It is time to change the way we approach security

Issue 6 2021 Security Services & Risk Management

A security risk assessment is much more complex and intricate than people assume. People are so used to doing what they have always done that they forget to approach things from a different perspective, especially when it comes to security.

Andre Mundell.

Whilst most of us are set in our ways, criminals have adapted and evolved to such an extent that we are mostly on the losing end. Keep in mind that criminals are not just those who want to get in, but also those who are already inside your business. We refer to ‘inner’ and ‘outer’ crime.

A criminal looks for the opportunity, a gap in your security that could be used to their advantage.

People seem to stick to the old way of measuring security, which is on a scale of one to 10 or from high to low. It does not work like that.

• A risk is a risk; whether it is perceived as a ‘small’ or a ‘big’ risk, it still remains a risk.

• A criminal does not distinguish between various opportunities, so why do we?

◦ This approach was borrowed from the Health and Safety approach. Security and risk are nothing like Health and Safety.

• Health and Safety is measured against probability, whereas risk is measured against opportunity.

• A security risk is what provides the criminal with the opportunity to commit a crime. Whether the risk is big or small, high or low, they will take the opportunity with both hands. Maybe not today, perhaps not tomorrow either, but somewhere along the line, it is bound to happen.

An independent security risk assessment is an in-depth study of the security risks on the identified property. It is an investigation to establish the security risks that provide the opportunity for crime. Explaining the concept of risk would take me an immense amount of time as it is such a vast concept and there is an array of variations when it comes to risk.

An example of this is communication risk in security.

• Communication is so much more than just talking or having a monthly meeting, or even sending a few emails about new developments. Clear communication between the systems and the operators of data, cameras, access control, perimeter security, alarm systems and a lot more is necessary for them to function successfully.

• Where does the communicated information go? Who attends to it and who acts on instructions or alerts? How fast does this happen?

Further to this, we also look at the body language of the property. Like every human, buildings, offices, properties, estates, shopping centres, homes and so on all have a body language. This body language tells the criminals how seriously the owners or managers of the property take security measures. This gives them an indication of the ease of getting in and out, and whether the risk is worth taking.

Keep in mind that we must see the body language of the business/property from the criminal’s perspective and not the owner or manager’s perspective. The criminal sees the opportunities, whilst the manager or owner might see it from an aesthetic perspective.

When an assessment is conducted, nothing and nobody is above or below being a potential risk. In an assessment, we look at everyone, from the cleaners to the CEO; we look at the different departments, protocols, processes, service providers, hardware installers, the security company, access control and several other aspects.

Access control

• Access control for an estate will be different to access control for a business. The same applies to homes and warehouses.

• The concept of access control remains the same, although the findings and recommendations will be different.

Old information

We do not use old information. We do not work from previous reports that were conducted 10 or even five years ago, simply because that information is outdated and no longer relevant. You cannot build security based on old and irrelevant information. Everything has changed over the years: technology, the lack of job availability, especially over the last two years, taking Covid-19 into account and the negative effect that it has had on a lot of people.

It’s good to remember that all the information that is available to us in our fight against crime is also available to the criminals. It is about how the information is used.

This brings us to the reading of documents.

• We look at the way people read documents. As silly as it sounds, the fact that people do not thoroughly read documents has a severe impact on security, because understanding comes from reading the information pertaining to a specific subject, in this case security.

• People do not read the information, which means that they will not understand it.

• Understanding crime, security and risk is a crucial element when it comes to fighting crime successfully.

• When people just scan through the information instead of reading it and think they know what is written, they start making assumptions. This is so dangerous, especially in the security world.

Security risk assessment vs. selling security

• The term ‘Security Risk Assessment’ is often thrown into every document and description to ‘sell’ or ‘promote’ a service without fully understanding the entire concept.

• Very few people can conduct an actual security risk assessment, especially in South Africa.

• The moment that a product or a service accompanies the security risk assessment, you need to think twice because this means that the assessor is not impartial and is not focused on finding the risks, but rather focused on promoting and selling whatever services or hardware he offers.

• The same applies to an ‘in-house’ assessor. They cannot be unbiased as they are bound by the rules and culture of the business.

Real assessment

• The only true assessment will be done by an independent security risk assessment consultancy. ‘Independent’ is the keyword.

• Being independent means that they are not affiliated with any security service provider of any sort. This means that they are unbiased, truthful and will focus on finding your security risk and will not chase sales.


Confidentiality is part of our core beliefs as we know that we are dealing with sensitive information and we strongly believe in not disclosing any such information. We understand the massive ramifications it can have when sensitive information such as a security risk is shared, which is why we firmly stand by our non-disclosure agreement.

The sad thing is that even though we clearly state that we will never disclose any of our clients’ information, which includes company or individuals’ names, enquiring companies and clients still ask us for references. Clients ask us to sign a non-disclosure agreement, but on the very same page they ask us to break a current non-disclosure agreement with our established clients and give them a list of our clients. How does this make sense?

A true security risk assessor will not boast about the assessments that he has done, the lack of security at a site, the shocking discoveries, or for which prominent companies he has done an assessment. No matter how many new doors it might open for him.

Security risk template

Some blatantly ask us for a ‘template’ on how to conduct a security risk assessment. It baffles me. There is no template for a security risk assessment; you just need to follow the risk. Each property is unique with unique risks, which is why each report is unique.

In short, a security risk assessment is an in-depth investigation into the status of your security. It is not based on what someone said 10 years ago and it is not based on what professors and other experts say. A security risk assessment is based on the risks present that provide the opportunity for crime; it is looking at your property from a criminal’s perspective and not from a CEO, business owner, property owner, or manager’s perspective.

Remember, you want to keep the criminals out, and also to get the criminals who are already inside the property out.

The risks will tell the story and will lead to the solutions. When the risks are identified, the solutions can be researched and implemented to eliminate the risks. Only once these security risks are eliminated can crime be averted.

We have been doing security the same way for the last 50-odd years and just look where that has gotten us. Is it not time to change the way we approach security?

