Analyzing Security Essentials

Developing a comprehensive security plan requires methodical and deliberate analysis. Starting with a macro understanding of an organization and progressing to micro security tasks, it takes structure to compile and analyze a security plan. The resulting series of recommendations are orchestrated to complement and support each other.

It is a formidable undertaking, because few industry models exist. Few security programs are products of a comprehensive analysis; most are developed on an ad-hoc basis in response to a security incident. In fact, many security operations are designed for investigations after an event occurs, not for prevention.

The object of a security analysis is to identify security exposures in a methodical and thorough manner so that a security program is based on broad analysis and not simply on the last security incident. Analysis ensures that expenditures for security are directed appropriately based on local needs, thus protecting critical resources while accepting the risks stemming from lesser concerns.

The goal, however, is not to develop a foolproof security plan. An underlying concept is that an asset cannot be protected completely, without absorbing extravagant costs and without inhibiting business operations. The goal instead is to make it difficult — but not impossible — for an adversary to breach security. The level of difficulty depends upon the value of the asset and the organization's tolerance for risk.

The analysis process is divided into five phases: asset definition; threat assessment; vulnerability analysis; selection of countermeasures; and implementation. The process is arranged for a deliberate analysis and requires completion of each phase before proceeding to the next.

Asset Definition

Asset definition begins with a broad understanding of the organization's operation, its tasks and functions, and its operating environment. At the beginning of an analysis, interviews are conducted with the organization's management and operating personnel to identify the resources essential for operations. This includes production equipment, operating systems, raw materials, finished product, inventory control and management systems, and the infrastructure of power, water, natural gas and telecommunications. Often, intangible assets are the most significant and are only discernible by examining the organization's operation beyond surface appearances. In effect, this step defines targets for attack.

Each asset may be further subdivided into micro components. An analysis may indicate that a particular asset must be defined in detail because of its criticality. Information technology is an example of the generally defined asset that may be further subdivided into an extensive list of system components, including equipment hardware, operating systems, applications software, database management systems, telecommunications and system documentation.

Both tangible and intangible assets should be categorized as vital (the loss would prove catastrophic); important (the loss would prove seriously disruptive but survivable); or secondary (the loss would be relatively insignificant).

Threat Assessment

A comprehensive security plan requires a broad definition of threats so that a range of exposures is considered. Through the analysis, the focus should narrow to target those threats that are deemed the most applicable.

Assessment begins by compiling data on past security incidents, including incidents at the site, within the company and within the industry. Determine if patterns of criminal behavior exist and define their nature. Review loss records, safety records and legal judgments involving the organization. Consult the company's legal counsel and examine court settlements to identify exposures with an implication for security.

Conduct interviews with management, insurance underwriters and local emergency management authorities to identify applicable threats. Review criminal data and compare crime rates for the nation, state, metropolitan statistical area, and the municipality.

Identify threats unique to the area and to the organization; locations where concentrations of hazardous materials are stored; and transportation avenues commonly used for transport of materials. Consider threats that may not have occurred yet, but are applicable because of the nature of the business and because of political and social issues.

A threat assessment is a qualitative analysis, although some quantitative techniques are used. It is important to emphasize that an assessment is a snapshot in time. As circumstances change, so does the threat environment. Consequently, the assessment must be updated to ensure that the security program is consistent with the needs of the time.

Each threat should be categorized as probable (expect the event to occur); possible (circumstances are conducive for an event); or unlikely (do not anticipate the event to occur). The severity of each issue should also be categorized as catastrophic (a disastrous event); moderate (a survivable event); or insignificant (relatively inconsequential).

Vulnerability Analysis

Security countermeasures represent obstacles in the path of a threat event. The objective is to make the event less likely to occur by making it more difficult for a perpetrator to accomplish the deed. Before introducing obstacles, however, the process for an event must be defined. Vulnerability analysis provides a mechanism for construction of security event scenarios defined in step-by-step detail.

Representatives of the organization with extensive knowledge of its inner workings should construct the scenarios. The team assumes the role of a criminal attacking the organization, which allows key points of vulnerability to be identified. Security plans designed to thwart the informed insider will be equally, if not more, effective when applied to the external criminal. This exercise highlights points of vulnerability and provides a framework for the subsequent phase, the selection of security countermeasures. The vulnerability analysis creates protection sets; meaning that it clearly establishes a focused problem to be resolved through application of security countermeasures. These protection sets are best illustrated by creating a spreadsheet correlating assets and threats and noting which assets are exposed to which specific threats.

Each scenario should have spreadsheet entries focused on plausibility (Is the scenario too far-fetched?); consequences of the event; and the amount of risk the organization is willing to accept.

Selection of Security Countermeasures

Just as a patient may be harmed by improper medication, an organization's security posture may be weakened, if not compromised, by improper application of security countermeasures. The exercise is more art than science, requiring a collaborative effort of management and security staff to arrive at a program consistent with an organization's needs.

Security countermeasures can include electronic security systems, physical barriers, security personnel and policies and procedures.

Electronic security systems encompass access control, detection, surveillance and evidence gathering. Subsystems may include intrusion detection, access control, duress alarms, CCTV, intercoms, radios, public address systems, life safety and telephone systems.

