Proactive vs. Reactive Security

February 17, 2010

How well does your business manage its security risks? Many businesses will, at some point, consider security processes to protect assets, people, property (tangible and intangible), and information. Will you be proactive and prepared before something happens, or will you simply react to the situation after something occurs?

Prevention vs. Reaction
There’s a difference between crime prevention and crime reaction, though many take the reactive approach and don’t consider purchasing an alarm system, for example, until after they’ve been burglarized or property has been stolen.

We need to change the way we think. To be effective, crime prevention and security (both policy and procedure) must be a part of the business operation and accepted by everyone in the company. Security policies are objectives, and they list the responsibilities and expectations for personnel. Security procedures are detailed instructions outlining how personnel will carry out the objectives. To meet the changing needs of an organization, security procedures change more often than security policies. For instance, the security policy may state that a particular area is restricted; only authorized personnel are allowed. A security officer is placed at the entrance, visually identifies those who can enter, and allows them access. At some point, this system may become automated; each employee wanting access must place his/her hand or finger on a biometric reader, and physiological characteristics determine admittance. Video surveillance may also monitor the area for an attempted unauthorized entry. In this situation, the policy remains the same, but the procedure changed.

Changing procedure to meet new needs is an excellent way to be proactive, but the security process shouldn’t be so cumbersome that it impedes business operations – instead, it should operate in conjunction with workflow.

Three-Part Security
There are three parts to achieving the desired level of security (the goal of this three-step approach is to reduce the likelihood that a loss will occur and, if a loss does occur, to minimize it):

    1. A vulnerability assessment, which is completed by a security professional to identify the deficiencies and excesses in the security process. In essence, the security professional will consider the probability that an incident will occur and make recommendations to address vulnerabilities and "harden the target."

    2. A cost/benefit analysis, which will determine if the recommendations are affordable, feasible, and practical. At this point, countermeasures are put into place to reduce or eliminate the deficiencies identified in the vulnerability assessment. These countermeasures may consist of hardware (fencing and locks), software (electronic access control), and people (security officers or employees) who will take on the role of guardian of the company’s assets.

    3. A test of the system, which ensures that everything is working properly, to determine if changes need to be made to achieve the desired level of security.

The key to an effective security process is having the appropriate mix of physical security, electronic security, and personnel to meet security goals. It’s important that there are "layers" in your security process so the weaknesses are outweighed by the strengths of another component. You may have security policies and procedures in place, a fence around your property, security officers on patrol, exterior lighting, steel doors, high-quality mechanical locks, an intrusion detection system, and video surveillance – but at what point in the process will an intruder be detected?

A professional security risk assessment determines the best way to "harden your targets" and integrate all components of the security process so you have the appropriate level of security.

Marianna Perry is director for the National Crime Prevention Institute (NCPI) at the University of Louisville in Louisville, KY. She can be reached at