FOCUS TODAY - October 2002

Improving Club Security:
The Security Risk Assessment

 Jeremy Appel
Axiom Security

Private clubs present a challenging security environment for club managers.  Many are turning to security consultants for guidance.  This article provides practical information that club managers can use throughout a security consulting engagement to maximize its value and improve club security.

Even the most capable and diligent managers are continuously challenged to provide security in their private clubs.  Protecting the physical, information and human assets of most clubs and their members and preventing business disruptions in a dynamic environment is a monumental task.  Though accountable for managing and mitigating security risks, club managers have a wide variety of other responsibilities, which compete for limited time and resources. 

To successfully overcome the security challenge, club managers often turn to outside security consultants for guidance and expertise.  By becoming familiar with proven common-sense approaches, club managers can maximize the value of their security risk assessment consulting engagements.  The following process overview will help club managers understand what to expect from security consultants and how to ensure that their engagement deliverables provide the greatest value possible for the club. 

Align security objectives

Critical initial steps in a security risk assessment are identifying the club's security objectives and ensuring that they are aligned with its own strategic business objectives.  Managers at one club recently articulated the following security objectives:

1. Ensure the personal safety and privacy of members, guests and staff,

2. Protect club assets,

3. Improve financial results through cost reduction, and

4. Maintain a favorable perception among members.

Well-defined and well-aligned objectives must be specific, actionable and broadly agreed upon.  The first and third objectives meet these criteria; however, the second and fourth objectives require more work.

For instance, the second objective is not adequately specific unless it is supported by a list of the assets, prioritized by their strategic value to the club.  With such a list, it becomes much more actionable.  Replacement costs, brand identity, business continuity and member/public relations are among the criteria that may be considered to provide strategic value.  In prioritizing the strategic value of club assets, information assets, such as personal member information and confidential accounting data, as well as the information systems on which they reside, should not be overlooked.

The fourth objective is not adequately specific since different people may have a different idea of what constitutes a "favorable perception".  In this instance, some key personnel stated that unobtrusive security measures would be "favorable", because they would not seem invasive.  Others argued that security measures should be visible in order to deter illicit activity and elevate member confidence in the club's security program.

It is important to clearly and accurately define the security objectives, because they will become an essential yardstick against which existing and potential security controls will be measured. 

Know thy enemy

Once the objectives are established, threats must be identified and characterized.  By profiling threats, club managers can better understand what they are up against and how to concentrate their efforts.  Fundamental to the many models that consultants use for threat analysis is threat prioritization.  The aim is to focus security resources where they will be effective in combating mission-critical threats and efficient from both a cost and operational perspective.  Such focus is particularly important in private club management, because security resources in this environment are typically quite constrained.

A very simple method for prioritizing activities and allocating resources is to map the likelihood of occurrence of various threats that are of concern, as well as their potential impact to club operations, as illustrated in Figure 1.  Managers should concentrate on threats that are most probable and potentially disruptive or costly (i.e., in the upper-right quadrant). 

The greater the number and diversity of sources of information collected for this exercise, the more realistic and valuable it will be.  Consultants collect this information in many ways, including:

• Reviewing previous security analyses,

• Trending security and maintenance logs,

• Interviewing management, staff and members, and

• Obtaining local police crime statistics.

When conducting threat analyses, it is important to recognize the point of diminishing returns.  For example, for some clubs mapping "terrorism" may be worthwhile; however, mapping the many possible means of terrorism (e.g., car bomb, mail bomb, etc.) may be splitting hairs unnecessarily.  On the other hand, if "employee theft" is a concern, it may be worth drilling into further detail (e.g., theft of liquor and inventory, fraudulent use of the payroll time clock, etc.).  Determining the point of diminishing returns requires an understanding of the club's unique profile and history.

Baselining the "current state"

Having established clear objectives and prioritized threats, consultants evaluate existing security controls.  Qualitative and quantitative methods are useful in determining how effective, efficient and appropriate these controls are against the threats.  These methods can be used for controls in both the physical and information security disciplines.  Figure 2, however, only illustrates an evaluation of a variety of physical security controls, because these are so common in the club environment.

In evaluating existing security controls, consultants should consider each system holistically.  Club managers should support inquiries on how people, processes and technology combine to provide security results.

Bridging the gap

There is much that club personnel can do to make sure that their consultants deliver the most accurate and meaningful results possible and elevate the club's security from its current state to a more desirable state.  Of critical importance is providing the consultants full support throughout the engagement, especially during the current-state definition.  This typically includes compiling complete sets of data and documentation, as well as offering full access to club facilities and club employees who are either directly or indirectly involved in security operations.  The better club managers help consultants define the current state, the better consultants can help managers close the gap to the desired state.

To ensure that consultants recognize the club's realistic budgetary and operational constraints, managers may require recommendations in the form of a phased roadmap.  Because managing security requires continuous improvement, security controls can be improved in appropriate incremental steps, each leveraging people, process and/or technology to achieve a better balance of effectiveness and efficiency of the club's overall security program.  By working with consultants to create a security master plan, club managers can realistically progress towards the desired state at an appropriate pace.

Closing caveats

Club managers should be leery of consultants who represent a particular product.  A common tactic that some product vendors who market themselves as "consultants" use is to offer free security risk assessments, at the end of which they recommend their own product.  Many legitimate consultants offer a broad product line.  While their recommendations are generally more customer-beneficial, they may only range across the product categories that they carry.  More sophisticated security consultants are product/service neutral.  Because these consultants maintain product neutrality, club managers can be assured that they are recommending appropriate solutions.

Failure to consider the relative mission-criticality of and linkages between physical and information security may undermine overall security effectiveness.  Club operations increasingly rely on information systems (e.g., member information, point of sale, facility management, accounting, employee time and attendance, access control, digital video, etc.).  These systems offer many manifestations of the convergence of physical security and information security.  To illustrate, consider the security vulnerability, operational inefficiency and customer relations impact that would result if the database of member and employee access privileges was corrupted or lost.  While the access control system is most often considered a physical security control, information security practices, such as business continuity and disaster recovery procedures, must be operationalized.  If systems don't fully leverage people, process and technology in supporting both physical security and information security disciplines, then the effectiveness and efficiency of overall club security may be jeopardized.

For additional information, please contact:

Jeremy Appel
Partner
Axiom Security LLC

Toll Free:  (866) 297-9997
Direct:  (773) 739-9003
www.axiomsecurity.com



Copyright © 2002 Private Club Advisor.  All rights reserved.