By Tony Haddad
Physical security assets are often high-value assets of significance to an organisation, and are costly to procure and maintain. When seeking to secure budget approval of a new security system, the typical business case will focus on the cost of installation. The client will traditionally document the requirements, at times with the assistance of a specialised security consultant, and these requirements will then form the basis of a request for tender or approach to market.
In some cases, an organisation will consider a well-prepared business case for capital expenditure, and approve such a request. These can range in cost from a few hundred thousand dollars to several million dollars. The risk is that the business case is based upon a business need which is valid, and a cost estimate that is for the supply and installation of the solution; but is it fit for purpose and will it be up to the task?
In many cases, a client will explain the design to the security consultant, provide floor plans that have been marked up with locations of card readers, CCTV cameras and, in some cases, even detail bollard locations. But is this the right approach?
The consultant might now be locked into a conversation about how to technically deliver a security solution that the client has designed. However, the conversation should not be around how many card readers or cameras are required. This is simply asking for trouble and should start to sound alarms in the mind of the consultant.
This article discusses a strategic approach to physical security; this involves an understanding of the security risk posture of the client, often attained by way of a security risk assessment or site survey, understanding the design objective (which is another way of saying ‘what does the client really want to get out of the overall performance of the system’) and the technology mix required to achieve it. Subconsciously, the client already knows the answers to these questions, even if the design objective has not been documented.
This is the ‘understanding and educating your customer phase’; strategic security consultants have an obligation to ask the difficult questions and challenge the typical status quo. This is not easy to do in some cases, as the client typically wants the consultant to finish the specification quickly to allow the tender process to commence.
Having a considered and comprehensive physical security strategy in place will guide the security consultant to ensure that the security solution is fit for purpose and tailored to meet the client’s needs, as opposed to copying and pasting from a specification from a previous job.
There are other considerations that need to be articulated at this stage that are critical to the client’s ability to satisfactorily operate and maintain a security solution that was initially expensive to install. End-users need to understand the limitations of the selected security solution, such as median times between failures and the life expectancy of each of the individual components that, together, make up the security solution.
A newly installed security system will almost always come with a 12-month defects liability period (DLP); this is not always aligned to the warranty periods of individual products. Many products offer longer warranty periods these days, even as much as three years on some elements.
In some cases, the maintenance strategy has not been particularly well thought out. Typically, the approach adopted tends to be a reactive maintenance approach. This can occur for a number of reasons, although almost certainly it is due to the lack of a well-considered and defined strategy.
What will be the approach to maintaining the system/s and will it be based upon a pre-determined strategy? There are a number of maintenance approaches that might be appropriate, including:
- reactive maintenance (breakdown or run-to-failure maintenance)
- preventive maintenance (time-based maintenance)
- predictive maintenance (condition-based maintenance)
- reliability centred maintenance (pro-active or prevention maintenance)
Critical to the type of maintenance program an end-user elects to adopt, it needs to be based upon the:
- security risk exposure
- risk appetite
- the level of assurance expected from the system
The maintenance strategy has to be considered and should form part of the business case. The costs to achieve the desired state need to be understood up front and budgeted for to avoid expensive reactive maintenance in as little as a few years’ time.
Another critical aspect of the strategy is what emerging security-related technology is on the radar, and whether the security solution will be replaced at a point in time.
It is recommended that the strategy be well defined and documented from the onset; planning for a replacement system should ideally be part of the initial procurement strategy and vision. In essence, when planning for a security system, organisations should also be beginning to think about the replacement system.
Essentially, it is critical to understand what the long-term plan is for the system to ensure an organisation is not over-capitalising on the maintenance of the system and is maximising its return on investment (ROI).
Security System Refresh Program
It is essential to understand what depreciation schedule will be applied to the assets from the finance team and to align the depreciation schedule with the recommendations from the product manufacturer.
As mentioned earlier, it is important to understand the life expectancy of each item and factor these costs into the security program. This should be included in the business case and the costs articulated to the approving entity.
The convergence of physical and cyber has been an exciting space to watch, and for many it has been a sigh of relief as more and more security systems leverage existing network infrastructure in place in many organisations and, thankfully, the technology is no longer foreign to colleagues operating in the cyber space.
This does introduce some risk, with the IT security manager typically having reservations about the on-boarding of a security system onto the network. However, these are easily overcome by penetration testing of the devices, which most manufacturers are happy to provide assistance with, and the logical separation of networks to accommodate virtually separated networks.
Do all these advancements mean that the security system can be handed over to the IT department to manage? In some cases, yes, and in many others, not quite. The relationship and accountability will continue to be a shared one. In saying that, the business case should clearly articulate each device’s end of life as stated by the equipment’s manufacturer, and a replacement schedule developed to ensure the system is refreshed accordingly. A key consideration as to when certain aspects of the security system are refreshed will be the depreciation schedule that is applied.
There are some clear and obvious differences between an IT system and a security system; however, these differences are slowly becoming less and less.
Before any organisation considers a security system, it is strongly recommended that the following questions are satisfied:
- What is the security strategy?
- What is expected from the system?
- Will it address the strategy?
- How will the system operate?
- Who will be operating the system?
- How much assurance is expected from the system?
Finally, each organisation should have a physical security strategy that forecasts the security technology strategy over a 10-year period.