“What he doesn’t know won’t hurt him!” This statement, whether it is intended for one person or for an entire industry, could pose a serious problem. The statement represents an unknown threat—what we do not know—that can really hurt us.

Consolidation within the electronic security industry today is posing two unknown threats to security providers—commoditization and specialization of the industry. And the industry is beginning to consider the unintended consequences.

Clients want security providers with a complete understanding of the whole security mix. The more educated these companies are about the entire industry, the more likely they will succeed in the future. Yet many providers are largely still focused on their own specialty, to the exclusion of others.

Many Security Providers Create a Service Gap

Much of the electronic security market lends itself to mass-market solutions, which result in the commoditization of the industry. It is far more efficient for large manufacturers to deliver mass-market solutions than to custom-tailor an individual solution for each new client.  These areas include residential and small commercial security technology markets. And, much of the guard market yields good results in standardized practices and training.

But with large integrated systems, they do not do well with the “one size fits all” solution. This market requires custom engineering and installation practices—highly specialized skills for successful projects. This level of specialization can kill the profitability of a company that has focused on mass-marketed solutions.

End users have several security concerns that are addressed by having electronic security installed. But if a security provider installs a security system, is the system considered to be the end-all solution to what the company wants to protect?

End Users Pay Price After Threats Are Discovered

Because some providers only specialize in one area of security, other potential threats and vulnerabilities may fall through the cracks.

For example, a freight company that had an electronic security system had also been offered threat and vulnerability assessment (TVA) services to uncover further potential threats and vulnerabilities. The company turned the offer down because it considered the services as being too expensive. However, the losses suffered between the time of proposal for the services and an undercover investigation on insider theft that took place later on would have covered the TVA costs many times over.

Apparently, items coming into the freight company’s receiving department were disappearing. Daniel Sullivan, a retired deputy chief for the Los Angeles Police Department who was assigned to the case, noticed that one person had been running both shipping and receiving docks located next to each other. Sullivan spoke with the shipping/receiving manager and concluded that something didn’t feel right.

The freight company conducted a background check and determined that the shipping/receiving manager had a criminal background, as did several other of its employees. An undercover investigation followed and netted a ring of thieves, including drivers and employees.

Every asset is protected from threats by security countermeasures, but vulnerabilities allow threats to get through.

Another scenario comes from a technical security countermeasures (TSCM) consultant who was asked to find listening devices planted in an office that were used for a company’s top strategic planning meetings.

Information was getting out that could only be known by a select few, and the discussions only occurred in that room. The company had access control and cameras and had taken other measures to ensure that no unauthorized person could have access to the room. There had to have been a bug.

Upon investigating, the TSCM company discovered there was a clear acoustic path through ducting from the office where the secret meetings were being held to the company break room immediately below. In fact, because the management group often discussed employee issues, it was a quiet secret that employees could keep track of management employee policy by gathering quietly in the break room when the management meetings occurred.

Richard Hoffman, president of Microsearch Inc., the TSCM consulting company, says the client company had taken every reasonable intuitive step to solve the problem, except to analyze the threat and vulnerabilities. “It always astonishes me that organizations pay so much attention to business risks, but so little attention to security risks.”

Helping Define End Users’ Risk Management Package

In theory, business management is simple—generate revenue, collect money, deliver the product or service and spend less than you bring in. Not too complicated. But in this simple formula for success, there are many twists and turns, many dark paths. And sometimes, the occasional troll under the bridge wishing to collect unforeseen costs, or an employee or visitor just outright willing to do the organization harm for his or her own benefit.

That is what risk management is all about. It has many forms – insurance, safety and security programs – and good policies and procedures. All of these factors are designed to standardize the organization’s product and services and limit the potential for accidental or intentional harm.

Businesses, government and non-government entities spend huge sums on risk management. But risks must be quantifiable for risk management to work. And it is the unknown threat that can get organizations, for its defense cannot be planned.

Educate Yourself: Know a Company’s Weakest Links

Almost every threat can be countermeasured, if it can be foreseen; that is the trick.

Management is trained to understand how the organization is supposed to run, not how it is not supposed to run. But criminals and terrorists work on inverse logic. They look at an organization and see not a working organization, but a system with weak links. And they exploit the weak links.

Thomas L. Norman is a director of security and counterterrorism at TRC Security Consulting, a New York-based firm that specializes in problem-solving technologies and service. Norman can be reached at (212) 563-3933 or via E-mail at [email protected].

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Related Content