David Nicastro | May 1, 2004
Businesses need to embrace the notion that it's worth investing time and money into the processes, procedures, and materials to protect employees, proprietary assets, and the communities they serve. Today, we still have too many critical infrastructure businesses that are waiting for Homeland Security or their insurers to tell them what sort of security precautions they need to take. Instead, firms should take a proactive approach to security by developing and maintaining a comprehensive security program.
At the turn of the 19th century, the medical profession consisted of a small number of highly educated, poorly paid doctors who were typically "on call" when a person suffered from a serious illness or injury. Once summoned, the doctor would hitch up the buckboard and make a house call. Often too late to help, all the physician could do was ease the patient's pain and suffering.
Of course, the medical profession took off when people realized periodic checkups could detect illnesses before they became fatal. Doctors stopped making house calls and opened offices where they could treat patients better and handle more cases. Eventually, insurers arrived to offset the costs of medical treatment and the medical profession was transformed into what it is today.
The current approach to security looks like the state of medicine in the late 1800s—antiquated and urgently needing transformation.
As a nation, we pay a lot of lip service to the need for Homeland Security. Indeed, many tax dollars have been spent on security fixes since September 2001. After the creation of the Transportation Security Administration (TSA), airports were forced to replace existing screeners with better-trained and paid federal employees. The airlines have been forced to strengthen the cockpit, while flight attendants have become more security conscious than in the past. Of course, knives and box cutters are no longer allowed on flights.
Nevertheless, wasn't it stupid that passengers were allowed to carry knives in the first place? Shouldn't the cockpits have been more secure to begin with? At the moment, a popular remark in our industry is that the TSA stands for "Thousands Standing Around." The truth is the new security measures are not very effective. For evidence, just look to the Government Accountability Office (GAO). In April, GAO informed the House aviation subcommittee that testing had uncovered serious gaps in airport passenger and baggage screening. "We have a system that isn't working," Representative John Mica, the subcommittee's chairman, said during a hearing in which debate focused on allowing airports to resume using private security personnel.
The airlines are not the only ailing industry. In a survey of security professionals and the general public conducted by the respected marketing research firm of Penn, Schoen & Berland, 58 percent of security professionals and 66 percent of the public believe workplace security is too lax. The survey's main conclusion: Both groups believed they are safer at home than at work. And the threats don't come from terrorists alone. Terrorism is just one of many security threats facing corporate America today. Much more likely events include workplace violence by disgruntled employees, and increasingly, computer viruses that are wreaking destruction on a whole new frontier.
So how do we bridge the gap between achieving effective security and preserving corporate cultures that value and respect the dignity of all employees? Taking a lesson from the medical profession, it is time to transform security from a reactive process that relies on "house calls" to a fully integrated element of the organization that provides diagnostics and preventative services that are well understood and supported by all employees. This change is going to require the right government incentives mixed with a lot of security awareness training and communications on all fronts.
Here, too, the insurance industry plays a key role. Just as patients accepted the need to undergo annual exams covered by their health insurance, businesses would do more to improve security if the insurance industry helped cover the costs of routine security assessments by independent third-party professionals. In return, enterprises that tighten security and employ effective preventative measures could be rewarded with lower premiums.
According to industry sources, terrorism risk insurance is selling at a very low rate because the insurance industry has not been effective in selling this coverage to its customers. Needless to say, participation is nowhere near what the federal government envisioned after the Terrorism Risk Insurance Act (TRIA) was signed into law in 2002. We can only surmise that the insurance industry still does not see the value in educating their risk engineers, underwriters, and brokers to the market's needs and, in turn, they don't effectively communicate security risk to their customers.
On the corporate front, good security starts at the top. Senior management needs to embrace the notion that it's worth investing time and money into the processes, procedures, and materials needed to protect employees, proprietary assets, and the communities they serve. Today, we still have too many critical infrastructure businesses in industries such as petrochemicals, transportation, communications, entertainment, and banking that are waiting for Homeland Security to tell them what to do. Why spend money now, these businesses ask, when the government will only come around later and make them reinvest to meet some new regulation?
The question is not without merit. Since September 11, our federal law enforcement agencies have been sliced, diced, expanded, and contracted to the point where many agents don't know which way is up or who they should report to. Many of these agencies are in disarray. Indeed, the consultant who performed the GAO security audits at airports reported that private security was hampered by restrictive or ambiguous government policies and procedures.
