This article delves into security, or what the writer describes as a resilience function. The aims of this article are to establish a mindset and potentially an awakening around brand/image challenges and risks to the resiliency/security function within an organization. Functional risks are rarely discussed in a security/resiliency perspective but are those that could create employment issues or an inability to support our respective goals from more direct threats, such as workplace violence, intellectual property theft and similar.
Survival of the Fittest
Survival of the fittest, Darwinism and its evolutionary theory does not only apply to nature, but it also applies to the physical security personnel, and more broadly, the security function within an organization/company. In my travels over the last two decades, I have had the pleasure to work with security leaders, those that are uniquely alert to their environment, and those that are distracted and regrettably a few that are naïve. In some instances, I have witnessed those that are distracted/naïve reacting too slowly to a functional risk, change in environment, culture, company/organizational mission only to have it quickly escalate outside their control with similar negative outcomes described in the theory of Darwinism.
Adaptation is a key component to Darwinism and it is a leadership trait that I have witnessed in proactive security leaders who are intrinsically connected to their environment/business/culture. These individuals more readily recognize and are more likely to adapt to functional risks/threats to their security function. The following represents broad thinking around the need for security personnel to constantly have a mindset around adaptation to functional risks.
The security function within an organization is one of the most misunderstood parts of an organization and I tip my hat those that recognize the benefits of a finely tuned security function. For those in a security function, the following is not something new, but rather an affirmation that a competent, proactive security leader(s) can wear many hats in an organization in support of their objective of preventing threats to organizational assets, and moreover responding to events with the goal of minimizing the recovery time and impacts to the organizations brand and image. Beyond the multi-disciplinary responsibilities that a security leader has, they will be the person that everyone in the organization will seek guidance and direction from during a crisis.
It can be difficult to fully convey the value of a physical security function within an organization because many consider a security function as a cost-center. This is reactive knowing that somewhere in the world security program is effectively deterring an incident before it escalates. It is impossible for the writer to capture the value of this statement regarding deterrence, because it is unfounded. This is one of the root problems with what many refer to as the physical security program. Security does not receive the visibility within the organization because the outcome of the event is not continually realized. Comparably, how do we know the effectiveness of a security program without an actual occurrence? IT and cybersecurity professionals have been more effective in capitalizing on the continual fear of IT security risks portrayed in the media, and the output of an organization’s IT network intrusion detection system to the C-suite. Point in fact, likely someone reading this is passing the time waiting for their password to be reset because they can’t remember or have incorrectly entered their 13-character alphanumeric password with symbols to gain access to their computer. It’s amazing to the writer that an executive or employee can feel so inconvenienced by security staff or door access control, but will openly tolerate a 10-minute duration to log on to their computer because of a password reset.
The IT/cyber group has done a much better job in positioning their value and implementing a culture that is so acceptant of obtrusive security protocols.
Understand the Business Environment
A good security leader is knowledgeable about the business environment. He or she follows the same periodicals, news stories that C-suite is following, and anticipates business challenges and changes. This allows better adaptation and response to those various challenges. Take the business case of one of my clients - a security director who had built a rapport with their senior leadership and gleaned that the organization would be investing much more heavily in international real-estate and business transactions. While there was a steady flow of international security due-diligence requests, he theorized that the needs and demands could likely increase in the future. Output from third-party consultancy firms was too slow and costly. Using this opportunity to better support the organization, he built a job description for an internal analyst, and leveraged the organization’s goals of hiring veterans to fill the position. He further reached out to his network, and assembled candidates that could deliver on the assigned position. Fortuitously, informational security due diligence requests began to pour in. The vendors stumbled and there were delays. Before the problem statement – “why is it taking so long?” could be asked, the security director delivered a business plan, solution and candidates to proactively solve the issue. The moral being that good networking, relationships and recognition of business needs, comingled with a program that leveraged business interests to support our veterans, ultimately yields in rapid consensus and value.
Amat Victoria Curam
Those that are prepared are victorious, and those that are prepared are more likely to address one of the biggest functional risks that a security director can have - face-time with the C-suite. The writer has observed security directors who have been siloed from their C-suite - a dangerous position to be in, especially when the business landscape changes. Ideally, security leaders should endeavor to engage their team and themselves by taking active roles in corporate sponsored programs, charities, events, and similar initiatives. These are quite easy to identify within the organization and a great way to get indirect exposure with the C-suite.