Physical and psychological barriers are applied to prevent access to a target. Physical barriers include vaults, safes, vehicle barriers, fences and gates, bullet-resistant materials, barbed wire, mantraps, vehicle traps, armored cars, mechanical locking systems, vehicle speed bumps and curbing, bomb-resistant structures, lighting, shielding, penetration-resistant panels, and landscaping.

Security personnel perform a variety of duties including the operation of electronic systems, manual control of fixed post duties, and roving patrols. Most guard operations are designed to observe events and report incidents to law enforcement authorities. In some cases, officers are armed and trained to intervene in events.

Policies state management's position and philosophy on business issues and practices. Procedures define the means for implementing the policy. This is a critical part of a security program. It defines programs and processes that are essential for security mechanisms to be effective.

Implementation

In this phase recommendations are transformed into specifications for people, systems and policies. The objective is to translate the security plan into bidding and purchasing documents and procedures, and organizational programs and processes. Learn more at Millennium Group Access Control.

Avoid wasting your limited marketing dollars

Avoid wasting your limited marketing dollars on an expensive image-advertising campaign that won't affect short-term results. Instead, let the quality of your response materials and Web site do the job of enhancing your company's image.

Rather than doing less-effective "shotgun" mailings to rented lists, consider repeat mailings targeted at known prospects (such as past inquirers).

If you don't have your own e-mail lists to market to, consider renting e-mail lists from publishers or placing ads in other targeted e-newsletters or e-zines. These can be very economical ways to reach your market and generate a quick response.

Edit your releases with the magazine's editorial focus, style and readers in mind and you'll increase the chance the publication or Web site will publish your information.

Web sites

A few cost-effective changes can dramatically improve your corporate Web site's marketing return on investment. To increase inquiries from your Web site's visitors, Make offers or calls-to-action on every page. Work with other organizations to link your site to their sites, increasing the number of visitors to yours. Register your web site with search engines, selecting keywords carefully so your site will appear in the search results for your intended audience. Post articles and case studies on your site, then register those individual web pages with the search engines.

Strategy

7. Determine the "pain" your products and services address
8. Determine the "pain relief" your company can provide
9. Determine your company's competitive advantages and how best to articulate them
10. Determine the best companies and contacts to target with your lead generation efforts

Testimonial ads are king

Talk first person with the reader

Use words in your copy like "you" and "your" to focus on the readers' needs rather than boasting about how good "we" and "our" products or services are. For example, the statement "You will get the work done 25% quicker" is much stronger than "Our product is 25% faster than the competition."

The best way to boost direct mail response is to have a strong offer—that is, a targeted offer that will entice prospects to respond.

Successful direct mail marketers understand that campaign success relies on the list and the offer. Determine why you're mailing to people, and then ensure that your list and offer support your objective. Your response rate will be much higher in terms of "qualified" inquiries.

, it is much better to have in the database 10 individuals at each of 1,000 companies than to have one individual at 10,000 firms.

If you need additional demographic information about the contacts' or companies' industry, size, etc. for your direct marketing solutions, check with some of the business database companies like Dunn & Bradstreet (www.dnb.com) or InfoUSA.com (www.infousa.com). Or contact the publishers of the trade magazines you advertise in. They usually offer database services to their advertisers.

All leads and business cards go into your CRM system ASAP

Think about offers you can make that will entice visitors to identify and qualify themselves. Can you create a free guide for selecting your kinds of products or services? Can you offer a white paper that explains how their kind of operation is successfully using your product or service to solve problems? If so, use it as bait for having your visitors share their names, titles, company names and contact information.

Email

If you have email addresses for your prospects and customers, but they haven't expressed interest in hearing from your company by email, be sure to politely ask their permission before starting a campaign. I recommend that you ask them how they prefer to be contacted. By email? Fax? Snail mail? Telephone?

Directories

Print directories are handy, and online directories are always up to date. Most directory publishers are publishing both, frequently offering you exposure in both mediums for the same price. Keep in mind that directories are often where buyers look when they are seeking new suppliers and have immediate needs.

Web site

• The size of organizations your company serves? large? medium? small?
• The geographies you serve? local areas? states? countries? regions of the world?
• Explain why your company is a better choice than the competition?
• Address your prospective customers' needs from their point of view?
• Did you include the more popular keywords and phrases in your
• URLs?
• Page titles?
• Headlines?
• Body copy?
• Text links?
• Are you loading your text before your graphics and Flash animations in the source code of your various web pages?
• Are you giving your graphics file names that include relevant keywords?

         Are you including keywords and phrases in <alt> tags for each of your graphics?

• Have you included a site map on your home page, pointing to all of your site's individual pages?
• Does your site map include lots of keywords and phrases in the page links and descriptive copy for each page of your Web site?

Add privacy

• Have you included a link to your Web site in every appropriate online directory you can find?
• Adding new pages to your site that include in-depth content related to the most popular relevant keywords and phrases?
• Consider using pay-per-click ads as a temporary solution while you work to optimize your Web site for organic searching.

First, I believe you should focus on optimizing your website for visitors, helping them move from awareness to consideration to inquiry to purchase, before you worry about search engine optimization (SEO). Learn more at Millennium Group Access Control