Value creation and protection in security projects

From a reactive expense to a strategic asset


Value creation and protection in physical and electronic security projects, by Maksym Szewczuk, Security and Design Lead, Bechtel Corporation.

Security projects play a crucial role in modern organisations by ensuring that risks are managed effectively while safeguarding assets, infrastructure and data.

However, beyond mere risk mitigation and treatment, security projects should also focus on value creation.

The ISO 31000 standard emphasises not only the protection of assets but also the enhancement of business value through a strategic and integrated approach.

This article explores how physical and electronic security projects can leverage the ISO 31000 Value Creation and Protection Model to generate tangible benefits. 

ISO 31000 

ISO 31000 provides principles, a framework and a process for managing risk. The model revolves around two main concepts:

  • Value Creation – ensuring that risk management contributes positively to achieving business objectives and improving performance
  • Value Protection – safeguarding assets, reputation and operations from potential risks and threats

Most medium-to-large enterprises are likely already applying risk management to mitigate risks, but by integrating these two aspects into security projects they can transform risk management into a strategic enabler of business success.

Value creation in projects 

Security initiatives often focus primarily on mitigating threats, but a well-structured approach ensures they also generate value in several key ways: 

  1. Enhancing business resilience – security projects aligned with ISO 31000 principles improve resilience against cyber-threats, fraud, vandalism, theft and other vulnerabilities 
  2. Increasing stakeholder confidence – clients, investors and regulatory bodies are more likely to trust an organisation that demonstrates robust risk management practices 
  3. Optimising operational efficiency – implementing proactive risk management strategies reduces the need for reactive responses, which are often costlier and more disruptive 
  4. Fostering innovation – a well-managed security environment allows businesses to innovate with confidence. Knowing that risks are controlled enables organisations to explore technologies, processes and markets with reduced uncertainty 
  5. Compliance and competitive advantage – compliance with ISO 31000 and other security regulations demonstrates to stakeholders that the organisation follows best practices 

Implementing the ISO 31000 model

The application of the ISO 31000 framework in security projects follows a structured approach that ensures risk management is an integral part of organisational decision-making.

  • Establish the context – define the strategic, operational and compliance requirements of the security project. Identify key stakeholders, business objectives and how security contributes to value creation. Determine risk criteria, risk appetite and organisational risk culture
  • Risk identification – conduct threat assessments to identify potential risks, including cyber-threats, physical security breaches, insider threats and compliance risks. Utilise tools such as risk matrices, scenario analysis and historical data reviews to gain insights
  • Risk analysis and evaluation – assess the likelihood and impact of identified risks. Prioritise risks based on their potential to disrupt operations or create value. Develop risk treatment options based on the balance between protection and business objectives
  • Risk treatment – implement controls to mitigate threats while maximising value creation opportunities. Consider preventive, detective and corrective measures tailored to risk appetite. Utilise technology and automation to improve efficiency in security operations
  • Monitoring and review – continuously assess the effectiveness of security measures and risk management processes. Establish feedback mechanisms to refine strategies over time. Ensure alignment with business goals and technological advancements
  • Communication and integration – foster a risk-aware culture by educating employees and stakeholders on security best practices. Integrate security risk management into corporate governance and strategic planning. Encourage transparent reporting and collaboration

Value creation and protection

Adopting security by design principles and practices may prove beneficial to achieving value creation. Security risk treatments can deliver more than risk mitigation or control.

By applying broad security by design principles, security controls can create value beyond risk reduction.

Each security element ceases to be an isolated control measure and becomes a holistic treatment element which provides functionality beyond pure risk reduction or control.

Security of assets, people, information and reputation may be a key driver to attract and retain new clients.

Failing to provide a safe physical environment for staff, visitors, clients and sensitive information could expose clients to harm, fraud, reputational damage and financial loss.

Adopting a security by design approach may also yield benefits with customers, regulators, tenants and the public where safety or security assurance is paramount to a healthy corporate reputation.

In security projects, integration means that risk management is not an isolated activity but is woven into every aspect of project planning, execution and operations.

Security treatments and elements seamlessly integrate business, cybersecurity and personnel security requirements as well as aesthetics, functionality, safety and ease of use considerations.

A systematic, structured approach also ensures that potential security risks are identified, assessed and addressed in a consistent manner.

The security risk assessment and treatment process is carefully considered and implemented at each stage of planning and design to amplify its effect and value.

Use standardised risk assessment tools to evaluate vulnerabilities. This process can help in mapping out threat vectors and ensures no risk is overlooked.

