Pamela Perini, certified PSP and president of Pamela Perini Consulting, talks to Security about her journey through security and the process of risk assessment. She also touches on the importance of certification in the security industry and factors to consider when designing a security program.
Security magazine: Tell me about the process of risk assessment.
Pamela Perini: Risk is the potential for an unwanted outcome resulting from an event, incident, or occurrence. Risk typically has a negative impact, but does sometimes also have a positive impact. When we look at risk, we have to first identify assets. Those can be people, which is typically the most important. An asset can be data — somebody breaches a system or some sort of a database critical to operation of a business. We look at threats and hazards, what may cause risk to any business. After, we must look at the probability of occurrence and then what that hazard impact would be on the business.
Each individual type of business [has] different risks. An example of that is corrections. If you go into a prison, [it’s] probably going to have more internal risks and threats than external risks — we’re not expecting somebody to come from the outside in and cause a hazard or be a risk, we would worry more about internal risks. When we look at a K-12 school, there are typically more external risks — the threat of the hazard is somebody coming in from the outside and potentially causing a bad outcome in a school that would have high impact, potentially lethal, to a school.
Depending upon the business, we look at the potential impact and then whether or not it is worth mitigating that risk. Budgets also play into effect — how do we do what we want to do with the money that we have? Many companies and organizations do not have the funding to support the security programs that they want to implement, so they need to actually take those risks and mitigate them in other ways. Do they accept the risk? Do they mitigate a risk? Or can they transfer risk to something else? Can you get insurance to cover the risk? There are various ways that a company or an entity can mitigate a risk.
Security magazine: Is there a cookie-cutter approach or blanket-approach to risk assessment?
Perini: People cannot do a blanket risk assessment; there really is no such thing because their ability to work with a potential impact or outcome is going to differ by business or by the entity or organization — one [might be] far more able to absorb an outcome and another might not. You can’t take a risk assessment for a prison and apply it to a risk assessment for a school. It just doesn’t work out that way. Then if you think about it, you don’t expect to see tons of security in K-12 schools. You can’t institutionalize a school with devices — it doesn't provide a learning environment for the children. We go back to the prisons, and they are expecting cameras everywhere, and they are okay with institutionalizing a prison because it is an institution.
There [are] three fairly distinct things to think about within [security] program design. We need to think about the technical considerations, which are the electronics — the access control, the CCTV, the intrusion detection. We need to look at the physical components — the doors, gates, entrances, and any sort of landscaping on the outside of a building. Then we need to look at the operational components — we have people, policies, procedures, and the like that we need to put in place in order for the people part and the operational part to actually work effectively and efficiently. It is important for enforcement to be recognized as well because without enforcement, there is no policy or procedure. Without one of those three key components — the technical components, the physical components, and the operational components — your security program is not at the strength level that it needs to be. You need to reevaluate and make changes where need be.
Security magazine: What is the importance of certification [for a security consultant or integrator] and how does it make someone stand out in the security industry?
Perini: Certification is something that is terrifically important in my eyes and in many people's eyes in the security world. The challenge with security is that it is [constantly] changing. We started years ago from hard-wired items and now we're into wireless devices and various other means of transmission of data that is associated with security. There are a number of things that are important that you will get from a certification versus something you will just learn as an electrical engineer or the like. A certification is going to give you different types of information and different approaches for security in general.
You need to look at things like CPTED — Crime Prevention Through Environmental Design. The electrical engineer would just look at positioning of cameras and location of cameras, whereas with CPTED, you're going to look at things like placement of trees, walkways and paths, signage for direction of flow of people. There are many other items that need to be considered that you learn through certification that you would not learn through being just a simple electrical engineer. I work with electrical engineers all the time and we have complementary strengths.
The above transcript has been edited for clarity.
To hear much more from this conversation, listen to The Security Podcast with Pamela Perini here.