Drew Neckar (DN), CPP, CHPA, President & Principal Consultant of the Security Advisors Consulting Group, has kindly spared some time to speak with Human Risks (HR) just before his live conference at the 2021 Global Security Exchange (GSX), Florida, US. Drew has spent nearly 30 years in the Security Risk industry, has a background in Criminal Justice and History, and holds an Executive MBA with an emphasis in international business. Drew is a speaker at GSX.
Background Bias in Risk Assessments
HR: When it comes to hiring staff who will be responsible for Risk Assessments, what background influences or character traits can positively or negatively influence someone’s work capabilities in this area?
DN: I think that the most important character trait for a risk assessor has to be their ability to put aside their preconceptions so that they can work to understand disparate data from multiple sources. It is vital that they make decisions based on conclusions from the data, rather than their individual biases and previous experience. That is closely followed by the ability to talk to people. In our digital age, there are so many people who have grown up without learning how to have a basic casual conversation with someone. I would say that in my assessments at least 50% of the information I gather comes from random conversations with organization employees and other users of the space that I am assessing. If I wasn’t able to approach these people and get them to open up and have a conversation, this would all be data that would be missed and not taken into account.
HR: How do you feel technology has supported risk assessment in the security industry?
DN: The most important use of technology that I have seen in conducting risk assessments comes from the ability of the assessor to have significantly more information at their fingertips to base their assessment on. Rather than going through hundreds of pages of paper incident reports and going to a police station to look at crime records, an assessor now should have access to the organization’s computerized incident management database, social media and threat monitoring software, and centralized or area crime records from a vendor or local police force. This, along with video conference interviews together with initial data, has cut the amount of time I need to spend on-site by close to 30%.
HR: What role do you think AI can play in improving risk assessment processes? Is there anything, in your opinion, that we need to consider before using AI to assess security risk?
DN: I think the best use of AI is identifying and collecting data. I haven’t yet seen (which doesn’t mean it’s not out there yet) any AI that can effectively replace qualified security professionals in determining the best ways to implement controls to mitigate the risks identified.
HR: How can professional certifications help to overcome background bias in staff responsible for risk assessment? Are there any particular qualifications that stand out from the crowd?
DN: Any use of standards or best practices helps the assessor maintain impartiality in their risk assessment. Certifications, especially those that require recertification every several years, ensure that the assessor has the knowledge of potential controls that can be applied. Which certifications are important tends to depend on the environment being assessed and can indicate an assessor’s familiarity with the individual threats, assets, and risks of that particular environment. A good gold standard for general security risk assessment is the ASIS CPP.
HR: When working with organisations to advise them on the implementation of risk mitigation measures, do you find any common organisational barriers to this process? If so, how do you advise Security Managers to best overcome the aforementioned barriers?
DN: The greatest organizational barrier to effective risk assessment is organizational inertia. The tendency to say “we have always done it this way” hampers a realistic assessment of risk and the effectiveness of current mitigation measures.
HR: What are the top three factors to consider in a successful risk management assessment?
DN: The most important factor is basing the assessment on accurate data. As with any process, if the data leading to the decision is flawed the end product could well be worse than worthless.
HR: When it comes to Security Risk assessment, are there any specific tools that you consider essential in order for you to do your job well?
DN: I don’t know if I can name one specific tool; my assessments tend to be fairly free-flowing and each one is a little different in what I need to do to collect the necessary information.
HR: During your career what are the main industry changes and challenges you have witnessed?
DN: I think that we are witnessing the slow professionalization of the security industry. Some companies are beginning to see that “security” can be more than just “gates, guards, and guns”. When assessments are approached from a risk management standpoint using security to mitigate risks, reduce losses and enable business in areas that would otherwise have been not feasible – that can truly contribute to the business’s bottom line. There are of course still forces very active in the industry working to push the old mantra of providing “security” by throwing a bunch of low skill / low wage employees out there in cheap polyester uniforms, or getting the customer to pay for unnecessary service and maintenance contracts. However, this simply generates recurring revenue rather than urging their customer to use a study approach and implement controls that are solely and directly focused on mitigating a proven threat to the organization’s assets.
HR: From an overall Security Risk Management industry perspective, what more can we be doing to support each other?
DN: I think that we all have a duty as security professionals to help organizations understand the benefits of a well-designed security program for their organization. This is one of the reasons why I try to remain active with ASIS International. ASIS is constantly working to increase the reach and image of security as a business enabler.
Thank you, Drew, for taking the time to share your experience and views with us. We wish you all the best of luck with the GSX conference.