
WHITE PAPER / COST-WISE SECURITY MINDSET

EVOLVING THREATS, RAPID TECHNOLOGICAL ADVANCES AND NEW WAYS TO THINK ABOUT SECURITY

BY Michael Monahan, CPP

Technology enhances an organization’s operations; however, given the pace of development, introducing these technologies can sometimes outpace the protocols needed to manage new risks and vulnerabilities. Rushed responses don’t cut it, but thinking a little differently about security can break the cycle.


© 2018 PAGE 2 OF 4

THE COST OF COMPLACENCY WITH REGARD TO AN ORGANIZATION’S SECURITY POSTURE

In May 2017, WannaCry ransomware began attacking vulnerable computers around the globe, encrypting their data and demanding ransom payments in the form of Bitcoin cryptocurrency. By the time the attack was stopped a few days later, 300,000 computers across 150 countries had been affected, with damages totaling in the billions of dollars.

The WannaCry ransomware attack was the largest of its kind to date — and it’s far from the last. Researchers from SonicWall Capture Labs recorded 5.99 billion malware attacks in the first half of 2018 alone, more than double the number from the same period in 2017.

Given the increase in the number, complexity and severity of such attacks, cybersecurity has become one of the most important considerations in business planning. The challenge is weighing security risks and costs with consideration to your budget and making the best decision to protect your organization.

SECURITY PROTECTION THAT REFLECTS BUSINESS OBJECTIVES

The cost of neglect of security issues can be high, leading to installed system obsolescence as well as complacency in policies and procedures. In time, this can breed vulnerabilities that an attacker can easily exploit — or an auditor or lawyer can discover — resulting in a potential loss of assets, including both a company’s brand and reputation.

To prevent such losses and to protect assets, decision-makers must cultivate a security-driven mindset, and they must prepare to have their judgment, commitment and resolve tested in the development and delivery of integrated security solutions. Bracing for the challenge may be more difficult than it seems, given the demands made on this mindset in each of the following areas.

COMMITMENT

A decision-maker’s commitment to a security project will be tested on multiple fronts. The greatest obstacles often are embedded in the organization’s cultural norms. Before implementing sweeping changes, a prudent leader first will consider the time, outreach and patience required to develop and secure buy-in for a strong security strategy. To manage competing priorities and demands, it is necessary to assemble a strong coalition prepared and capable of leading change.

PJM Control Room; Source: StateImpact Pennsylvania, Courtesy of PJM.


ALIGNMENT

Discussions regarding security technology must address — and be aligned with — the policies, procedures and people who will be responsible for leveraging these technologies. Without this alignment, any solutions you implement potentially could be rendered obsolete, ineffective or merely inconvenient over time, leading too often to their ultimate abandonment.

JUDGMENT

Good judgment in security decision-making often comes with experience. Experience, however, is usually gained through incidents that may involve mistakes and poor judgment. That is why it is critical for decision-makers to be honest in appraising their teams’ experience and qualifications. Available resources must be developed, mentored and empowered to plan and execute as a team to institute and effectively turn the vision for an integrated security solution into reality.

TEAM

The goal is to build a team that can be relied upon for discretion and good judgment by leveraging its requisite experience, attention to detail and professionalism at each step in a project’s life cycle to achieve and maintain a high-performing security system. Leaders must also build teams that can exercise proper foresight in budgeting and communicating the total cost of ownership of the solutions they implement.

COST-EFFECTIVENESS

Because a successful security outcome is, by nature, a nonevent, it can be frustratingly difficult to measure a security system’s cost-effectiveness. Still, specific measures can be employed to evaluate and communicate the relative value of security system components, including:

Congruence – Can you simply and clearly articulate how a chosen technology fulfills an essential component of the organization’s overall security strategy?

Sustainability – Does the technology solution have the capabilities, as well as the protocols, policies and procedures, needed to achieve your objectives? Has the system been scrutinized for its ability to deliver future functionality and flexibility as security and compliance requirements evolve?

Reliability – Does each security component perform as advertised? Will it function properly the first, 10th, 100th and 1,000th time it is called upon? Has your organization committed to maintaining this level of performance over the long term and do you have the team in place to select, implement and maintain this performance level? Is it necessary to pare down the number of vendors, tools and/or metrics to make long-term operations and support more feasible?

PREVENTING THE ONSET OF OBSOLESCENCE

Once an integrated security system is installed, an organization must remain proactive and pivot to a position that will integrate the changes into the organization’s culture. This requires both vigilance and assertiveness to raise awareness among staff. The organizational landscape must also be regularly and actively scanned for security-related challenges and opportunities emerging from within the security team and across the organization.

One strategy to build awareness throughout the organization is to test the strength of communication and competing influences from the bottom up and the top down. Actionable insights can be gained by observing how high up the chain of command specific challenges and opportunities are circulated before they recede and fade from the organization’s discourse.

In one instance, a local government client had a long-standing relationship with a guard force services provider. Although numerous questions had been raised regarding the manner in which these services were provided, the recommendation to open that contract up for competing bids was met with unexpected resistance.

Observing how far down the chain of command you can go before the organization’s mission, core values and governing principles are lost among employees is another way to test resiliency. Policies surrounding key control, piggybacking or vegetation management are just a few topics that seem easier to approve in a conference room than to execute in practice. It is imperative that proper attention be given to training staff and managers in the policies and procedures necessary for making a given technology effective. Enforcement measures and rewards for personnel will be structured accordingly.

One client instituted a program of positive reinforcement in which employees were encouraged to communicate security vulnerabilities that they observed in the workplace. Participants received direct feedback in person from the director of security in front of their peers, even receiving a simple and inexpensive token of appreciation and a signed certificate. It was not uncommon for these certificates to be found in office spaces throughout the facility, setting a positive tone that encouraged an “all hands” approach to driving security throughout the business.

Above all, trust is paramount. Controlling and managing risk requires open and positive communication, responsiveness and accountability.

CONCLUSION

Today’s fast-changing security environment demands that business leaders cultivate mindsets that simultaneously track both evolving threats and technological and digital advances.

Securing buy-in from stakeholders who hold the cards and control the budget is necessary if the goal is to convert new technologies into integrated, sustainable security solutions. The ability to align resources and cultivate a trustworthy team that exercises proper due diligence is vital to the successful implementation of a holistic, sustainable security strategy in any organization.

BIOGRAPHY

MICHAEL MONAHAN, CPP, is a section manager in the Corporate Information Technology department at Burns & McDonnell. He has more than 10 years of experience with industrial facility design-build requirements and security compliance requirements. This comprised managing projects for government and private sector clients, including municipal and investor-owned utilities. Mike is an ASIS Board Certified Protection Professional and has provided security consulting and analysis services to a wide variety of critical infrastructure clients, including security system design and implementation management.