Moreover, every organisation has a unique threat landscape, operational environment and risk appetite.

Security treatments may be adapted to suit aesthetic, cultural and environmental requirements.

Cultural motifs, recessed hardware and integrated landscaping barriers are all examples of customised security treatments which are implemented to blend within the asset aesthetic.

Tailor security protocols to match the specific operational context.

Engaging all relevant stakeholders ensures a more comprehensive understanding of risks.

One security treatment may serve multiple stakeholders' requirements and may be used to create value through shared costs or joint procurement.

In a security project, inclusion might involve forming cross-departmental committees or advisory panels.

This inclusivity helps in gathering diverse perspectives, leading to decisions that are robust, widely accepted and easier to implement.

Adapting and improving

As the threat landscape continually evolves, security projects must be nimble enough to adapt. By adopting adaptive and flexible requirements within the architecture of physical and electronic security systems and topologies, cost-effective treatments can be implemented as the threat profile changes, resulting in a more resilient approach to security risk management.

Implement adaptive security controls – for physical security, this might include upgrading access systems in response to local crime trends and, for cybersecurity, this could involve real-time threat intelligence feeds.

Sound decisions in security projects must also be data-driven; use reliable data sources such as incident reports, surveillance analytics, threat intelligence and risk assessment studies to inform security strategies.

Whether deciding on the placement of cameras or determining network vulnerabilities, using the best available information is crucial.

This approach minimises guesswork and enhances the overall credibility and effectiveness of the security strategy.

Security is not solely a technical challenge; it is also influenced by human behaviour and organisational culture.

Requirements beyond security risk mitigation are considered when implementing security design and treatments.

Usability, safety, corporate and client requirements are considered throughout security design approaches.

Increasingly, security systems are becoming integrated with safety and training compliance systems as well as revenue/marketing systems to meet objectives.

Finally, keep in mind that security is a journey, rather than a destination. Continuous improvement ensures that security measures stay effective over time.

Regularly review and update security protocols based on performance data, incident analysis and new regulatory requirements.

Incorporate feedback loops where lessons learned from past security incidents lead to adjustments in the security plan.

Continuous improvement fosters resilience and long-term value creation by ensuring that security measures do not become outdated or ineffective.

Embedding risk management

A robust framework supports the principles outlined above by providing an organised structure for managing risk within security projects.

  • Leadership and commitment – top management support is critical: Secure executive sponsorship for security projects to ensure that adequate resources, both financial and human, are allocated. Leaders must champion security initiatives, articulate their importance to the organisation and hold teams accountable for implementation. Strong leadership ensures that security projects are prioritised, integrated into business strategy and consistently supported at all levels of the organisation
  • Integration – aligning risk management with organisational objectives: Ensure that the risk management framework is aligned with strategic goals. For example, if a company is expanding its digital footprint, its cybersecurity measures must evolve in tandem with that growth. This alignment guarantees that security measures contribute to organisational success rather than acting as isolated or reactive solutions
  • Design – establishing policies, resources and structures: Develop comprehensive security policies that cover both physical and electronic aspects. This includes setting clear roles, responsibilities and reporting lines, as well as investing in the necessary tools and technologies. A well-designed framework provides clarity, ensures consistency and builds a foundation upon which effective security projects can be implemented
  • Implementation – applying the risk management framework effectively: Deploy the designed security measures by following a structured project plan. This involves training personnel, integrating technologies with systems and ensuring that policies are actively enforced. Effective implementation turns planning into action, reducing vulnerabilities and enhancing both the protective and value-creating aspects of security projects
  • Evaluation – reviewing and improving risk management performance: Regular audits, performance reviews and security drills should be conducted to assess the effectiveness of implemented controls. Use both internal assessments and third-party evaluations to get an unbiased view of performance. Evaluation helps identify gaps, measure success and provide data for improvements, ensuring that projects continue to deliver value
  • Improvement – continuously updating practices to align with organisational needs: Based on evaluations and risk landscapes, update security policies, procedures and technologies. Encourage a culture of innovation where feedback is welcomed and acted upon. Continuous improvement keeps security measures current and effective

Transforming security projects

When applied effectively, the ISO 31000 Value Creation and Protection Model transforms security projects into strategic initiatives that do more than simply guard against threats – they create real, measurable value.

By integrating risk management principles such as integration, customisation and continuous improvement, and by following a structured framework and process, organisations can develop security projects that are both proactive and adaptive.
