What, how and why of security

Issue 6 2020 Editor's Choice

We are aiming to educate those in leadership positions about the importance of commissioning regular independent security risk assessments. As a security advisor, it’s a continuous challenge to change the existing perceptions of CEOs/MDs and nowadays the procurement departments.

The two diagrams in this article both contain the exact same words, however, the only difference is the direction of the arrow which indicates the thinking pattern.

The first graph shows the thinking direction from the ‘what’ inwards to the ‘why’, whilst the second graph shows the thinking direction from the ‘why’ outwards to the ‘what’.

Most people approach security from the outside in, as displayed in the first graph. The ‘what’ in this case mostly refers to a product and this needs to be answered with ‘how’ and ‘why’.

What security products are we going to sell?

How will we accomplish this? This could either be how the salesperson will get the client to purchase the product, or how the product will be installed.

The ‘why’ refers to why do you need this specific product, why do you need to have it installed? Why will this product be effective?

The last part of this thinking direction, the ‘why’, will most probably not be answered because the action has already been taken. The product has been purchased and installed; the ‘why’ doesn’t really matter now anymore, does it?

It’s like spending money on a new pair of expensive running shoes because you get a free water bottle or a gym bag with your purchase. You purchased the shoes thinking about the freebies without really knowing why you need it. Even if you think about the ‘why’ later, it wouldn’t matter because you already purchased the shoes.

It might be the wrong running shoes for the type of running you do, or it might not be the right shoes for your feet. You will end up wasting a lot of money because you did not think about the ‘why’.



Turn it around

Now, in contrast with the first graph, the second one shows an outward thinking direction. This means that you are looking at and thinking about security from the inside towards the outside.

The first question you will ask is why do I need security? Simple: to cover your risk.

The next question will be how will we achieve the ‘why’? The ‘how’ question is answered with an independent security risk assessment. An independent security risk assessment will tell you what your risks are, and it will tell you how to fix it.

The last question, ‘what’, is also answered in the security risk assessment. What do you need? The solutions in the risk assessment will tell you exactly what you need.

Remember the running shoes? Well, when you think about it from the inside outwards, you will understand why you need running shoes. Your answer will depend on what type of running you do; for example, you might be into trail running, marathons or road races.

The different types of running will tell you what running shoes you need. How do you get those shoes? You go to a specialised running shoe store that specialises in the type of running shoes you are looking for.

Knowing why you need it and how to get it will ensure that you know exactly what to get, even if other shoes are on special or if you get heaps of freebies with walking shoes, you will know that you need trail running shoes as this is what serves your purpose best.

The same applies to security

When you understand why you need security (to eliminate your risk), how it is achieved (by implementing risk-specific solutions), you will understand exactly what you need to accomplish this (informed decision making when it comes to security hardware).

Practically, when you think from the outside inwards, you are thinking about the product first, which is the approach most security salespersons and security companies take. Thinking about the product without knowing what it needs to do in order to eliminate the risk could result in a waste of money, or worse, a false sense of security.

Believing that you are safe due to your security measures without knowing if it really covers your risks is far worse than having no security at all. When you don’t have any security and you know the dangers, people tend to be more vigilant and aware of their surroundings. On the other hand, when you think you have security and that you are safe, you become lax, complacent and oblivious to your surroundings, which is a very dangerous situation to be in.

This is the difference between a security company and a security risk assessor’s approach to security:

• A risk assessor starts from the inside, finding the risks and then moving on to find the solutions that fit the risks, not the other way around. The risks cannot be forced to fit the solutions.

• You are welcome to disagree, all I ask is that you show me the security risk assessment of your current security.

If you are thinking from the inside to the outside, you are thinking about what the client needs to eliminate the risk. However, when you think from the outside inwards, you first have a product in mind without considering the risk, which does not put the most important factor, the client, first.

Whilst the questions might be the same in both scenarios pertaining to the ‘why’, ‘how’ and ‘what’, the direction makes all the difference. In both graphs, the ‘how’ is in the middle, however, when you start from the inside, the ‘how’ will apply to the client whereas when you start from the outside, the ‘how’ will apply to the product.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Access & identity expectations for 2024
Technews Publishing IDEMIA ZKTeco Gallagher Salto Systems Africa Regal Distributors SA Reditron Editor's Choice Access Control & Identity Management Information Security AI & Data Analytics
What does 2024 have in store for the access and identity industry? SMART Security Solutions asked several industry players for their brief thoughts on what they expect this year.

Read more...
AI-driven identity verification for access control
C3 Shared Services Editor's Choice
Facial authentication solutions combine advanced AI and 3D sensing technologies with ease of use to create a frictionless, touchless experience. The deployment of this technology in an access control system keeps users and administration moving.

Read more...
Access and identity in 2024
Technews Publishing Gallagher HID Global IDEMIA Ideco Biometrics Enkulu Technologies neaMetrics Editor's Choice Access Control & Identity Management Integrated Solutions
SMART Security Solutions hosted a round table discussion with various players in the access and identity market, to find out what they experienced in the last year, as well as their expectations for 2024.

Read more...
The promise of mobile credentials
Technews Publishing Suprema neaMetrics HID Global Editor's Choice Access Control & Identity Management IoT & Automation
SMART Security Solutions examines the advantages and disadvantages of mobile credentials in a market dominated by cards and fobs, in which biometrics is viewed as a secure alternative.

Read more...
PQC, AI & sustainability: five cybersecurity trends for 2024
Editor's Choice
In this article, Nils Gerhardt looks at some of the most important developments that Utimaco experts see coming in 2024, both in technology and the wider world it intersects with.

Read more...
Protecting your business in the digital economy
Editor's Choice
Conducting business in the digital age has never been more challenging. In the Zero Trust cyber security model, nothing is more important than proactively safeguarding enterprise data.

Read more...
The human factor side of video management systems
Leaderware Editor's Choice Surveillance Risk Management & Resilience
A video management system (VMS) is central to, and the most vital element to any control room operation using CCTV as part of its service delivery, however, all too often, it is seen as a technical solution rather than an operational solution.

Read more...
Get the basics right to win more business
ServCraft Editor's Choice Risk Management & Resilience
The barriers to entry in security are not high. More people are adding CCTV and fencing to their repertoire every year. Cowboys will not last long in a space where customers trust you with their safety.

Read more...
All aspects of data protection
Technews Publishing Editor's Choice Information Security Infrastructure AI & Data Analytics
SMART Security Solutions spoke to Kate Mollett, Senior Director, Commvault Africa, about the company and its evolution from a backup specialist to a full data protection specialist, as well as the latest announcements from the company.

Read more...
Global strength, local craft
Impro Technologies Editor's Choice
Impro Technologies is a resounding success story. Started in South Africa, the company remains true to its roots and still designs and manufactures its access control systems and solutions in the country.

Read more...