Beyond organizational involvement, consider proactively building plans and budget around high-impact threats that are likely to occur. These proactive plans will describe a strategy or program on how to solve a security challenge. I personally witnessed one security director’s proactive planning in a meeting with a C-suite team regarding an incident that occurred while the writer was concurrently conducting an assessment. This security executive indicated the challenges, showcased the reasoning for the issue, noted that he had identified the problem before the incident and had a plan. A member of the board asked – “Can you articulate this plan?” He then passed out a small binder, which identified the problem, the solution and costs associated with fixing vulnerabilities that allowed the threat to occur. He had indicated that the costs might need to be updated, but the program was solid. I have never seen a budget approval so fast in my life. Since that time, I call this strategy a playbook, because the prepared are victorious.
Security leaders will also have to understand sales and know how to make an “elevator pitch” for their function. Another client described to the writer how he obtained funding for a business impact analysis and head-count for a business continuity function. While in an elevator with an executive, the security director used the impact of events during Hurricane Katrina to showcase the need for a business impact analysis and business continuity position, citing information from the Wall Street Journal on the losses because of the lapses in recovery. Within a short elevator ride, he obtained interest and subsequent buy-in for the proposed solution and head-count.
Maintaining C-suite visibility of the security function is sometimes as easy as embracing periodic communication through updates to senior leadership on noteworthy internal/external incidences, geopolitical issues, vulnerabilities, initiatives and other relevant intelligence or security events. These briefings should be very direct and short to facilitate easy comprehension and are excellent for instilling confidence in the program/leadership, but can prevent a potentially mundane event from escalating and negatively affecting security operations and reputation.
Understand Functional Risks
Security practitioners, can be singularly focused on the core responsibility of their organization and lose visibility for internal, political, or other functional andorganizational risks that could limit a security practitioner’s ability to fulfill the organization’s or security function’s core mission. These types of risks are typically more damaging, and are relatively unseen and can create a bigger impact to the image of the security function. For instance, the writer has seen executive leadership lose confidence in the entire security program because of poor performance of a single element that was under the security department. Take the case of an executive driver (chauffeur) who was consistently late and rarely picked up executives on time. Unbeknownst to the security director, a function that was arguably not security related, had indirectly created functional brand, image and confidence issues for the security group. Luckily, the security director was tipped off by another executive, which allowed him to address the issue and correct it. The security director was able to turn the negative stigma into a positive message and face time with executive leadership. The learning lesson here is that the C-suite may not directly describe their dissatisfaction until it’s too late and visibility across the security function must continually be maintained.
The recruitment and retention of millennials and their approach to work environments is another functional risk that many do not fully comprehend. According to the Harvard Business Review, (Brandon Rigoni, 2016) understanding what motivates millennials is key in recruiting and moreover retaining them. While recruitment is clearly not difficult, retention is the aspect, which can create significant productivity, retraining costs that can erode budget, and moreover create leadership concerns within the organization because of staff attrition. Philosophies around work, disruptive technologies, and human resources processes are challenges for security professionals with a low tolerance for change and adaptation. This mentality could create broader functional risks, especially with newer employees that are more apt to vent their frustrations via a variety of digital/verbal mediums. For security leaders that are introspective and adaptive, they will seek other direction through other resources such as MIT Sloane Publications and similar. This publication provides thought leadership on hiring, workforce management, and team-building, leadership strategies that will boost workforce engagement, which is a phrase that many organizations are building into their core mission and should not be overlooked by someone charged with the management of a security function.
Model Program
Brand and credibility for the security function require a consistent message that is delivered across the organization, and the requirements include a structured team of professionals, chain-of command, leadership and alignment across the organization's mission. The organization of a security program should look something like the graphical presentation below. It begins with the organization's mission and moreover the protection of assets, which can be tangible or intangible and is the top of the structure. Ideally, there will be a head of resilience/security or surety – more on that later.
