PSPF and Security Risk Management
- On 08/05/2018
When the PSPF was launched in 2010, it was a significant reform that sought to adopt a more risk-based approach to protective security than did its predecessor (the Protective Security Manual). It achieved its immediate aims and Government practitioners, and those who supported them, started talking (and doing) more about security risk management.
Notwithstanding this, the 2010 PSPF contained 2,200 ‘shall’, ‘must’, ‘are to’, ‘need to’ etc. statements, which made it very prescriptive in nature. That meant that, while entities were encouraged to practise risk management, they were front-loaded with the details of many of the security treatments that were expected to be implemented.
It’s not hard to see the conflict here, and the one-size-fits-all approach to the largest Department versus the smallest Agency did not make the task any easier for Agency Security Advisers (ASAs) and IT Security Advisers (ITSAs). Numerous controls were only semi-justifiable for some, and left others somewhat ambivalent about the notion of then needing to perform security risk management on top of a very heavily control-focused environment.
A bigger impediment is that many employees (across government and the private sector) do not perform credible security risk assessments, as they lack the proper security risk training and on-the-job experience. This is manageable for those who have had the budget to contract in risk and threat specialists, but the remainder remain somewhat hamstrung in terms of effective security risk-based practices.
Those entities that are doing security risk management in the way that the PSPF requires are carrying out enterprise assessments every two years, and sooner if the environment warrants it. Further assessments are carried out at the operational level to examine functional and process-level issues.
The aggregation of assessments over time can also be problematic, especially if they are MS Word/Excel documents that are rarely revisited or not easily revisited. The fact that every consultant does things differently usually also means restarting the process periodically, rather than implementing a genuine and ongoing program of risk ‘management’. Once created, assessments should simply be reviewed and updated rather than recreated, potentially saving substantial amounts of budget in the process.
Further, security managers are not equipped with the best tools to be able to create and manage effective security risk assessments. Enterprise Risk Management platforms, where they have been procured by an entity, do not account for the nuances of security risk management, and it seems that no amount of retrofitting/customising them changes the fact. Where they are being used, they can be complex and require routine use to maintain the necessary degree of knowledge to get the most out of them.
This is where the concept of SECTARA (Security Threat and Risk Assessor) arose. SECTARA was specifically designed as a platform for commonsense security risk assessments, development of treatment plans, and ongoing monitoring and review, while ensuring that the entire process is logical and rigorous in a methodological sense. Much of the data is automatically populated based on the types of assets and threats that are entered, and the interactive visual charts give ASAs and ITSAs a great advantage when pitching for resources or simply justifying existing spend.
If this piques your interest, we encourage you to take a look at the completely free plan today.
Yours in security risk and resilience,
Konrad Buczynski
Industry Risk
Industry Risk is Australia’s shining light in solutions for Protective Security and Business Resilience. We welcome opportunities to assist entities in getting to a security baseline, then helping guide them in more advanced endeavours.