Delivering Stronger Business Security and Resilience in a Weak Financial Climate
Chris Tomlinson
Arup Resilience, Security & Risk
My Agenda
The threat spectrum
The Risk-led Approach and the realities of Security
Risk Appetite
The boardroom view
Client Needs Detected
Design-based Solutions
Operational-based Solutions
Standards in Commercial Preparedness
Key Takeaways.
The Spectrum of Threat
Terrorism/Extremism
• Person-borne explosive attack
• Vehicle-borne explosive attack
  • Static
  • Encroachment
  • Penetrative
• CBR attack
Crime & Antisocial Activity
• Violence Against the Person
• Acquisitive (theft/burglary etc)
  • Personal
  • Business – Insider Threat
• Penetrative
  • Simplistic
  • Mechanistic
• Criminal Damage
• Anti-social behaviour
• Vagrancy & Trespass
• Violent protest – not necessarily unlawful
• Weapon attack
  • Hand-carried
  • Vehicle-borne
The Risk Calculus
(Diagram: Threat – Likelihood – Impact – Risk)
Threat – adversary capability (history), intent and access to their targets; do not forget the insider adversary.
Likelihood – the tough calculation; absolutes are difficult to come by, so relative likelihoods may be all that can be managed.
Impact – this is the straightforward part: all about asset and process vulnerability, and the costs of denial/loss.
The Resulting Conundrum
(Chart: impact on the vertical axis from Minor Impact to Serious Impact, likelihood on the horizontal axis from More Likely to Less Likely, with a Costs label; plotted threats: Nuisance, Terrorism, Theft/Insider Threat/Burglary, Workplace Intimidation/Violence, Arson, Criminal damage, Civil Disorder)
There will be Risk Appetite
Risk appetite, at the organisational level, is the amount of risk exposure, or potential adverse impact from an event, that the organisation is willing to accept/retain. (Mark Carey - Deloitte & Touche LLP)
An economically-conditioned balance between maintaining profitability, while not facing reputational exposure through culpable risk-mitigation failure. (Me)
Risk Appetite Illustrated in Counter Terrorism
Levels of Resilience to the Effects of Blast
Life Safety
Life Safety + Evacuation
Economic Reinstatement
Operational Continuity
All of which is a little counterintuitive, given that organisations normally say that they want to be operationally viable after a catastrophic event.
Questions that might guide Risk Appetite
Identify headline risk impacts on life safety, economic reinstatement or reputation
What adjacencies might increase or decrease risks?
What are the acceptable norms for protecting the business – are there standards we can use as a benchmark?
What risks can be treated, transferred or terminated, and what is left to tolerate? The latter lies at the core of risk appetite.
Is there an Enterprise Risk Management process that includes protective security?
Who reviews risk and how often?
Boardroom Views on Security
Struggles to show real benefit, beyond the simplistic, e.g. effects on stock shrinkage – ROI badly researched
Often ugly and oppressive, with a default setting of heavy-duty, rather than subtle, technologies
Adds operational friction – it slows people and stuff down
Laced full of confusing standards and often does not offer advice on sub-optimal ‘fixes’ – always the Rolls Royce, never the Honda Civic
Never linked to sustainability targets – e.g. ‘Carbon Cost of Crime’.
Preparedness in the Private Sector
A survey of 263 senior executives from various companies examined how they approach resilience and security
Five key areas were examined: physical security, IT security, business continuity, crisis management, and pandemic planning
Approximately 50% said IT security, business continuity, and crisis management at their company were "completely" or "very coordinated" with enterprise risk management, while only 43% said the same about physical security
21% of companies surveyed had a co-ordinator that oversees all five preparedness areas.
The key concerns were: risk versus opportunity, due diligence and duty of care (compliance and reputation protection)
Our Clients Want
Easy-to-understand risk analysis and deductions
Just enough – with an audit trail for what was agreed on and why
Scalability – things change and systems need to adapt
Early intervention – security as an afterthought is ugly and expensive
A balance between security technology and operations – Capex versus Opex
Value-added in security solutions
To be convinced of a return on investment – not just financial
Functional and management convergence – traditional stovepipes are challenged.
Design-Based Solutions
The trend is towards Internet Protocol solutions, but buyer beware!
Convergence onto unified ICT networks, but….
Convergence of building management systems – intelligent buildings
Smarter devices deployed – on-board processing
Adaptable plug and play (e.g. PoE)
Biometrics and reliable recognition
Stand-off detection and automated tracking
Physical Security Information Management (PSIM).
Operations-based Solutions
Unified command and control – moving security to business areas that are the ERM focus
Human Capital Risk – managing the insider threat
Boardroom education to value adds
‘Red-teaming’ – thinking adversary
Professionally develop your capable guardians
Test and validate plans
Sharing best-practice – co-ordinate resilience planning with other stakeholders (e.g. telecoms and lifeline utilities, local blue light responders etc).
Professional organisation memberships – e.g. CSARN.
Standards, Best-practice and References
BS 25999-1:2006 & BS 25999-2:2007 - business continuity management code of practice
ASIS International SPC.1-2009 – Organizational Resilience: Security, Preparedness, and Continuity Management Systems – Requirements with Guidance for Use and other references
US National Fire Protection Association 1600 - Standard on Disaster/Emergency Management and Business Continuity Programs
The Conference Board report - ‘Preparedness in the Private Sector – 2011’
Organisation specific e.g. BCO.
Key Takeaways
You cannot mitigate everything, so figure out what you can handle as risk appetite – easier said than done
Doing nothing is not an option, but mitigation sufficiency is linked to risk appetite
Get a risk assessment done, and one that offers deductions for best protective fit against form, function and budget
Scalability – things change (think about review programmes)
Have an audit trail for what was agreed on and why
Do it early, because security as an afterthought is ugly and expensive (and think sustainability)
Think about balances between security technology and operations – ROI is important.
Questions
chris.tomlinson@arup.com
www.arup.com

Delivering stronger business security and resilience

  • 1. Delivering Stronger Business Security and Resilience in a Weak Financial Climate Chris Tomlinson Arup Resilience, Security & Risk
  • 2. My Agenda The threat spectrum The Risk-led Approach and the realities of Security Risk Appetite The boardroom view Client Needs Detected 2 Client Needs Detected Design-based Solutions Operational-based Solutions Standards in Commercial Preparedness Key Takeaways.
  • 3. The Spectrum of Threat
    Terrorism/Extremism:
      • Person-borne explosive attack
      • Vehicle-borne explosive attack: static, encroachment, penetrative
      • CBR attack
    Crime & Antisocial Activity:
      • Violence against the person
      • Acquisitive (theft, burglary etc.): personal; business (insider threat)
      • Penetrative: simplistic, mechanistic
      • Criminal damage
      • Anti-social behaviour
      • Vagrancy & trespass
      • Violent protest (not necessarily unlawful)
      • Weapon attack: hand-carried, vehicle-borne
  • 4. The Risk Calculus (Threat → Likelihood → Impact → Risk)
    Threat: adversary capability (history), intent and access to their targets; do not forget the insider adversary.
    Likelihood: the tough calculation; absolutes are difficult to come by, so relative likelihoods may be all that can be managed.
    Impact: the straightforward part, all about asset and process vulnerability and the costs of denial/loss.
  • 5. The Resulting Conundrum
    [Chart: threats plotted by likelihood (more likely / less likely) against impact (serious / minor), with a costs indicator. Plotted threats: nuisance, terrorism, theft/insider threat/burglary, workplace intimidation/violence, arson, criminal damage, civil disorder.]
  • 6. There will be Risk Appetite (Threat → Likelihood → Impact → Risk)
    "Risk appetite, at the organisational level, is the amount of risk exposure, or potential adverse impact from an event, that the organisation is willing to accept/retain." (Mark Carey, Deloitte & Touche LLP)
    An economically-conditioned balance between maintaining profitability while not facing reputational exposure through culpable risk-mitigation failure. (The presenter's own definition)
  • 7. Risk Appetite Illustrated in Counter Terrorism
    Levels of resilience to the effects of blast: Life Safety; Life Safety + Evacuation; Economic Reinstatement; Operational Continuity.
    All of which is a little counterintuitive, given that organisations normally say that they want to be operationally viable after a catastrophic event.
  • 8. Questions that might guide Risk Appetite
    Identify headline risk impacts on life safety, economic reinstatement or reputation.
    What adjacencies might increase or decrease risks?
    What are the acceptable norms for protecting the business? Are there standards we can use as a benchmark?
    What risks can be treated, transferred or terminated, and what is left to tolerate? The latter lies at the core of risk appetite.
    Is there an Enterprise Risk Management process that includes protective security?
    Who reviews risk, and how often?
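The risk calculus of slide 4, the likelihood-versus-impact conundrum of slide 5 and the treat/transfer/terminate/tolerate split of slide 8 can be carried through as one small risk register. The following is a worked example added to this page; it is not material from the presentation or from Arup. The slides name the factors but give no formula, so the ordinal 1..5 scales, the products used for threat and impact, the normalisation of likelihood against the most likely threat in the register, the appetite value and the sample register itself are all assumptions chosen for illustration.

```python
"""Relative risk ranking against a stated risk appetite.

Worked example added to this page; it is not from the presentation.
The slides name the factors (threat = capability, intent, access;
impact = vulnerability and cost of denial/loss; relative rather than
absolute likelihood; risk appetite as the tolerate threshold) but give
no formula, so the 1..5 ordinal scales, the products below and the
sample register are assumptions constructed for illustration.
"""
from dataclasses import dataclass, replace
from fractions import Fraction

SCALE = range(1, 6)  # ordinal 1 (low) .. 5 (high); assumed, not from the slides
ABOVE = "treat / transfer / terminate"
TOLERATE = "tolerate"


@dataclass(frozen=True)
class Threat:
    name: str
    capability: int     # adversary capability, judged from history
    intent: int         # adversary intent
    access: int         # access to targets (insider access counts here)
    vulnerability: int  # asset / process vulnerability
    cost_of_loss: int   # cost of denial or loss

    def __post_init__(self):
        for f in ("capability", "intent", "access", "vulnerability", "cost_of_loss"):
            if getattr(self, f) not in SCALE:
                raise ValueError(f"{self.name}: {f} must be in 1..5")


def threat_score(t: Threat) -> int:
    # An adversary needs all three; the scale starts at 1 rather than 0 so
    # that a weak factor lowers the product instead of zeroing it.
    return t.capability * t.intent * t.access


def impact(t: Threat) -> int:
    return t.vulnerability * t.cost_of_loss


def relative_likelihood(register):
    """No absolute likelihoods: score each threat against the most
    likely one in the register, so the top threat gets exactly 1."""
    top = max(threat_score(t) for t in register)
    return {t.name: Fraction(threat_score(t), top) for t in register}


def assess(register, appetite):
    """Risk = relative likelihood x impact, ranked highest first, with the
    tolerate / must-act decision against the stated appetite. The inputs
    stay in each row so the register doubles as the audit trail."""
    lik = relative_likelihood(register)
    rows = []
    for t in register:
        risk = lik[t.name] * impact(t)
        decision = TOLERATE if risk <= appetite else ABOVE
        rows.append({"threat": t.name, "likelihood": lik[t.name],
                     "impact": impact(t), "risk": risk,
                     "decision": decision, "inputs": t})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def still_above_appetite(register, appetite, treatments):
    """treatments maps threat name -> vulnerability score left after the
    proposed control. Returns the threats whose residual risk is still
    above appetite, i.e. where the proposed mitigation is not sufficient."""
    treated = [replace(t, vulnerability=treatments[t.name]) if t.name in treatments else t
               for t in register]
    return [r["threat"] for r in assess(treated, appetite) if r["risk"] > appetite]


# Constructed sample register for a single site; the numbers are illustrative only.
REGISTER = [
    Threat("Terrorism", capability=4, intent=3, access=2, vulnerability=4, cost_of_loss=5),
    Threat("Theft / insider threat / burglary", 2, 4, 5, 3, 2),
    Threat("Workplace intimidation / violence", 2, 3, 4, 3, 3),
    Threat("Arson", 2, 2, 3, 3, 4),
    Threat("Criminal damage", 2, 4, 5, 4, 1),
    Threat("Civil disorder", 3, 2, 2, 2, 2),
    Threat("Nuisance", 1, 5, 5, 2, 1),
]
APPETITE = 5  # maximum risk score the board agrees to retain (assumed value)

if __name__ == "__main__":
    for r in assess(REGISTER, APPETITE):
        print(f"{r['threat']:<36} L={float(r['likelihood']):.2f} "
              f"I={r['impact']:>2} risk={float(r['risk']):5.2f}  {r['decision']}")
    # Proposed controls, expressed as the vulnerability score they leave behind.
    proposed = {"Terrorism": 2, "Theft / insider threat / burglary": 2,
                "Workplace intimidation / violence": 2}
    print("still above appetite after treatment:",
          still_above_appetite(REGISTER, APPETITE, proposed))
```

With these sample scores terrorism ranks first although it has one of the lowest relative likelihoods in the register, which is the shape of the conundrum on slide 5, and the residual check reports that halving the terrorism vulnerability score still leaves it above the agreed appetite: the proposed control is not sufficient on its own, and the decision and its inputs are recorded rather than assumed.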
  • 9. Boardroom Views on Security
    Struggles to show real benefit beyond the simplistic (e.g. effects on stock shrinkage); ROI badly researched.
    Often ugly and oppressive, with a default setting of heavy-duty rather than subtle technologies.
    Adds operational friction: it slows people and stuff down.
    Laced full of confusing standards that often do not offer advice on sub-optimal 'fixes': always the Rolls Royce, never the Honda Civic.
    Never linked to sustainability targets, e.g. 'Carbon Cost of Crime'.
  • 10. Preparedness in the Private Sector
    A survey of 263 senior executives from various companies examined how they approach resilience and security.
    Five key areas were examined: physical security, IT security, business continuity, crisis management, and pandemic planning.
    Approximately 50% said IT security, business continuity, and crisis management at their company were "completely" or "very coordinated" with enterprise risk management, while only 43% said the same about physical security.
    21% of companies surveyed had a co-ordinator that oversees all five preparedness areas.
    The key concerns were: risk versus opportunity, due diligence and duty of care (compliance and reputation protection).
  • 11. Our Clients Want
    Easy-to-understand risk analysis and deductions.
    Just enough, with an audit trail for what was agreed on and why.
    Scalability: things change and systems need to adapt.
    Early intervention: security as an afterthought is ugly and expensive.
    A balance between security technology and operations: Capex versus Opex.
    Value-added in security solutions.
    To be convinced of a return on investment, not just financial.
    Functional and management convergence: traditional stovepipes are challenged.
  • 12. Design-Based Solutions
    The trend is towards Internet Protocol solutions, but buyer beware!
    Convergence onto unified ICT networks, but....
    Convergence of building management systems: intelligent buildings.
    Smarter devices deployed, with on-board processing.
    Adaptable plug and play (e.g. PoE, Power over Ethernet).
    Biometrics and reliable recognition.
    Stand-off detection and automated tracking.
    Physical Security Information Management (PSIM).
  • 13. Operations-based Solutions
    Unified command and control: moving security to business areas that are the ERM focus.
    Human Capital Risk: managing the insider threat.
    Boardroom education on the value adds.
    'Red-teaming': thinking adversary.
    Professionally develop your capable guardians.
    Test and validate plans.
    Sharing best practice: co-ordinate resilience planning with other stakeholders (e.g. telecoms and lifeline utilities, local blue-light responders etc.).
    Professional organisation memberships, e.g. CSARN.
  • 14. Standards, Best-practice and References
    BS 25999-1:2006 & BS 25999-2:2007, business continuity management code of practice and specification (since withdrawn and superseded by ISO 22301).
    ASIS International SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity Management Systems – Requirements with Guidance for Use, and other references.
    US National Fire Protection Association 1600, Standard on Disaster/Emergency Management and Business Continuity Programs.
    The Conference Board report 'Preparedness in the Private Sector – 2011'.
    Organisation-specific, e.g. BCO.
  • 15. Key Takeaways
    You cannot mitigate everything, so figure out what you can handle as risk appetite (easier said than done).
    Doing nothing is not an option, but mitigation sufficiency is linked to risk appetite.
    Get a risk assessment done, and one that offers deductions for the best protective fit against form, function and budget.
    Scalability: things change (think about review programmes).
    Have an audit trail for what was agreed on and why.
    Do it early, because security as an afterthought is ugly and expensive (and think sustainability).
    Think about balances between security technology and operations: ROI is important.