Protective Security Framework

Protective security is not a one-size-fits-all solution; rather, it requires a comprehensive and adaptive approach that takes into account the unique needs and challenges of each situation.

One of the fundamental principles of protective security is the concept of security risk management. By understanding the specific security threats facing a particular environment, organisation, asset or people, security professionals can identify potential risks and vulnerabilities and develop tailored strategies to reduce the residual risk exposure. In the words of Benjamin Franklin, “failing to prepare is preparing to fail”.

Good protective security is seen as a business enabler, supporting new opportunities and continued growth. By investing in protective security measures and adopting a proactive approach to risk management, businesses can safeguard their assets, reduce the security risk to their staff and customers and protect their reputation.

Unfortunately, no matter how well planned and prepared for, security threats do occur. Protective security also encompasses crisis management and emergency response. In the event of a security incident or threat, organisations must have plans and protocols in place to respond effectively and mitigate the impact, including coordinating with law enforcement and emergency services.

Post-event, security professionals will be working with and supporting their organisations to recover, learning from the incident and feeding that learning into the risk management cycle to reduce the likelihood of repeat events.

What is Protective Security Risk Management?

Protective security risk management (PSRM) is a structured approach used by security professionals to identify, manage and monitor security risks. It provides a systematic framework for understanding the threats, identifying risks and organisational vulnerabilities (or residual risks) and implementing appropriate security controls (policies, processes, procedures) to deter, detect, respond, delay (or deny) and recover from any security incident effectively.

Key Components

Protective security risk management programmes consist of three core principles that allow organisations to minimise risk:

  1. Identify:
     • Identifying and categorising assets. Security professionals recognise that an organisation’s assets (physical, cyber, information/data, and people, including staff, third-party suppliers and stakeholders) will be of interest to a range of threat actors. Identifying the organisation’s key assets (crown jewels) allows security professionals to prioritise protection around them.
     • Understanding the threat landscape. Assessing which threat actor groups, such as commercial competitors, criminals, terrorists and state actors, might be interested in the organisation due to the assets held.
     • Identifying security risks. Understanding threat actor intent and capability helps security professionals assess the likelihood of a particular security incident. Assessing that against the organisation’s critical assets and current mitigations (their vulnerability) can provide evidence of the potential impact should a particular security incident (risk) occur.
     • Prioritising vulnerability (residual risks). This final step helps security professionals prioritise resources to reduce risk to a level acceptable to the organisation (based on business needs, resources, etc.).
  2. Manage: This principle is focused on the practical activities needed to reduce the risk to an agreed level and includes:
     • Developing mitigation strategies. With the above information, security professionals can establish clear security governance, policies and procedures to support business operations, identify new security operational requirements (physical, cyber, personnel and technical) and define security roles, responsibilities and expectations for all.
     • Implementing countermeasures. Once strategies and resources have been agreed, these documents can be used to support tendering processes for technical specifications and key performance indicators for the “build phase”, which could be the design of a new CCTV layout, the protection of a new IT system or a behaviour change programme for staff to improve security culture.
  3. Monitor: The final principle of a good protective security risk management programme is assessing the effectiveness of any countermeasures put in place to reduce the identified risks.
     • Reviewing effectiveness and residual risks. Any countermeasures put in place need to be assessed against the risk they are trying to reduce. Are they effective? Have they impacted or changed any other risks, or created new risks? Audit, assurance and continuous monitoring are key.
     • Lessons learned. In the event of a security incident, it is important that investigations are carried out into what happened and why, and that the learning from this is fed back into the risk register.
