If you are responsible for security, you know how difficult it is to justify funding for security measures — until a security breach happens. At that point, senior management gets involved and one question will be asked, “What do you need to prevent this from happening again?” This is your opportunity to make the most of a security event and obtain the resources you need to be proactive to help avoid future events. If you are not prepared with a solid answer, the opportunity may be lost.
It is always worthwhile to be prepared to explain what resources you need to address security risks. Even if a security breach doesn’t occur, having information ready can help you justify needed measures. If an incident does happen, you probably won’t have time to do all the homework required for an effective security plan.
Having a plan is essential, whether it’s on the football field, within the boardroom or during a crisis. The security plan is similar to a playbook, which consists of a carefully considered series of actions to be implemented.
Remember the old philosophical question, “If a tree falls in the woods and no one is there to hear it, does it make a sound?” It’s much the same with security. How would anyone know that a security program is effective without an occurrence to test it? For instance, how do you show that the camera installed over the door acted as a deterrent to the person who was contemplating a violent act if the act did not occur? The answer is simple. You can’t.
That is one reason why budget justifications are challenging for security. Compounding the problem is that security is a cost center and does not drive revenue. To top it off, security breaches are rare. It is easy for top executives to take security for granted, but complacency is a breeding ground for disaster.
Step One: Analyze Risks
When developing a security plan, there are multiple vulnerabilities and specific threats to consider. Some threats are common to many organizations, and some are specific to a particular organization. These risks should be examined and quantified by answering questions such as these:
- How attractive is the organization as a target?
- What would be the direct and indirect impacts of a given incident?
- What is the probability of a security incident occurrence?
These questions can be answered by examining the capability and the intent of an aggressor.
Once the risks are identified, your organization should be benchmarked against your competitors. Benchmarking may seem unnecessary if you are responsible for security because most likely you have already voiced the possible risks to management, without much action. However, benchmarking can be a powerful tool to validate that the risks are real, evident and should be mitigated.
Step Two: Security Measures
The second and often most important component for plan development is the set of controls or measures used to prevent a security incident. Physical security controls/measures are grouped into three broad elements: operations, architecture and technology.
If properly implemented, these controls can establish a balanced security program. Selecting and implementing proper controls can be difficult. When considering security measures, the assessment should be approached from an outsider’s perspective. One effective approach is to examine vulnerabilities from the perspective of an aggressor.
Examples of this approach are listed below to identify common mistakes in security:
Physical Security: A facility typically appears more secure during the day than in the evening. Criminal activity tends to occur during evening hours. At this time all possible suspects should be observed. Lighting is one of the best deterrents and discourages any attempted burglary that bystanders might witness.
Criminals may attempt to breach a building’s perimeter through diversion and movements that may be difficult to detect. They may try to gain entry through side entrances or doors that are not used as often. However, most will attempt to break in through the front door, which is often the easiest point of entry at most facilities.
Another way to prevent crime is to install a perimeter. This could consist of soft barriers using landscaping such as tall shrubs or bushes, or hard barriers such as fences or steel gates. These barriers must be tall enough to make them difficult for anyone to climb. Intruders trying to gain access through these barriers can be easily identified.
Criminals may also attempt to access a building through latch manipulation and lock picking. To deter physical access to a door, three elements are needed: industrial locking hardware with high-security keyways, pinned or concealed hinges and latch cover plates. The latch cover plate is one of the best ways to reinforce wood and metal doors to prevent forced entry. However, it is commonly overlooked and its absence allows an intruder to manipulate the door latch to gain entry.
Technical Security: The first alarm system was patented by August Pope in 1853. It consisted of magnetic contacts that could be placed on doors and windows and would transmit their position as either open or closed. Today, all technical alarms still need the same three basic components: a triggering device (commonly referred to as the sensor); a circuit (typically in the form of wires) that makes a loop and transmits the information; and an annunciator or sounder that signals the alarm.
The alarm system has only one goal: to reduce the need for staff. But technology can only be effective if it is used properly. For example, an infant abduction system in the security control center of a hospital sounded the alarm, indicating that an infant had been abducted. The officer in the control center did not respond. When asked why, he explained that the alarm had been broken for weeks. Without an operational and effective alarm system to notify the appropriate authorities, the most advanced system can fail.
