Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
ColumnsManagementPhysicalSecurity Enterprise ServicesSecurity Leadership and ManagementSecurity & Business ResilienceSecurity Education & TrainingFire & Life Safety

Education & Training

Risk assessment strategies: Be careful what you eat

Conducting risk assessments are a valuable piece of any security program. But, in order to achieve maximum return, there’s a right and a wrong way to follow through.

By Ben Zeifman
education and training

olm26250 / iStock / Getty Images Plus via Getty Images

ben zeifman

Ben Zeifman

education and training
ben zeifman
July 8, 2022

Have you ever walked into a Vegas buffet and said to yourself, “I really want the steak, but that sushi looks delicious, and so does that chicken parmesan”? The spread and variety of dining options all look appetizing, but the choices can be overwhelming. Though your eyes grow big before any giant buffet, there’s only so much room in your stomach. Thus, you need a strategy for your feast.  

Like a Vegas buffet, risk assessments require a strategy. If security leaders don’t prioritize which information to bite into, they run the risk of gorging themselves on frivolous data without any time remaining for the meat and potatoes.

Deciding to conduct a risk assessment is prudent to being a proactive security leader. Taking action is a far greater step in the right direction than doing nothing, but it’s just as important to understand that every organization is different. Threat and risk postures vastly differ between organizations and clients, and risk assessments are never a one-size-fits-all approach.

When assessing risk as a protector, investigator or security leader, there are several strategies to get right to that meat on the bone. The initial considerations for any security risk and threat vulnerability assessment should be:

  1. Determine priorities.
  2. Recognize what to avoid.
  3. Ask preliminary questions.
  4. Consider who will conduct the assessment.

 

Defining Risk Assessment Types

Of course, not all risk assessments are created equal. Various types of assessments can collectively work together. Be open-minded, as it’s not always an “either-or” scenario. Different reports can be leveraged together toward the single collective goal of reducing risk to the organization.

Let’s break down and define the types of risk assessments:

  1. Risk Assessment is often an examination of what could cause harm and is vital in the managing safety. Identify, analyze and evaluate risks first in order to determine mitigation needed. Oftentimes, a risk assessment occurs due to a known deficiency or concern.
  2. Vulnerability Assessment is an examination to better understand the organization’s exposures, which is just as crucial as risk. Vulnerabilities will ultimately lead to risk.  
  3. Gap Analysis is the process used to benchmark and compare against others in the industry by taking an in-depth look into a program to better understand what the program actually entails. Often, for example, organizations want to evaluate their executive protection program and find out where it stands compared to others. Does the program have structured policies, licensing, training, etc.? In many cases, gap analyses reveal a false sense of security and understanding of an organization’s security program.

When deciding which assessment might work best for an organization, security leaders should ask themselves the following questions:

  1. What is the organizational appetite for risk?
  2. What factors are driving the assessment?
  3. Who/what is at risk?
  4. What is the severity of the risk?
  5. Where is the organization vulnerable?
  6. What are the mitigation measures?
  7. Is there an existing program in place that is being evaluated?
  8. Should this be handled internally or externally — why?

Each type of assessment can provide security teams with varying tangible data to allow security leaders to strategize the best path forward.

Each assessment is used as a level set for security leaders to better understand the challenges they face within their organization. However, these assessments are also just a starting point.


Conducting Risk Assessments

After the organization recognizes the need for a risk assessment, the next decision to make is whether to handle the matter internally or hire an outside firm to perform the assessment.

Step one is to deep dive into the organization’s internal capabilities. Be empathetic to other internal departments (HR, Legal, Facilities, etc.), as they are your partners in accomplishing this mission. If security is required to tackle the assessments and mitigation strategies internally, it’s wise to focus on the basics and what is handled within the team’s depth of knowledge. Security can also partner with professional organizations such as ASIS, ATAP or SHERM to garner support and assistance. It might be wise to benchmark the program with other similarly situated companies.   

Security leaders should think of themselves as general practitioners. This means we are widely knowledgeable about many aspects of security — physical security, executive protection, security technology, etc. — however, we’re not specialists. And just as we don’t want a general practitioner performing open heart surgery, certain types of risk assessment operations are no different. How do you find these security surgeons? Connect with retired police investigators or intelligence analysts on LinkedIn who might not be connected with any particular company and can provide more objective advice and direction. Then call them and gather information on their experiences, cases and accomplishments. Moreover, ask them for client referrals and speak with those folks.  

 

Focus Time and Priorities

Once the security leader can determine what types of assessments would be valuable to the organization, it’s important to use findings to focus time and priorities. As the old military cliché says, “to defend everything is to defend nothing.” Start with the low-hanging fruit and list five vulnerabilities to address and quick proposed solutions.  

