Risk-Based Security Gets in the Game
Publish date: Jun 26, 2018
If you’re coaching a soccer team in the World Cup this summer, you’re going to want to adapt your defensive strategies for each opponent. To stop an aggressive, high-scoring offense, you’ll keep your defenders back and play cautiously. To beat a cagey, clever foe, you’ll apply some pressure to try to force turnovers.
Successful strategists in the security arena face the same kind of tactical issues. The stakes are much higher, of course, but security pros need to deal with their own group of “attackers” who are skillful, resourceful, and motivated to succeed. Soccer coaches can’t deploy a “one-size-fits-all” strategy, and neither can today’s security strategists.
In security, this strategy has a name. It’s called “Risk-Based Security,” RBS for short. If this sounds like a simple, common-sense approach to a serious, complicated issue, it is – sort of. At its core, RBS defines a commitment to flexibility and adaptability to deal with ever-changing threats. It also values the use of “tailored” systems that are designed to mitigate risk, evoke a sense of safety for users, and not present an undue burden on the user population.
The traditional, one-size-fits-all approach to security is cumbersome. It usually involves having security officers physically inspect every person entering a facility, relying heavily on the limited capability of metal detection. This approach provides a service, deflecting obvious traditional threats. But it is costly and slow, and often ineffective without additional capabilities to screen more aggressively.
Security systems that implement a risk-based approach to screening, for example, tend to be more accepted by the public than those that don’t provide any differentiation. A good example of this practice is the TSA PreCheck program. TSA PreCheck leverages a preliminary vetting process that separates “low-risk” passengers from those who are unknown or may require additional screening. By extending the process beyond the airport, TSA has significantly increased the throughput of its PreCheck screening lanes for passengers while mitigating risks and reducing staffing and equipment costs.
A risk-based approach recognizes that while there are no perfect security solutions, those that strategically balance security, access, usability, and cost can ultimately provide the best long-term protection against an evolving adversary.
An effective RBS strategy considers changes in the environment over time, and changes in the risk profile of different groups of people – employees, visitors, and dignitaries – over time. It also puts equal emphasis on technology solutions and more people-focused factors like organizational, managerial, and operational capabilities.
It relies primarily on a short list of components: gauging threats; understanding vulnerabilities; vetting users; identifying users and attaching risk assessments to them and their belongings; routing high-, low- and unknown-risk users through the appropriate security channels; and using equipment to screen personnel and belongings.
A successful risk-based security strategy is reliant on an enterprise approach that not only provides excellent technology to perform physical screening but also ensures that the personnel performing the screening are using the technology appropriately, that people presenting themselves for screening have already been assessed, and those vetted to a higher standard are provided a screening process that is not unduly burdensome.
There is no “silver bullet” or “cookie cutter” enterprise approach. What might work particularly well in office buildings and places of worship, where it is possible to learn more about the regular user, will be different from what works in public venues, where most people presenting themselves may be unknown, a situation that may present a different threat.
As attackers have expanded their focus, major sporting and public events have become more of a target. The challenge commercial entities have in implementing a risk-based program is two-fold. First, a “known patron” program must be established along with a quick way to validate membership in that program at the entry to the screening system of a facility. Second, a program must tailor the screening process to account for the different risk levels of those entering the venue.
The potential benefits to implementing a risk-based screening program are significant. This approach can create a better experience for known, repeat customers. A risk-based screening program can also improve overall brand perception of a venue by implementing “smart” security solutions. These risk-based solutions help make entering a venue easier while maintaining a level of safety, allowing faster throughput, and thereby mitigating the risk of long queues. Overall security costs can potentially be decreased since people can be screened at a faster rate, requiring less security staff.
Further, while people want the safety that screening systems provide, they do not want to lose the culture, openness, and sense of welcome that make their venue, stadium, or house of worship special. Implementing a risk-based security program provides the best option and allows an organization to tailor a program that fits their culture, so they do not have to sacrifice what they represent for safety.
“One-size-fits-all” security can work in specific, limited situations. But it’s no match for today’s attackers. Successful security strategists, like World Cup-contending soccer coaches, make sure they’re prepared. They have their tools, their plans, and their training intact, and they’re ready to defend.