Security technology has come a long way, but it has its limitations. For example, a burglar came across a vehicle with ultrasonic, glass break and volumetric/seismic detection sensors installed. It was a very robust system, which alarmed instantaneously if the vehicle was approached. While others may park their cars in discreet locations, the owner of this vehicle put his car out in the open. He was confident, like many organizations, and trusted that the technology would prevent any attempted theft.
The alarm system had one fault — false alarms, and a lot of them. The burglar spent two hours one late evening with many failed attempts at unlocking the car, which repeatedly sounded the alarm. The owner of the car, frustrated with the loud noise, deactivated the alarm system to get a good night’s rest. With an alarm system that’s turned off, the criminal successfully stole the vehicle.
This story has several lessons: 1. Technology needs to be proven and the latest technology may be ineffective. 2. Technical alarm systems need to be maintained to minimize false alarms. 3. All alarms, no matter how insignificant, need to be investigated. 4. Finally, an organization cannot rely solely on technology for its security program. This opens up vulnerabilities that criminals can exploit.
Operational Security: Operational security represents the most common type of security. When properly implemented, it is often the most effective. Well-trained and licensed security staff are often outside the budget of some organizations.
Operational security is more than just the security staff. It also includes policies, procedures and guidelines regarding the management of incidents. In many cases, staff may feel hassled by security officers, who only try to do their job. Over time, this negativity towards security staff may affect their attitude and morale. In many cases, the security staff assumes a concierge role at a building.
For example, during an after-hours assessment of a facility, a security officer was prominently located at the building’s main entrance. The officer on duty always greeted the security consultants as they entered the facility. Just before leaving, one consultant asked, “You have no idea who we are, do you?” The officer responded, “Nope.” The officer, kept in the dark by management, was an overpriced receptionist.
Operational security represents the weakest link and needs to be reviewed regularly. In one case, a hospital had a policy that the pediatric floor, designated as a high-security area, had to be staffed with three officers at all times. In reality, there were no officers on the pediatric floor for an extended period — even though a security incident had just occurred.
Organizations need to empower employees to help ensure the security of their building. In many instances, gaining access to a facility is as simple as smiling and asking pleasantly, “Please hold the door for me.” Organizations need to have broad security awareness programs and train all employees. If it is done right, it can come at a significant cost.
Step Three: The Playbook
Once the security measures have been identified using an outside approach, the next step is to combine them in a security playbook or a master plan. This should cover budgeting for the controls and measures being proposed. The planning should adopt a holistic, all-security-risks approach. Budgeting can be shared among additional corporate functions such as information technology or human resources. The investment can be implemented over multiple phases. Rather than asking for $4 million at one time, highlight the risks and phase the implementation.
Another way to justify security measures is to show the return on investment. This typically involves a return on technology investments, highlighting the training programs, reduction in incidents and other security breaches that were avoided.
The playbook needs to be well written and should be readily available. The management of your organization may want to see it. If it is not prepared properly, the implementation of the plan could be delayed.
Also, the plan needs to keep its audience in mind. Executives tend to be either spontaneous or cautious and detailed. To be on the safe side, both personalities should be kept in mind as the security plan is developed to ensure its support by management.
This is an official document that needs to be regularly updated and will form the basis for any presentation to management. It is also important to identify and meet with key stakeholders. The goal of this meeting is not to push an agenda, but to collaborate and share resources.
Based on statistics, all organizations will experience a security incident at some point. The bigger the organization, the more staff it has and the longer its history, the greater the risk of a security breach. Embracing the need for a well-thought-out security playbook can make the difference in obtaining resources when a security event occurs. Rather than sending endless emails about an organization’s risk, be prepared so that if a question about security needs comes from management, your response will be, “I have a plan. This is what we need to do, this is what it will cost, this is what we will gain.”
COURTESY: Sean A. Ahrens (email@example.com), CPP, BSCP, CSC, is a project manager with Aon Risk Solutions’ Global Risk Consulting practice. With more than eighteen years of experience in the security industry, Ahrens is responsible for providing organizational security consultation, threat and risk analysis, contingency planning, loss prevention and force protection design and planning.