The head of resilience will have two lieutenants, one on the physical side, and one on the Information security side aligning with the Board/CEO’s mission. These individuals would be forward thinking looking at the operational risks to the organization and will create related security policies. These policies will be communicated to the remainder of the organization via directors, who will align with other organizational leadership, such as human resources directors, legal, safety, and similar. These directors create and enforce the policies by developing procedures, which are directed to the security officers or what the writer describes as brand ambassadors. The officers/brand ambassadors deal with tactical risks, and will be the first to be seen when visitors, public and patrons arrive at the site; and will be measured on multiple performance metrics. They are in effect, the foundation of the program.
Convergence – The Take Over
For those in a physical security function, the writer submits that the term “convergence” is not dead. It is very much a concern, and is a functional risk that should be evaluated by all security leaders, which gone unchecked, can interrupt the core mission and goals of the security group. Today, Information Technology (IT) Security has effectively undermined physical security terms and phrases, such as “security assessment”, “risk assessment”, “security controls” and “intrusion detection” have been assimilated by IT security professionals. This fact is corroborated by those in a physical security function reading this article that have been propositioned with IT security job opportunities via LinkedIn and other avenues.
More broadly, this holistic terminology has led many organizations and their respective executives to lump security into a single bucket, making decisions that can create significant impacts for the organization. Take one of my client’s recent re-organization of a physical security function that now reports to IT. Within weeks, the IT department dealt with their first workplace violence incident – you can imagine how that went.
Many security directors now find themselves having to justify or approve their technological physical security investments to IT without robust mutually agreed framework or standards. This is especially true to that of computer servers/head-end systems but more directly attributed to the Internet of Things (IoT), or edge devices that reside in the IT networks and respective domains. Security directors, now seeking to implement these systems have several obstacles they must overcome, such as service level agreements. A once simplistic addition of a surveillance camera now requires multiple layers of approvals, escorts and costs by other groups than those from physical security. The writer has observed physical security departments hire people away from IT to support the security function, limit the approvals, and cross-department charges.
With regards to budget, this is one thing that many IT leaders did that differentiated them from their physical security counterparts – they created a business process for their function/systems. Though still a cost-center, the IT function is now well embedded in organizations with a cross-functional service charge model and is invariably, just hidden in new project costs, and organizational service charges making IT more self-sustaining and resilient to organizational change.
There are security directors that may cave to the influence, fight the ever-growing influence of IT, and those that will embrace it. For those that paddle up-stream, you will find rough currents, rocks and other boaters that chose not to fight the current. Ultimately, if you choose the latter approach, you will be mentally fatigued, exhausted and more importantly, it will be immediately apparent to those around you that you are not a team-player. Without a doubt, IT functions today are quite mature and generally carry high credibility in an organization. It is only sensible for a security leader to seek alignment and partnership for addressing holistic security needs, such as:
- Establishing a Service Level Agreement (SLA) for security technology
- Standardize and partner on holistic security technology that benefits both functions – Single-Sign-On (SSO) or mass notification.
o Mobile credentialing
- Establish network approaches for security sub-net, VLAN, and realistic goals – 100’s of cameras stored on the cloud not being one.
- Develop frameworks and strategies together and jointly pitch to senior management.
- Align investigative and incident management resources.
Wait – Stop Using the Word Security
The psychological stigma extends past the fundamentals and metrics of performance, and is inherent in the organizational titles that we have adopted. Security professionals are so hung up on the use of the word “security” that many have failed to see the negative stigma associated with the word for others in a decision-making role. I have rarely been in organizations where the physical security function is accepted as equal in terms of credibility as other departments. This is a dangerous position to be in because it undermines the security program and sets a negative precedent. At the core, the term “security” does not effectively identify the value of the program to the organization.
Conversely, there can be positive psychological effects with aligning a security mission to that of the organization and adopting something that has more of a proactive meaning such as: asset protection, resilience, surety or another value-based term. This rationale is rooted in a hypothetical question that I have delivered over the past decade to clients, which is: “For a moment assume that you are now the chief financial officer for your organization, and the writer wants you to make a budget decision based the following statements alone. Which of the following statements are you most likely to support a budgetary allocation for: I need $100,000 for my security program or the alternative being I need $100,000 for my asset protection program. One statement draws upon the aspect of cost, while the other one is indicative of value and potential cost savings. This is something that the security function, which shall be henceforth, referred to as a resiliency function, should strive for - a message that communicates value and return on investment as opposed to cost.
