Brian Schwab, Founder and Principal Consultant at S3 Security and Defense Consultants recently spoke to asmag.com about this and explained what goes into making a strategic plan for physical security.
Providing physical security is a complex process that begins much before even thinking
which would be the best camera to buy. This process includes several critical factors that determine the needs, feasibility of solutions, and an effective action plan. Customers and security systems integrators, especially those keen to expand their work to larger and more complex projects, would greatly benefit from having a clear understanding of this process.
Brian Schwab, Founder and Principal Consultant at
S3 Security and Defense Consultants recently spoke to asmag.com about this and explained what goes into making a strategic plan for physical security.
Preview and ROI estimation
The first step in this process is to review the overall strategic plan in order to determine exactly how this planned installation fits into the overall strategy of the enterprise. This allows the planner to develop metrics (to include return on security investment) that clearly show the value of the proposed project to key decision-makers within the organization.
(Click here to read about why presenting an ROI is crucial)
One should also prioritize all other physical security projects within the enterprise and evaluate them against one another to ensure that the proposed project provides the best value to the company from both a risk reduction and financial management perspective.
Establish a working group
The second step is to establish a security working group that includes internal and external stakeholders, the planner and members of the security team. This group discusses the risks at the site against those at all other locations within the enterprise to ensure that the site’s risk is important enough warrant the proposal and determine whether the risk should be accepted, transferred, mitigated or avoided.
The group will also review and comment on key performance indicators developed by the security team for the proposed countermeasure. This will ensure that all necessary input is aired, considered and recorded, thus ensuring buy-in from within the company and preventing tunnel vision in the planning process.
Prepare a business case report
The next step is to develop a business case report that clearly states the following (at a minimum):
- The problem that needs to be addressed and why (business need)
- The anticipated outcomes of the project
- The impact on business processes and employee roles/responsibilities if implemented
- The justification as to why the solution was selected over other alternatives
- A cost-benefit analysis (the most important part as this shows the return on security investment, potential risk reduction, cost per unit of risk buydown and other measures that impact the company’s bottom line). This section also outlines the estimated lifecycle cost of the proposed project to include future preventive and remedial maintenance costs
- The key risks involved in implementing the project
The business case report is provided to the security working group for review and approval prior to submitting to senior executives for approval to proceed. This is the critical link between security and the company’s overall strategic plan and is the key factor impacting senior executives’ decision whether or not to finance the proposed project.
After approval to proceed is given by the senior executives, a risk assessment of the facility or a review of the most recent risk assessment (with an updated security audit) is conducted. The assessment includes a Crime Prevention Through Environmental Design component, a pedestrian and vehicular traffic flow audit and a lighting assessment to assess the possible impact on vegetation, illumination, traffic, facility layout, etc. on the planned project.
This allows the planner to understand the operating environment exactly as it exists in both daytime and nighttime conditions. It also allows the planner to see if the risk for which the planned project is being considered still exists and will be reduced after implementation. The results of these studies are provided to the security working group to ensure findings are adequately distributed and input on findings is received.
Initial design stage
From there, initial designs are completed using existing CAD drawings of the location where the project will be implemented (or new ones created if none exist). Drawings completed at the 10, 30 60 and 90 percent are submitted for review and comment to the security working group and security experts within the organization.
Changes and edits are rolled into the final document. Final drawings are maintained by the Project Manager and are used in the acceptance test to ensure the security components are installed according to plan. Punch lists are developed, shortcomings rectified, and a final acceptance testing is conducted. The report that results from the acceptance testing is provided to the security working group and the financial office for records management.
Risk evaluation
Finally, the risk is re-evaluated to ensure the desired reduction is achieved and how the risk will continue to be mitigated. The risk re-assessment will also indicate how that risk reduction cascades throughout the entire enterprise and the overall risk is reapportioned. This is reported as a key strategic indicator by the security team to show the value the security program brings to the overall organization.