Doug Bedell — March 12, 2009, 8:03 am

Security Inspections have ‘Involvement’ Benefits

Security inspections (“risk assessments” is a fancier term) can demonstrate the value in developing and maintaining security awareness, George Campbell writes in Security Technology Executive. Here’s how they’re done:

“The Chief Security Officer,” Campbell explains, “selected security team leaders on all shifts, and at a planning session they reviewed the existing data to target-specific concerns. The teams concluded unanimously that the most potentially impactful security gaps were associated with the protection of proprietary information. Teams then conducted a test run on each shift at each location to further refine the focus of the inspection routines. Security did not advise the business leaders that these inspections were to take place. Anticipating that business leaders may claim that the results were invalid because security has special access, the teams agreed to limit discoveries to those that could be made by any individual having authorized or unauthorized access to the spaces. After defining these parameters, Security conducted 25 inspections at each of the four business units.”

Findings included unsecured confidential documents, absence of physical security controls, unsecured laptops and computer access credentials, poor physical access credentials and the ability to obtain confidential data from key business partners.

As an unexpected benefit from the exercises, Campbell adds, “The security officers who were assigned the inspection and follow-up tasks collectively expressed a desire to continue the practice in all facilities on a larger scale of potential risks, and they noted that these activities made them feel like this was truly meaningful work and they were delivering tangible value to the company’s risk management program.”

In short, give security officers meaningful things to do and everybody gains.
