
Security convergence & “The Zen of risk management”

Meet the certified protection professionals who want people to realize that safety is everyone’s responsibility.

Protecting people, property and organizations is a tough job, especially when you consider that we live in an unpredictable world where threats are constantly evolving. Furthermore, it’s hard enough to know where to begin when assessing risks, let alone how to manage both physical and cyber security threats. Fortunately, global communities of security practitioners such as ASIS International (ASIS) have been working towards combining those two previously distinct fields under the banner of security convergence since 2005, and the experiences of its 34,000-plus members can help us better understand the shared responsibility of safety.

Balancing technology and simplicity

From security cameras to remote access controls, technology has always played a role in the security industry and evolved alongside it. One company continuing to contribute to this change is the Ontario-based StarRiver Inc., one of the first security consulting firms to offer unmanned systems and robotics such as drones to respond to threats. But StarRiver’s founder and longtime ASIS member James Acevedo says the convergence of physical and cyber security happens at the start of any risk management project.

“They have to work together from the beginning because you can’t have cyber security unless you have physical security and physical security needs IT in order to protect information and infrastructure.”

In addition to using unmanned systems to respond to threats, StarRiver specializes in countering business espionage and protecting electrical grids, alongside its core risk management services. When conducting these risk assessments, the company uses state-of-the-art methodologies, but Acevedo says that at the core of most approaches lies a universal formula that he refers to as “the zen of risk management.”

“Risk is threat, vulnerability, and consequences,” says Acevedo. “It’s nothing more, nothing less, and if you use those three elements you will really be able to analyze things in a much different way.”

Bringing an outer world within

Acevedo says this simple approach prevents risk management programs from getting needlessly overcomplicated while letting security professionals excel in their ability to gather and utilize data. Moreover, simplicity helps organizations develop and communicate clear and effective frameworks, policies, and procedures.

This is important because in addition to integrating physical and cyber security under security convergence, in 2005 ASIS helped create the Alliance for Enterprise Security Risk Management (AESRM), which advocates for the convergence between companies’ human resources departments and the previously separated security operations.

For Brian Kidd, manager of risk mitigation at the international security company AFIMAC Global, the changes in security convergence mark an important transition from past attitudes toward the industry. “It really comes down to duty of care and due diligence,” Kidd says. “What’s changed is not so much risk tolerance or risk acceptance, it’s [security] being a bigger part of that business’s overall mission or how do we facilitate the business’s objectives?”

AFIMAC offers North American companies security, risk management, and business continuity programs, which Kidd describes as a “fully streamlined service” to help businesses provide safe working environments for their employees both domestically and abroad. He also believes that security professionals “are really motivated by helping people”; however, the value their expertise and perspectives add to organizations can often be a challenge to

“We want to deliver safety and sometimes it’s hard to quantify, to put a dollar amount on a prevented incident but it’s very easy to quantify the damage or loss when an incident occurs,” Kidd says. “Your employees and guests feel safer now and your operations people aren’t getting complaints anymore but how do you translate that into dollars?”

The interconnectedness of all things

Kidd says that not only is AESRM “tearing down silos” between security and business operations, but ASIS and other global networks also provide a platform for professionals to regularly share and learn from one another.

Chris Anquist is the regional manager of strategic initiatives at GardaWorld and the chair of ASIS’s Saskatchewan Chapter #275. His security programs, risk assessments, and incident management programs are governed by the philosophy that “real security starts with a genuine care for people.”

Anquist says security convergence is important because, whether it’s a digital or physical risk, professionals approach most threats in similar ways. Therefore, instead of worrying about the distinction, business leaders should be focused on promoting a security culture within the workplace.

“In order to effectively manage security risk, you actually need to elevate it, you need to talk about how everyone in your company is responsible for the security and safety of your organization,” Anquist says. Anquist’s personal approach to risk assessments recognizes that threats evolve over time; that assessments need a certain amount of time, need to be based on data, and need to be multidisciplinary; and that there’s no single solution to every problem.

“The risk assessment starts at the beginning and [asks], ‘what are the threats, what are we protecting, what are we protecting it from, and how likely is that to happen?’” Anquist says. “As much as everyone would like to think that we have our own special tools for how we understand risk, I would disagree, and I think the reality is, we’re just risk managers who understand a specific type of risk better than other people do.”