When Was the Last Time Your Organization Had a Security Checkup?
May 2004
Businesses need to embrace the notion that
it’s worth investing time and money into the processes, procedures, and materials
to protect employees, proprietary assets, and the communities they serve. Today,
we still have too many critical infrastructure businesses that are waiting for
Homeland Security or their insurers to tell them what sort of security precautions
they need to take. Instead, firms should take a proactive approach to security
by developing and maintaining a comprehensive security program.
by David Nicastro, Secure Source, Inc.
At the turn of the 19th century, the medical profession consisted of a small
number of highly educated, poorly paid doctors who were typically "on call" when
a person suffered from a serious illness or injury. Once summoned, the doctor would
hitch up the buckboard and make a house call. Often arriving too late to help, the
physician could do little more than ease the patient's pain and suffering.
Of course, the medical profession took off when people realized periodic
checkups could detect illnesses before they became fatal. Doctors stopped making
house calls and opened offices where they could treat patients better and handle
more cases. Eventually, insurers arrived to offset the costs of medical treatment
and the medical profession was transformed into what it is today.
The current approach to security looks like the state of medicine in the
late 1800s—antiquated and urgently needing transformation.
As a nation, we pay a lot of lip service to the need for Homeland Security.
Indeed, many tax dollars have been spent on security fixes since September 2001.
After the creation of the Transportation Security Administration (TSA), airports
were forced to replace existing screeners with better-trained and paid federal
employees. The airlines have been forced to strengthen the cockpit, while flight
attendants have become more security conscious than in the past. Of course,
knives and box cutters are no longer allowed on flights.
Nevertheless, wasn’t it stupid that passengers were allowed to carry knives
in the first place? Shouldn’t the cockpits have been more secure to begin with?
At the moment, a popular remark in our industry is that the TSA stands for "Thousands
Standing Around." The truth is the new security measures are not very effective.
For evidence, just look to the Government Accountability Office (GAO). In April,
GAO informed the House aviation subcommittee that testing had uncovered serious
gaps in airport passenger and baggage screening. "We have a system that isn't
working," Representative John Mica, the subcommittee's chairman, said during
a hearing in which debate focused on allowing airports to resume using private
security personnel.
The airlines are not the only ailing industry. In a survey of security professionals
and the general public conducted by the respected marketing research firm of
Penn, Schoen & Berland, 58 percent of security professionals and 66 percent
of the public believe workplace security is too lax. The survey's main conclusion:
both groups believe they are safer at home than at work. And the threats don't
come from terrorists alone. Terrorism is just one of many security threats facing
corporate America today. Much more likely events include workplace violence
by disgruntled employees, and increasingly, computer viruses that are wreaking
destruction on a whole new frontier.
Bridging the Gap
So how do we bridge the gap between achieving effective security and preserving
corporate cultures that value and respect the dignity of all employees? Taking
a lesson from the medical profession, it is time to transform security from
a reactive process that relies on "house calls" to a fully integrated element
of the organization that provides diagnostics and preventative services that
are well understood and supported by all employees. This change is going to
require the right government incentives mixed with a lot of security awareness
training and communications on all fronts.
Here, too, the insurance industry plays a key role. Just as patients accepted
the need to undergo annual exams covered by their health insurance, businesses
would do more to improve security if the insurance industry helped cover the
costs of routine security assessments by independent third-party professionals.
In return, enterprises that tighten security and employ effective preventative
measures could be rewarded with lower premiums.
According to industry sources, terrorism risk insurance is selling at a very
low rate because the insurance industry has not been effective in selling this
coverage to its customers. Needless to say, participation is nowhere near what
the federal government envisioned after the Terrorism Risk Insurance Act (TRIA)
was signed into law in 2002. We can only surmise that the insurance industry
still does not see the value in educating its risk engineers, underwriters,
and brokers about the market's needs and, in turn, they don't effectively communicate
security risk to their customers.
On the corporate front, good security starts at the top. Senior management
needs to embrace the notion that it’s worth investing time and money into the
processes, procedures, and materials needed to protect employees, proprietary
assets, and the communities they serve. Today, we still have too many critical
infrastructure businesses in industries such as petrochemicals, transportation,
communications, entertainment, and banking that are waiting for Homeland Security
to tell them what to do. Why spend money now, these businesses ask, when the
government will only come around later and make them reinvest to meet some new
regulation?
The question is not without merit. Since September 11, our federal law enforcement
agencies have been sliced, diced, expanded, and contracted to the point where
many agents don’t know which way is up or who they should report to. Many of
these agencies are in disarray. Indeed, the consultant who performed the GAO
security audits at airports reported that private security was hampered by restrictive
or ambiguous government policies and procedures.
Admittedly, many of these conflicts may be impossible to avoid, but by and
large, business leaders should preempt federal legislation and bureaucratic
interdiction. After all, nobody knows your business like you do. And besides,
security threats aren’t limited to suicide bombers and airline hijackers. In
fact, malicious insiders pose a much greater threat to most organizations. Therefore,
senior managers need to establish a charter that clearly defines security and
crisis management responsibilities and specifies a framework for protecting
their enterprises from a wide variety of threats.
