Defense is Your Best Offense: Understanding the Fundamentals of Risk-Based Security
In football, the room for error is slim to none. The hours of film study, drills and situational awareness all play a major role in what separates the good from the great. For defense coordinators, this means ensuring the off-season is focused on building an aggressive defensive line that can work cautiously and is flexible enough to make real-time adjustments. To beat a cagey, clever foe during a game, the defensive line needs a strong backbone strategy to keep them prepared for any situation.
Successful strategists in the security arena face the same kind of tactical issues. Attackers are skillful, resourceful and motivated to succeed. Football coaches can’t deploy a “one-size-fits-all” strategy, and neither can security strategists. On a macro level this is called “Risk-Based Security” or RBS, which at its core defines a commitment to flexibility and adaptability to deal with ever-changing threats. RBS uses a “tailored” approach to security that adjusts over time based on changes in the environment and in the risk profile of different groups, such as employees, visitors and dignitaries. RBS is designed to mitigate risk, evoke a sense of safety and not present an undue burden on the users. Most commonly this strategy is used at airports in the form of “TSA Precheck.”
Risk-Based Security Gets in the Game
The traditional, one-size-fits-all approach to physical security is cumbersome. It typically involves security officers physically inspecting every person entering a facility, relying heavily on the limited capabilities of metal detectors. This approach is costly and slow, and often ineffective without additional capabilities to screen more aggressively. A risk-based approach recognizes that while there is no perfect security solution, those solutions that strategically balance security, access, usability and cost can provide the best long-term protection.
An effective RBS strategy puts equal emphasis on technology solutions and more people-focused factors like organizational, managerial and operational capabilities. It relies primarily on a short list of components, including gauging threats; understanding vulnerabilities; vetting users; identifying users; and attaching risk assessments. It also includes routing high-, low-and unknown-risk users through the appropriate security channels.
An RBS strategy is also reliant on an enterprise approach that not only uses excellent technology to perform physical screening but also ensures the personnel performing the screening are using the technology appropriately. When implementing a risk-based security strategy, security professionals need to focus on two priorities: First, they must establish a “known patron” program that includes a quick way to validate membership at the entry to the screening system of a facility. Second, they must tailor the screening process to account for the different risk levels of those entering the venue.
How RBS Can Combat Modern Threats
Attackers have shifted their focus from hard targets such as airplanes and government facilities to soft targets such as sporting venues and music arenas. This shift has created need for a new approach to venue security. It is no longer enough to just to screen visitors and guests as they enter the stadium. We need to expand the security perimeter beyond the walls of the building and focus on new strategies, such as RBS, for long-term protection against an evolving risk landscape.
The potential benefits of implementing a risk-based screening program are significant. It can make entering a venue easier while maintaining a level of safety, allowing faster throughput, and thereby mitigating the risk of long lines. This can create a better experience for known, repeat customers as well as improve overall brand perception of a venue. Overall security costs can potentially be decreased as the security staff is optimized. Further, while organizations want the safety that screening systems provide, they do not want to lose the culture, openness and sense of welcome that make their venues special. Implementing a risk-based security program allows an organization to tailor a program that fits their culture, so they do not have to sacrifice what they represent for safety.
There is no “silver bullet” or “cookie cutter” approach to security. What might work particularly well in office buildings – where it is possible to learn more about the regular user – will be different than in public venues. Like football coaches, successful security strategists make sure they’re prepared, and with risk-based security, they have the tools, plans and training intact to ensure they’re ready to defend.