A rebranding of the security function will begin with a C-suite conversation, plan and executive buy in. Once achieved, establishing a communication process, approach, and moreover, a mission statement or slogan will be important. A cornerstone in the communication is a messaging that that will need to be “sticky”, adopting principles that are resident in the book Made to Stick: “Why Some Ideas Survive and Others Die”. Other ideas will include leveraging intranet web pages, internal blogs, inter-department messaging, and alignment across the organization with other stakeholders. This will take time, but persistence and dedication will yield results.
Metrics, Metrics, Metrics
When evaluating resiliency from a business perspective, many resilience functions do not adequately track calls for service and incidents or other forms of metrics. In comparison to a business model, investments will be made on business plans that utilize metrics to inform and validate budget requests. This process is no different for a resiliency function. All aspects of metrics should be captured from incident response, resolution, investigations/recovery, number of incidents, casualty claims tracking/trending to justify technology and innovation or staffing needs. In one instance, the writer observed the head of an asset protection function partner with risk management to assess and implement environmental/architectural and technological controls to minimize workplace assaults and casualty claims within a hospital.
However, he learned that besides their ability to realize reductions in casualty claims, there was another positive outcome – a reduction in staff attrition. In this way, the asset protection leader had managed to solve two problems for two different departments, and showcased real metrics of performance with positive outcomes. In another example, the writer utilized technology to accurately predict resilience staffing for the lobby of a large office. Prominently, there were three officers within the lobby to manage peak number of visitors. However, these officers were underutilized. Having reviewed the visitor management system, we could accurately predict expected demands on resilience staff during peak visitation times. During non-peak times, resilience officers could be re-deployed to patrol core/shell areas and the exterior of the building, thus better showcasing the presence of resiliency to tenants.
There is so much “Big-Data” out there that a competent resilience function can identify, capture, monitor, and manage that data for a much more consistent and beneficial application of controls.
Changes in the Environment
Our physical work environments are changing in response to organizations’ drive for transparency, collaboration, mobility and future millennial staff. As organizational architects, designers and work strategists have mixed opinions about new workspace concepts, there is still a need for protection to be adaptable and as innovative as these environments themselves. Organizations are seeking transparent, collaborative and quasi-public environments. A fact which is represented in the architectural design philosophies for companies such as Apple, Google, and Salesforce within cities, such as Milwaukee, Boston, Minneapolis and San Francisco where a massive transit center project will blur the lines of public and secure spaces.
This architectural and philosophical movement can be daunting for any organization, however for organizations that have third party or government regulations, such as financial/insurance groups there can be significant challenges. Regrettably, design concepts for resiliency are typically misunderstood or downplayed, only to be later bolted-on with undesirable aesthetic architectural effect. Understanding the change in operations is the first step in understanding the direct risks, and the functional risks that could affect the organization or more granularly the resiliency function. Resilience programs that involve public functions require different approaches, which are best implemented early through architecture. However, something that needs to be addressed is staffing and training. A once secure, now public facility that had staff that used authoritative approaches will need to be more customer friendly, and de-escalation and conflict avoidance training will be more important. Why? Unchecked, previous cultural resilience protocols could land a negative video or live-stream squarely on the desk of an executive or worse on the nightly news. Invariably these quasi-public environments reduce the space for stand-off that once was present and may necessitate additional staffing to accurately respond to calls for service.
It is most important that any environment be adaptable, flexible to different levels of threats. Innovative solutions through staff, technology and architecture should be sought to manage public, visitors to maintain the mission of the organization, inclusive of openness and transparency that may be desired. For newer properties, integrating early on with architects/facilities will yield significant benefits than retroactively having to implement obtrusiveness because of a lack of proactive guidance.
Disruptive Technologies
The mobile phone is the ultimate technology that is the most disruptive. Mobile phones create issues around productivity, efficiency, create awareness concerns and further can create significant brand/image issues through phone applications and moreover the ability to broadcast live or record video. Resilience leaders should assume, and communicate rules around mobile phone usage and social media, and further should communicate that staff are constantly under surveillance and can directly affect the image/brand of the function or worse the organization.
