
Protective Security Requirements: Taking a risk-based approach to your security


In this series of posts, FIRST Security’s Chief Operating Officer Steve Sullivan looks at the New Zealand Government’s Protective Security Requirements (PSR). Although originally designed for government, the PSR is just as relevant for the private sector.

 

In my previous PSR post, we looked at the mandatory requirements for the Physical Security (PHYSEC) domain of the Protective Security Requirements. In this post we conclude our six-part PSR series by exploring the idea of physical security by design.

The reason why I’ve decided to end the series with this particular topic is because it is – in my opinion – the single most important takeaway from the PSR guidance. If you retain any information from the series, retain this!

Design physical security early in your processes

One of the four requirements in the PSR’s physical security domain is ‘Design your physical security’ (PHYSEC 2), which requires organisations to consider physical security early in the process of planning, selecting, designing, and modifying facilities, and to design security measures that (i) address the risks the organisation faces; (ii) are consistent with the organisation’s risk appetite; and (iii) are in line with relevant health and safety obligations.

In terms of risk, I suggest (as I’ve written in another article) that your security design process be guided by the following principles:

  1. It’s not possible to protect everything; prioritise the highest risk areas
  2. Security measures should be proportionate to the level and type of threat
  3. It’s more effective – and cost-effective – to plan security while a facility is being designed rather than once it’s already in place.

The first two of these principles are grounded in the risk-based approach to security that is central to the Protective Security Requirements. The third principle refers to a concept that is becoming increasingly popular in the security world – and for good reason.

‘Security by design’ has gained momentum in recent years in the software engineering and cyber security world. It refers to designing systems to be secure from the ground up, with security ‘built in’, so as to minimise flaws that might compromise security later on. The idea is that preventing breaches through good design avoids the costs associated with making alterations after gaps are discovered – especially following a breach.

The same logic applies in the physical security world. Ideally, physical security measures should be considered prior to the construction and fit-out of premises (i.e. during the concept and design stages) because they can be more expensive and less effective if they’re introduced later.

So, consider your physical security requirements at the earliest stages – preferably during the concept and design stages – and any time you’re:

  • planning new sites or buildings
  • selecting new sites
  • planning alterations to existing buildings.

Before you bake them in, make sure that your site selection and proposed physical security measures are the result of a physical security risk analysis and evaluation (and ensure – to the extent possible – that your analysis is evidence-based). This includes evaluating such factors as:

  • the neighbourhood (crime statistics, presence of organised crime, existence of any ‘hot spots’, avenues of approach, public transport hubs, and any places or activities in the area that may attract criminal activity)
  • the size of the stand-off perimeter (the distance between an asset and a threat), and any natural or constructed barriers
  • site access (and egress), parking, and evacuation routes
  • building access points (noting blind spots and choke points)
  • security zones (assuming any have been defined)

Use risk information to develop site security plans

Use site-specific risk assessments to help you prepare site-specific physical security plans, and ensure that your risk assessments feed into related documents, such as your Business Continuity Plan and/or Disaster Recovery Plan.

As per the PSR guidance, you should have a site security plan for all new sites, facilities under construction, and facilities undergoing major refurbishments. This plan should align with your organisation’s overall protective security plans/policies, and any security standards your organisation has agreed (or is required to meet) for specific types of facility.

Getting advice

Whether your venue is old, new, due for an update or yet to be built, experienced licensed security providers can provide specialist advice in relation to incorporating a risk-based approach to your security planning, following security by design principles, and implementing official guidance such as the Protective Security Requirements.

If you wish to review your organisation’s physical security risks, get in touch with us to talk about how we can provide you with specialist advice.

Coming up...

I hope you’ve enjoyed the PSR blog series. If you missed the start, you can read the first post here. If you’d like to have a discussion about how we might be able to assist you in your protective security planning, feel free to contact me at steven.sullivan@firstsecurity.co.nz

ABOUT THE AUTHOR: Steve Sullivan is a highly experienced security and business operations leader with 30 years’ experience in the security industry. Prior to joining FIRST Security as its Chief Operations Officer, Steve was General Manager – Regional Operations for Wilson Security, based in Melbourne. His career has focussed on leading highly-respected security organisations to improved services, unparalleled customer service and success.