The importance of having a plan of attack to address and mitigate risks and threats that your firm may experience from time to time cannot be underestimated. As we note to our clients, it is critically important to have a plan in place which has been tested prior to a realized threat against the firm. Rolling the dice, handling threats on an ad hoc basis, and not having a comprehensive plan certainly increases a firm’s exposure risk and the likelihood that a risk or threat may un-necessarily have a detrimental impact on operations.
Simply stated, we opine that a risk is a threat not yet realized. Our concept of security design and mitigation is to ensure processes are in place to first identify the risks to the industry, firm, site, and/or key assets, or what we call “emerald assets,” and second to have procedures, protocols, and resources in place to appropriately mitigate each one, ensuring the impact to operations is limited or mitigated as much as possible.
To assist in accomplishing this stated outcome, RANE’s Safety and Security Practice has developed what we refer to as the “Top 10 Keys for Security, Planning, and Execution.” Following this program enables firms to lower their overall exposure risk on safety and security matters. These keys, if adhered to, provides firms the capabilities to identify, assess, respond to, and resolve both risks and identified threats.
1). Understanding the Security Baseline
Simply put, this is the process by which current state security infrastructure is identified and mapped with the firm. This is accomplished through the review and assessment of current plans, on both a strategic and tactical level, to include site security, threat management, the internal threat assessment team construct, threat workplace safety, and technical operations and support. Interviews of key executives and appropriate members of the organization, i.e., legal, compliance, human resources, and the security department are conducted. During this process, the security department’s mission and stated outcomes are identified, recognized, and confirmed.
2). Company Culture Defines the Planning
During the course of conducting the interviews noted in key #1, a sense of the company’s culture is uncovered. This is a crucial aspect of the process because it will help identify the manner in which the desired outcome is to be achieved within the company, across the global enterprise. Specifically, the organization’s culture will define the delivery method as well as the type and structure of the security and crisis management programs, procedures, and protocols needed to achieve its stated goals. It is important to define the roles and responsibilities of security, human resources, legal, and compliance in furtherance of the stated outcomes, ensuring each stakeholder is represented commensurate with their respective roles as part of the overall team in achieving the outcomes desired.
3). Getting a Fix on the Threat Landscape
One of the keys to delivering a world class global security program is for the firm to understand its threat landscape, usually defined by its industry and operations, location, the type of product or service delivered to its customer base, and, to some extent, its client base. Identifying its critical business nodes, supply chain vulnerabilities, its environmental, social, and governance impact, is part of this process. Once the threat landscape is identified, through the development of an intelligence program, to include, social media and dark web monitoring, liaison with appropriate law enforcement and intelligence agencies, geo/political reporting, etc., the results will influence the type of security game planning is needed to achieve the stated outcomes.
4). Knowing the Online Risk and Threat Picture
Another key action to understanding the overall threat picture for the firm is to conduct an online risk and threat assessment, not only on the firm’s name but also on its key executives. The process of going through this discipline will reveal for your executives the risk associated with their existing online footprint, that is, what someone, with the desire, can find out about them from information contained online, in cyber space. Secondly, this action will also bring to light any threats online that have gone heretofore unidentified and/or not focused on. The identified threats will be folded into the threat management program. Any information which can be removed from the online space thereby limiting the risk exposure of key executives may be removed.
5). Conduct Threat Monitoring on Key (Emerald) Assets
This step represents the third component of uncovering and bringing to light the “known knowns,” related to the risks and threats directed at the organization and its key assets. As will be discussed in key #6 below, the firm’s thoughtful and thorough review of its key assets is critical to this step. Once identified, ongoing tactical threat intelligence monitoring, to include social media and the dark web, should be considered on a 24/7 basis to ensure that the security game plan currently in place is reflective of the current threat posture for both the company and its key assets.
6). Design or Inspect/Review the Crisis Management Plan
As noted above, a thorough and thoughtful review of company assets, on a global basis, should be conducted to identify the key assets for the firm, defined as people, places, data, intellectual property, etc., which if lost or compromised may impact the ability of the firm to conduct its operations. From this analysis, the firm will next define its crisis event(s) which, if it/they occur(s), may have a detrimental impact on its operations. The organization should then develop and design a crisis management plan, the purpose of which will be to successfully manage and resolve crisis events, limiting operational impact. The plan should be implemented across the enterprise and routinely practiced.
7). Conduct Physical Site Assessment
Related to its physical security infrastructure, a company should consider conducting a site security assessment at each of its physical locations. The goal of the assessment will be to define the current physical security infrastructure in place and to use the results to assess its propriety in relation to the current threat and risk landscape. An inventory of security hardware shall be taken and aged, assessing efficiency and effectiveness to the stated outcome.
8). Identify Risk Gaps and Threats
From the results of keys #1-7 above, the next step, key #8, is to conduct a comparative analysis between the identified threat landscape and the current security infrastructure, leading to the identification of gaps, threats, and risks for documentation, discussion, ranking, acceptance, and resolution. A gap, risk, and threat inventory shall be prepared and color coded for ranking purposes.
9). Conduct a Full Debrief
Once the results of key #8 are known, a full debrief of appropriate level executives is next to be done, with a plan of action to address and mitigate the highest ranked gaps, threats, and risks, to ensure the stated outcomes are accomplished. Understand the budget ramifications of your plan and, if needed, construct the proposal for outlays in support of the plan over several budget cycles, using a phased-in approach for completion.
10). Prepare and Execute on the Security Game Plan
Once approval is obtained of your security game plan as noted in key #9, execute on the plan in the budget cycle identified. It may seem like you are changing a tire while going 40 mph, given your current responsibilities within the safety and security space for the organization. During this process, it will be very important to focus on training for your security team and to build that into your project timeline. Conduct your due diligence during the RFP process and select a vendor who displays more of a commitment to you and your goals than just the delivery of a product. As you know, ours is a relationship business.
About the Author:
Brian W. Lynch is the Executive Director for Safety & Security at RANE. Lynch brings nearly four decades of senior management and executive level experience in the fields of law enforcement, safety, and security. Previously, Lynch served as Head of Global Security at Vanguard. He designed and executed the firm’s enterprise-wide Eight Phase Global Security Program which included the design and execution of the firm’s secure mail operations processes and training, as well as a 24x7 global operational model responsible for the identification, analysis, response, and resolution of security incidents. Lynch was also a Special Agent with the FBI, serving in investigative and senior executive level positions, over a 22+ year career.