While corporations have gotten better about realizing the need to conduct
employee background checks, even this basic prevention tool is still widely
underutilized. If you don’t have an active program to conduct thorough background
checks at all corporate levels—from the receiving dock to the executive suites—and
you fail to apply the right procedures to deter and detect employee misconduct,
then you are probably losing about 6 percent of your revenue to waste, fraud,
and abuse and are potentially risking the reputation of your company.
This is not to say management needs to adopt a paranoid view of its employees.
They, too, need to feel safe and secure at work, and they deserve a good security
plan that protects their welfare. I am always amazed by corporate managers who
freely admit they do nothing to protect employees who travel or live abroad.
And I am not just referring to managers who have operations in hotbeds like
Iraq or Afghanistan. I am thinking about managers who still believe countries
such as Mexico, Colombia, and South Africa are safe.
I believe it is foolhardy and wasteful to think of security only in the context
of today’s current problems with Islamic extremists. While the fear of future
terrorist attacks still looms over many Americans, especially after the recent
train bombings in Madrid, traditional crime is and always will be the major
threat to corporate America.
How Do You Build a Good Security Program?
I reiterate the need for senior management commitment. Once committed, management
should conduct a vulnerability and risk assessment to identify critical facilities.
A "critical facility" could be defined as any facility, or combination of facilities,
identified as a likely terrorist target which, if severely damaged or destroyed,
would have a significant impact on the operator's ability to serve a large number
of customers for an extended period of time, would have a detrimental impact
on the reliability or operability of the pipeline system, or would cause significant
risk to public health and safety.
When analyzing the attractiveness of any facility from an adversary’s perspective,
I always view the facility in relation to the company’s domestic environment.
Any enterprise, particularly one that is part of or has large diversified interests,
may be an attractive target for secondary reasons that do not directly relate
to the company itself. This enables us to adopt a security strategy based on
facility characterization, threat capabilities, risk acceptance, and cost effectiveness.
Multiple layers of various security countermeasures can then be placed along
the adversary's path to complicate his planning and provide additional "time
and space" for response forces to react.
A strategic plan should also be developed on the expectation that security
personnel, procedures, and physical protection equipment—including barriers,
locks, and electronic systems—are designed to deter and detect an unarmed intruder.
Companies operating in more volatile environments do not necessarily need to
have equipment and processes in place that would neutralize an armed commando
attack at a company-owned site. At that point, the company must work with law
enforcement and, in certain foreseeable cases, national defense to defend against
assaults.
However, if the company’s security program can’t even identify a suspicious
person on surveillance—or stop a juvenile from trespassing on the property—then
that company is open to a multitude of threats ranging from trespassing, sabotage,
espionage, cyber intrusions, violence in the workplace, theft and, oh yeah,
terrorism.
Facets of a Good Security Program
A good security program does not end with one checkup. An ongoing threat
analysis and assessment is essential to the success of any sustained security
effort. After all, while existing security needs are being addressed, new threats
are always arising. Failure to update the threat assessment on a continuing
basis may constrict a company’s ability to protect itself. The components of
a thorough threat analysis should include the following.
- Studying vulnerabilities to understand weaknesses in the existing security
program.
- Researching the threat to identify threatening groups.
- Gathering information that provides the answers about goals, methods
of operation, tactics, and potential targets of adversaries.
In deciding the level of protection that a particular facility requires,
we need to initiate a process to determine how critical the asset is to the
entire system. In addition, it is crucial to understand what level of protection
we need to attain. For the company, it should not be our intention to protect
against armed terrorists. This is unrealistic.
However, it is necessary for the organization to evaluate each location as
it relates to the target's attractiveness from a terrorist's viewpoint. This
allows the organization to prioritize and allocate security measures, controls,
and personnel in a cost-effective manner. Adversaries usually evaluate a number
of similar targets that potentially meet their objectives.
A target’s attractiveness is directly proportional to how effective the attack
is in achieving the threat’s goals. While a facility may be vulnerable to attack
by a given threat, it may not be an attractive target. If a given target was
attractive to a threat in the past, it is likely to remain attractive in the
future. The threat assessment, however, must be kept current and focused on
a wide range of security threats. This is because an adversary’s goals can change,
evolve, or become more refined.
Good security does not necessarily need to be expensive. Likewise, there
are absolutely no guarantees that good or even great security practices will
prevent incidents from occurring. Unfortunately, too many people think it’s
better to do nothing, or do something cosmetic, and pretend that today’s realities
will simply go away. This is a mindset that comes from managers who are still
guided by the antiquated notion that everything operates in a linear and predictable
fashion. They analyze the obscure probability of attack rather than focusing
on closing the gaps in their security. What will these managers do when an attack
happens? They will have little choice but to hitch up the old buckboard and
pay the family a visit.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.