For example, initial priorities may include:

  1. Harden entry control procedures. Hire a security consultant to develop key card access.
  2. Focus on licensing and training internal security. Assess which licensing is required by the state and consult with a training organization to achieve the requirement for the team.
  3. Determine travel security and/or executive protection needs. Develop a risk-based security matrix that adds support and measures depending on the location and nature of a trip or event.
  4. Evaluate and harden onsite security. Partner with local law enforcement to increase patrols around facilities.

When it comes to focusing time, it can be helpful for security leaders to classify risks into two buckets:

  • Low-likelihood, high-consequence: medical incident, active shooter, natural emergencies, kidnapping, etc.
  • High-likelihood, low-consequence: poor access control, broken cameras, screening procedures, etc.

From there, security leaders can determine steps they can take to quickly reduce risk and enact change for users or employees to start feeling — and being — safer.  

 

Know What to Avoid

In the bestselling book “The Gift of Fear,” Gavin de Becker writes about the difference in lowering risk versus lowering anxiety. Sometimes, security operations are filled with perfunctory measures to ease employee or client anxieties.  

To win over decision-makers and gain buy-in from the C-suite, security leaders must be convincing with recommendations, be versed in the cost of such measures, and be able to justify the value of risk assessments.

 

When to Reassess

The question of reassessing risk in an organization is not so much about the previous report, but evaluating what the organization has accomplished since a previous assessment and redrafting an action plan based on changing needs or events.

Some industries have regulated timeframes for reassessment reports. In some cases, there are statutory requirements for reassessment reports which are industry specific. Generally speaking, reassessments can be constant and never-ending.

Like the Vegas buffet, security leaders must assess (and reassess) their options. We must prioritize what’s on our plate, avoid the bad food, ask other patrons what food is the best, and which chefs are the most qualified. You cannot digest a substantial assessment report at once, so take it one bite at a time through the aforementioned steps, and you’ll be well on your way to dining in style while ensuring all those at the table you serve are safe and secure.


For more articles on security risk and threat assessments, visit:

Top 5 physical security threats

Security risk management for the nonprofit sector

Reimagining risk assessments during global crises

KEYWORDS: risk assessment risk management security management security operations

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Zeifman

Ben Zeifman has been in the law enforcement and security industry for over 20 years. He currently serves as the Director of Client Services for Gavin de Becker & Associates, the leading public figure protection and threat assessment firm. He has worked with the U.S. Secret Service, the Diplomatic Security Service, the FBI, the CIA, and MI6 during the planning and implementation of security operations involving at-risk clients, U.S. Presidents, and foreign heads of state. Zeifman has consulted on the development of protection strategies regarding difficult terminations and reductions of force at Fortune 500 companies. He serves as the President of the Southeast Chapter of the Association of Threat Assessment Professionals (ATAP). Image courtesy of Zeifman

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Enterprise Services
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Coding

AI Emerges as the Top Concern for Security Leaders

Half open laptop

“Luigi Was Right”: A Look at the Website Sharing Data on More Than 1,000 Executives

Shopping mall

Victoria’s Secret Security Incident Shuts Down Website

Laptop with coding on ground

Stepping Into the Light: Why CISOs Are Replacing Black-Box Security With Open-Source XDR

Gift cards and credit cards

Why Are Cyberattacks Targeting Retail? Experts Share Their Thoughts

2025 Security Benchmark banner

Events

June 24, 2025

Inside a Modern GSOC: How Anthropic Benchmarks Risk Detection Tools for Speed and Accuracy

For today's security teams, making informed decisions in the first moments of a crisis is critical.

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

From animal habitats to bustling crowds of visitors, a zoo is a one-of-a-kind environment for deploying modern security technologies.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • What’s worrying consumers and business the most?

    Be careful before you open your Prime Day package

    See More
  • business travel

    What Should be in a Travel Risk Policy?

    See More
  • Nurse in spotlight in dark hallway

    Reining in workplace violence in healthcare: What strategies work?

    See More

Related Products

See More Products
  • physical security.webp

    Physical Security Assessment Handbook An Insider’s Guide to Securing a Business

See More Products

Events

View AllSubmit An Event
  • August 27, 2025

    Risk Mitigation as a Competitive Edge

    In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.
  • November 17, 2025

    SECURITY 500 Conference

    This event is designed to provide security executives, government officials and leaders of industry with vital information on how to elevate their programs while allowing attendees to share their strategies and solutions with other security industry executives.
View AllSubmit An Event
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing