When planning a major design development project, whether it’s a corporate campus, data center, or mixed-use facility, deciding how much to invest in security can be a complex question. A practical, risk-based approach to security planning is fundamental, helping to align protective measures with real-world threats and operational needs. Organizations can avoid over- or under-investing in security by focusing on actual risk factors, not just best practices or one-size-fits-all solutions.
Understanding Assets + Risk: Essentially, the presence and extent of security measures should respond to the risks the organization and its campus or site are likely to face. Risk can take many forms, from human-induced or intentional acts to natural hazards to hybrid hazards (e.g., transportation accidents, significant power outages, and hazardous material releases). All organizations have tangible and intangible assets—people, property, and information—that they rely on to achieve their objectives. For a major design project, key goals can include providing a safe and secure location for employees and customers, securing intellectual property and sensitive data, protecting physical assets from threats and hazards, and safeguarding the organization’s reputation, among many others.
Informed Decision-Making: The security risk assessment process establishes a foundation from which to make informed decisions to safeguard the organization against threats and hazards that can impede its goals. At its root, the process seeks to identify an organization’s assets and take measures to protect them. While security liability concerns often revolve around consistency of security measures, they also focus on foreseeability, addressing what is likely to impact an organization. To determine this, a risk assessment is needed; this is particularly true for large developments that will draw members of the public to the venue.
Why should organizations invest the time and resources in conducting a security risk assessment?
The answer lies in the ability of a well-executed risk assessment to bring clarity and confidence to the planning process. Rather than relying on assumptions or generalized security practices, organizations can make tailored, evidence-based decisions that align with their specific assets, threats, and goals. The benefits of investing in this process are both practical and strategic:
- Finite Resources: Organizations have limited resources and must conduct cost-benefit analysis to prioritize key goals. A security risk assessment is a cost-effective process to determine the best combination of security measures and ensure that risks are identified and addressed appropriately. The goal is to identify the most critical assets, determine the threats and hazards likely to impact them, consider high-impact / low-probability events, and implement corresponding security measures to prevent or mitigate the risks.
- Protecting Investments: A new development represents a major investment, one that the organization is counting on to serve it long into the future. A security risk assessment seeks to protect that investment by taking time early in the design process to ensure threats and hazards are considered while security measures can still be implemented with the least impact on cost and project timelines.
- Providing Liability Protection: A major development can face numerous liability challenges if people are harmed on its premises due to a foreseeable situation. Performing a security risk assessment in accordance with security best practices, and documenting assumptions and justifications for decisions made with available information, can provide liability protection to the organization and address duty of care. An important aspect of this is that the methodology used for the risk assessment must be repeatable, in alignment with best practices, and performed by an experienced security risk assessor. The ASIS International Security Risk Assessment Standard (ASIS SRA 2024) provides a consistent and trusted methodology and holds the Department of Homeland Security’s SAFETY Act Certification, which reduces the liability for an organization should a terrorist attack occur.
- Avoiding a Cookie-Cutter Approach to Security: Without a security risk assessment, the approach to security measures is often off-the-shelf and does not consider the risks the specific organization and venue are likely to face. This can lead to both under-investment and over-investment in security. Security measures should have a level of consistency, but implementing the same measures across multiple sites may not be appropriate and can in fact result in too much or too little security at a particular site.
- Avoiding Knee-Jerk Reactions for Security Spending: Today, organizations can jump into security measures that seem critical at the time but turn out to be unworkable or unnecessary. A key example of this is the use of fever detection cameras during the pandemic. Many of these systems did not work properly but provided merely the impression of safety. Due to the frenzy of the times, many organizations made significant investments without fully understanding the limitations of the systems. Making security decisions outside of emergency situations helps to create more informed and cost-effective long-term solutions.
- Securing an Organization’s Reputation: Preparing for potential risks and considering their impact gives the organization the ability to inform not only its physical security design measures, but also its security policies and procedures and its emergency response plans. This includes preparing crisis communications, planning for heightened security measures based on the environment, and training employees on security awareness, incident reporting, and response to emergencies. This seeks to protect an organization’s assets but also to safeguard its reputation. Risk events cannot always be avoided, but organizations are judged on their security planning, ability to mitigate risk events, and adeptness at responding in a comprehensive manner.
While organizations will depend on stakeholder insights, past assessments, existing security measures, and security documentation to develop a security risk assessment, having an experienced third-party expert, like Guidepost, perform the security risk assessment provides critical protection for the organization’s people, assets, information, and reputation. A third party can also provide objectivity to the assessment, integrate lessons learned from similar organizations, and keep the organization up-to-date on current and evolving regulations and compliance measures. These regulations could impact security for the premises before an organization invests in a technology or approach that will not be supported by the legal jurisdiction for the venue.