakes) and terrorism (abductions, shootings, bombings). The matrix reflects the probability with which these risk may occur, and in which areas the risk is low, medium or high.   The second phase of the Survey presents the security concept that the organization must adopt in order the adequately deal with the risks. For example, what type of access-control system do they require, or, what is the level of compartmentalization needed between different departments within the organization.   The third phase is the construction of a security plan consisting of the following parts:

• Physical security requirements
• Technological security requirements
• Quantity and quality of the human resources required
• A list of work protocol/procedures

In the fourth phase of the Survey, the organization is presented with findings and recommendations. The implementation plan for the project is discussed, along with specification of the necessary technologies, and the selection of a company to install the plan.   As soon as the plan is ready, the company sends out a Request for Proposal (RFP) to potential contractors. Proposals are then examined to see if they meet requirements and if the contractor is actually capable of completing the project. The selection of a contractor consists of three phases: the first is an analysis of the submitted proposal, the second is a meeting in which the nature and quality of the contractor is assessed, and lastly, an examination of the costs and helping the client through negotiations to receive the best possible price. The consultant advises the organization to choose the most suitable contractor.   During the installation phase of the technical requirements, the consultant supervises the labor of the contractor to be sure than the process is being carried out correctly, that the installation is functional, and that the materials are according to specification, both in number and type.   At the projection’s completion the consultant writes up a list of possible scenarios (between 70 and 300, depending on the size of the project) that could potentially harm a certain part of the organization. This list is then sent to the contractor to enter into the security management system.   “We’re talking about completely integrated, intelligent management systems”, Aharoni explains. In actuality, it’s no longer necessary for security personnel in the command center to constantly pay attention to the cameras; it’s enough for him to respond to system alarms that are triggered as a result of certain event”.   There are numerous examples demonstrating how these intelligent security management systems work.  Every table in a casino is outfitted with a panic button; if the dealer presses that button, cameras are programmed to automatically focus in on that specific location, and the video image appears on the security guard’s monitor. Or in the case of a fire, as soon as the system receives input relating fire, doors are automatically unlocked and cameras begin to record the relevant locations.   

How do companies perceive and understand the concept of a Security Site Survey?

It’s difficult to explain the need for security to the private, civilian market. While banks might be well aware of their security requirements, most companies and organizations may not understand the importance of the issue.   Today, especially in the United States, it is the end-user who dictates its security needs to the supplier. The client asks that the facilities in which their information is stored be secured so that information not be exposed in the case of theft.   The commercial outcomes of this dynamic are significant, as a company’s security is now perceived as a value added resource. That organization markets itself to the client through its reputation of discretion and non-disclosure. In some companies, offices are exposed and entry/exit is disorganized. In other companies, the level of control and vigilance is high, there is an access-control system in place, entry and exit of persons is monitored, visitors are escorted, etc. This is what marks the difference.   It is a fact that security influences a company’s success, and sometimes even marks the difference. As a case in point take the case of a hotel in Kenya whose reputable security level contributed to its outstanding occupancy rates, even in difficult times, as opposed to other hotels whose investment in security was not as strong.

What is the cost of Risk assessment via a Security Site Survey?

The cost is a function of the project scope, the country in which it takes place, and whether a full or partial survey is completed. The estimated cost varies between one thousand Euros to tens of thousands of Euros. In exceptional cases, the cost could reach one hundred thousand Euros, or even more. Security is a compromise between a company’s economic means, its needs, and its capabilities. Nevertheless, it should be noted that an expert consultant can save a company tens of thousands of Euros, as he or she is capable of assessing the company’s needs, and maximize negotiation of resources.   In the field of security the human tendency is towards curing, not preventing. Only a small percentage of CEOs understand the significance of prevention and the undertaking of a security plan that covers the scenarios and risks to which a company is “theoretically” exposed. For this reason, most companies only initiate Security Site Surveys after experiencing a theoretical scenario manifest as a reality. Unfortunately, in many cases we are asked to consult after yet another event, and not after the first. Security directors must stay alert and navigate the company towards the maintenance of a security plan designed to prevent incidents, rather than dealing with the aftermath.

PURCHASE THE ONLINE SECURITY MANAGEMENT COURSE