Risk UK April 2017
Security Services: Best Practice Casebook

security market begins to benefit from the platform created as it moves into the next logical phase of the industry’s future.

The demand for change is being fuelled by increasing levels of expectation and a requirement for flexibility in service provision called for by today’s discerning clients. Key transformations are beginning to emerge, namely specialism and expertise.

Specialism and expertise

First, there are the large-scale, national and/or multinational businesses. They offer a wide range of security and facility services, and are predominantly (although not exclusively) focused on high value and potentially multi-service contracts. There’s a clear demand for this capability. Competitors simply don’t have the capability or scalability to compete, and nor should they attempt to do so.

Second, there are organisations that will continue to focus on specialist services, skills, clients, contract sizes and geographies, etc. These businesses truly understand their core role and continue to be selective in how they target growth and assess their value proposition. Our own organisation falls into this category. We’re focused on the central London market. We know full well that our model doesn’t fit everyone and we fully understand our capability. We’re aware, for example, that we don’t have the infrastructure to deliver national accounts with multiple low value contracts, so we don’t try to do so.

Third, the area where it’s possible to see accelerated development in 2017, and which to some degree is the most interesting, is that of collaborative business partnerships incorporating convergence and the alignment of operational and security strategies.

Security suppliers with specific expertise will be working collaboratively to deliver high-performing, flexible and complementary solutions. The convergence of physical and cyber security delivers improved information sharing on risks and can result in synergies and more effective leveraging of resources.

Convergence can provide the benefit of comprehensive capability, but with no dilution in expertise. Individual solution providers will heighten their knowledge and competencies. In most cases, there’s a clear lead on provision.

To position this, security is – and should only ever be – a supporting functionality that’s there to enable a client’s core business. Many business operations typically work in separate silos and use different information and tools. This can lead to overlapping processes and higher costs. To alleviate inefficiencies, there will be a move towards integrating operational and security risk management.

Integrating disciplines

Often, organisations manage operational risk and security risk separately. This incorporates areas such as threat and vulnerability management and continuous monitoring as well as incident management.

Security risk management isn’t just about security operations, but rather a bottom-up approach that drives ‘actionability’ against threats, vulnerabilities and incidents in order to provide assurances for businesses.

While separating operational and security risk management has been common practice, dynamic changes in the threat landscape are forcing organisations to integrate the two disciplines and therefore gain a more holistic view of risk. The unfortunate truth is that one can schedule an audit, but one cannot schedule an attack, in any of its various forms.

In light of this, an integrated approach to risk that takes compliance, threats and vulnerabilities as well as business impact into account will become Best Practice. Without a clear understanding of the business criticality that an asset represents, an organisation is unable to prioritise its efforts. A risk-driven approach addresses both security and business impact to increase operational efficiencies, improve assessment accuracy, reduce attacks and enhance investment decision-making.

The transition from the traditional client/contractor relationship into genuine partner and trusted advisor, and from a compliance-driven approach to a risk-based model, enables businesses to evaluate the ongoing definition, remediation and analysis of their risk.

Remote access is an increasing risk, and indeed for many organisations has become their key security focus. Furthermore, the insider threat remains a concern given the deluge of interconnected devices available.

Looking ahead, the industry will continue to be subject to evolution rather than revolution in the short term, but the pace of and appetite for change are increasing. If you look closely enough, business models are becoming more specific, technically competent and sophisticated. This is a critical factor for success when it comes to corporate stability.

Paul Harvey: Commercial Director of Ultimate Security Services

“There appears little appetite from the Government to push forward with the proposed agenda of compulsory business licensing. Nor does there seem to be significant progression in the SIA’s Approved Contractor Scheme”

www.risk-uk.com