Admittedly, many of these conflicts may be impossible to avoid, but by and large, business leaders should preempt federal legislation and bureaucratic interdiction. After all, nobody knows your business like you do. And besides, security threats aren't limited to suicide bombers and airline hijackers. In fact, malicious insiders pose a much greater threat to most organizations. Therefore, senior managers need to establish a charter that clearly defines security and crisis management responsibilities and specifies a framework for protecting their enterprises from a wide variety of threats.
While corporations have gotten better about realizing the need to conduct employee background checks, even this basic prevention tool is still widely underutilized. If you don't have an active program to conduct thorough background checks at all corporate levels—from the receiving dock to the executive suites—and you fail to apply the right procedures to deter and detect employee misconduct, then you are probably losing about 6 percent of your revenue to waste, fraud, and abuse and are potentially risking the reputation of your company.
This is not to say management needs to adopt a paranoid view of its employees. They, too, need to feel safe and secure at work, and they deserve a good security plan that protects their welfare. I am always amazed by corporate managers who freely admit they do nothing to protect employees who travel or live abroad. And I am not just referring to managers who have operations in hotbeds like Iraq or Afghanistan. I am thinking about managers who still believe countries such as Mexico, Colombia, and South Africa are safe.
I believe it is foolhardy and wasteful to think of security only in the context of today's current problems with Islamic extremists. While the fear of future terrorist attacks still looms over many Americans, especially after the recent train bombings in Madrid, traditional crime is and always will be the major threat to corporate America.
I reiterate the need for senior management commitment. Once committed, management should conduct a vulnerability and risk assessment to identify critical facilities. A "critical facility" could be defined as any facility, or combination of facilities identified as likely terrorist targets, which if severely damaged or destroyed, would have a significant impact on the operator's ability to serve a large number of customers for an extended period of time, would have a detrimental impact on the reliability or operability of the pipeline system, or would cause significant risk to public health and safety.
When analyzing the attractiveness of any facility from an adversary's perspective, I always view the facility in relation to the company's domestic environment. Any enterprise, particularly one that is part of or has large diversified interests, may be an attractive target for secondary reasons that do not directly relate to the company itself. This enables us to adopt a security strategy based on facility characterization, threat capabilities, risk acceptance, and cost effectiveness. Multiple layers of various security countermeasures can then be placed along the adversary's path to complicate his planning and provide additional "time and space" for response forces to react.
A strategic plan should also be developed on the expectation that security personnel, procedures, and physical protection equipment—including barriers, locks, and electronic systems—are designed to deter and detect an unarmed intruder. Companies operating in more volatile environments do not necessarily need to have equipment and processes in place that would neutralize an armed commando attack at a company-owned site. At that point, the company must work with law enforcement and, in certain foreseeable cases, national defense to defend against assaults.
However, if the company's security program can't even identify a suspicious person on surveillance—or stop a juvenile from trespassing on the property—then that company is open to a multitude of threats ranging from trespassing, sabotage, espionage, cyber intrusions, violence in the workplace, theft and, oh yeah, terrorism.
A good security program does not end with one checkup. An ongoing threat analysis and assessment is essential to the success of any sustained security effort. After all, while existing security needs are being addressed, new threats are always arising. Failure to update the threat assessment on a continuing basis may constrict a company's ability to protect itself. The components of a thorough threat analysis should include the following.
In deciding the level of protection that a particular facility requires, we need to initiate a process to determine how critical the asset is to the entire system. In addition, it is crucial to understand what level of protection we need to attain. For the company, it should not be our intention to protect against armed terrorists. This is unrealistic.
However, it is necessary for the organization to evaluate each location as it relates to the target's attractiveness from a terrorist's viewpoint. This allows the organization to prioritize and allocate security measures, controls, and personnel in a cost-effective manner. Adversaries usually evaluate a number of similar targets that potentially meet their objectives.
A target's attractiveness is directly proportional to how effective the attack is in achieving the threat's goals. While a facility may be vulnerable to attack by a given threat, it may not be an attractive target. If a given target was attractive to a threat in the past, it is likely to remain attractive in the future. The threat assessment, however, must be kept current and focused on a wide range of security threats. This is because an adversary's goals can change, evolve, or become more refined.
Good security does not necessarily need to be expensive. Likewise, there are absolutely no guarantees that good or even great security practices will prevent incidents from occurring. Unfortunately, too many people think it's better to do nothing, or do something cosmetic, and pretend that today's realities will simply go away. This is a mindset that comes from managers who are still guided by the antiquated notion that everything operates in a linear and predictable fashion. They analyze the obscure probability of attack rather than focusing on closing the gaps in their security. What will these managers do when an attack happens? They will have little choice but to hitch up the old buckboard and pay the family a visit.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.