In addition, mobile credentialing, single-sign-on and the mobile ID are poised to revamp how we recognize people in our facilities and potentially are a threat to the removal of the corporate Identification card, a staple in the resiliency awareness program. However, there are several benefits that these devices can provide. Bluetooth beacons can communicate where people belong and where they don’t. Done effectively, unifying a credential under a convergence model could streamline IT, physical access and even visitor management. Mobile devices could allow us to communicate and respond to incidents, and provide better situational awareness to patrons and visitors alike.
Other disruptive technologies include drones, which are getting smaller and more sophisticated and we will likely see them used in a more malevolent or destructive means, beyond spray-painting a billboard in the future. Beyond drones, the “Dark Web/TOR” browser and select sites should be on the reading list of every resilience leader. Partnering with IT departments and attending DEFCON and similar conferences to obtain visibility on vulnerabilities and expected/proposed changes in the digital domain is a must. Understanding the benefits, drawbacks and vulnerabilities to these technologies is incumbent to having a voice in these discussions with stakeholders about implementing them. Some of the key benefits from understanding of disruptive technologies are:
- Adjustment of the risks and mitigation solutions/controls to demonstrate proactive thinking.
- Staying ahead of regulation and compliance challenges.
- Improving the skill-sets of in-house resilience personnel.
- Contributing to the positive image of the organization.
- Maximizing areas of efficiency.
Knowledge/Networking/Communication
DEFCON, BlackHAT, RSA, TED, TOORCon, SchmooCon, CCC Conference, and others are great opportunities for obtaining information about technological and leadership vulnerabilities. Beyond, going to conferences, resilience leaders will start creating labs, projects to identify likely threats that could be manifested by technology. The tools, knowledge and desire of an aggressor are key aspects of the probability a threat will occur. Take the threat of “lock bumping” that was showcased across the world, and many people panicked and manufacturers and vendors rejoiced. However, for one resilience leader, he had been bumping keys for two years, before the media storm. He learned that there were many variables to bumping and that it was not as easy as described by the media. This knowledge helped him articulate the vulnerability to C-suite and more over identify the likelihood of occurrence and introduce measured controls to prevent an occurrence.
Beyond knowledge, a good resilience leader should also have access to and communicate key pieces of information that are available under private/public relationships and the organization’s peers. Furthermore, attending these conferences, you will obtain insight into your IT colleague’s challenges, and better relate to them. The key to relationships is having something in common – you may need to adapt to form those relationships.
Establishing contact with the Department of Homeland Security (DHS), Homeland Security Information Network (HSIN), InfraGard, Tripwire, Overseas Advisory Council (OSAC) and other government and non-government organizations is of critical importance. A resilience leader who has established these contacts and informational resources is in a better position of communicating and filtering information to senior C-suite before contacted directly by law enforcement and DHS, which can have negative effects on the brand of the resilience function. Further this public/private network will afford solutions and contacts which will showcase involvement of the resiliency function to executive management.
Final Thoughts
So, consider this article cliff-notes on adaptation; certainly, the word limit does not afford the writer the opportunity to delve into every functional risk or related control. However, what we have done is created an awareness of an ever-changing environment. For those that take heed, they will address functional risks like any other risk and will evaluate the respective resiliency program and ascertain where there are gaps in either direct or functional risks. A method that has been successful is an introspective, committee-based meeting, which evaluates specific metrics, such as staff performance, recovery, efficiencies and response programs.
This white-board meeting is truly an excellent method to uncover opportunities, risk management and potential functional risks to your resilience function. Depending on your organization, some vulnerabilities may be easily controlled (thus producing immediate positive outcomes), while others may be more challenging. It is incumbent on a resilience leader to ascertain the degree of change an organization can tolerate. Too little change - the effects will be marginal; too much change - you could be received as a disruptor – arguably the worst thing that can happen.
The competent resilience leader will walk a fine line, leading the organizational efforts of analysis, management, implementation, and refinement through constant adaptation. For those starting a new resiliency position, the need for communication, awareness, rapport and network building will be crucial. The direction of change to the functional framework will not be easy or swift, but a necessary step that should gradually occur over time and leads to adaptation that will answer the Darwinism question – Is your function the fittest in the organization?
About the Author: Sean A. Ahrens, CPP, FSyl, CSC is the Security Market Group Leader with Affiliated Engineers, Inc. a multi-disciplinary consulting and design firm that provides security consulting, assessment and design solutions for projects worldwide. Mr. Ahrens can be reached at 312-977-2857 or [email protected].