Security Threats vs Security Measures
Risk of Security Breach
Think about how many times over the last six months security threats have been in the local, national, or international news. It seems as if they are everywhere these days, real or perceived!
Almost daily a news story breaks in which, at some point, a news commentator or a law enforcement official mentions that they are looking at the incident as a possible terror attack. Does this mean that terror attacks happen that often? No. What it means is that a terror attack is often the first thing that comes to mind until proven otherwise. However, no one knows for certain how many of these incidents actually have a terrorist element that goes unnoticed.
Real or Perceived Security Threats
It is very common in the security consulting world that when a threat, real or perceived, is on people's minds, the security experts get a call. Although that can be good for staff morale and will often lead to improved security measures, you need to ensure that any changes made are long term, not just a way to calm down the staff. All too often security experts make recommendations to an organization only to find out later that the recommendations were never implemented. This happens for a number of reasons.
Those reasons can be budgetary, philosophical, or any number of other factors. The important thing to remember is that when your organization asks a security expert for assistance and they provide it to your management, you do not simply ignore their findings.
Refusal to Accept Security Recommendations
Years ago I met with an organization's administrative team who had retained another security consultant 3 years prior for a full security review of their organization. While sitting down with the Senior VP, I was handed the previous consultant's report, which was about 200 pages. The VP stated, "We have not accepted this report." Really? As I sat there and looked at the report, I asked the VP what she meant by the statement that they had not accepted the report. She went on to say again, "We have never accepted this report." At that point I was confused, so I asked: did you pay for the security report? The VP said, "Yes." So I asked: is this the report that they generated, and you have it in your possession? The VP responded, yes. Needless to say, I followed with a comment along the lines of: you requested that they conduct a security assessment and write a report, they did so, you paid them for their services, and you have their report. I am sorry, but how is it that you have not accepted the report?
The point being made here is that, for all practical purposes, they requested, received, and paid for the document. It was, however, agreed that they did not like the findings upon reviewing the report, but acting as if the report does not exist is not a well thought out business strategy.
Security Assessment Report Next Step
If your organization asks a security consultant to conduct a review and your management team does not agree with or accept any part of the findings, at least document your rationale. You may have a very legitimate reason for not following a recommendation, and there may be no issue with not following through on it. However, document why, and be as detailed as possible. Your legal counsel will likely appreciate your due diligence.
Security Assessment Second Opinion
In the example above it is not hard to imagine that the administrators did not agree with the findings and, in response, simply pushed the report aside and acted as if it did not exist. So after a long discussion we agreed to a new security assessment prior to our security expert's review of the existing document. This was to ensure that there were no preconceived biases on our part. Upon completion of the new security assessment and a review of the original document, it was our opinion that many of the findings and recommendations were spot on. The organization did accept and act on over 90% of our findings, many of which were very close to the original security assessment findings.
The point to take away from this is that the original assessment process, intent, scope, and expected outcomes were not explained clearly up front. Thus there was disbelief and a major misunderstanding when the report was delivered and reviewed. If your organization finds itself in a similar situation, give us a call; we can assist you in ascertaining the validity of the findings and recommendations.