Post-COVID-19: Plan Ahead

Don’t get comfortable at home. We need to start planning ahead. Maybe not today, but as soon as possible.  Life as we know it today will end.  (It has been a long time since anyone said that as a positive sentiment, right?!) But, we need to be ready for it.  The chaos we have been through dealing with shutdowns, lock-ins and social distancing will be nothing compared to the challenges we are soon to face in ramping back up.  Pre-COVID-19 life was busy enough. Think what it will be like for the weeks and months following the “All Clear”.  It will come.

Here are just a few of the things we will have to deal with:

  • Employee Repatriating
  • Facilities and Systems Re-commissioning
  • Policies and Procedure Implementation
  • Compliance Review
  • Resource & Contractor Engagement
  • Production Ramp-up
  • Client Inrush
  • Employee Throughput

I’m sure this is the short list, but you get the idea.  This sounds like the start-up of a new operation and in a way, it is.  Post COVID-19 won’t just be turning the lights back on.

Through all of it, we will need to keep an emphasis on security.  I believe that as much as criminals and terrorists may have tried to exploit the events of COVID-19, it will be an even greater challenge as businesses, government, the economy, etc., begin to restore.  In some situations, you might have to hit the reset on “Zero Trust”.  At a minimum, you will have to take measures to regain and ensure compliance with your corporate and external requirements.  On the systems front, hardware and infrastructure will be challenged with the inrush of heightened activity where it has been dormant for a while.  How will you prevent or deal with potential failures during restoration?

Whether from legitimate threats, or just the events of restoration, there will be plenty to deal with Post-COVID-19.  There are security professionals who can help you prepare and thrive through the restoration. We can come out of this even greater than we began.  We can help you start planning for success. You are not alone.

The Consultant’s Value Proposition

Three security professionals went fishing, a manufacturer, an integrator, and a consultant. To be continued…

Sounds like a funny joke in the making, right? When it comes to security management of a corporation or organization, though, there really aren’t any good jokes. The organization is faced with the reality of managing budgets and resources to appropriately mitigate the constant risks that push to undermine the goals, obligations and mere existence of that organization. While the importance of the security team and their operations is obvious to anyone who thinks very long about it, there is an ongoing challenge to validate costs and show that security is a business enabler. The security manager spends part of his time overseeing the security operations, and possibly the majority of his time lobbying management for the resources they need to carry out their responsibilities. Right about now you are asking, “What does that have to do with consultants?” The relevance is: the consultant to security operations is what security operations is to the organization. The consultant is a security enabler.

The best way to think about a consultant is as an Owner’s Representative. A true consultant does not pursue the agenda of any specific product or solution, but assists the organization to identify its true condition and evaluate the best way forward in the interest of the organization’s goals and objectives. The consultant is a “truth teller”, in that they will help the organization see itself for its actual condition, and not be influenced by what the organization believes itself to be, or by what an outside party has convinced them of. The consultant receives no benefit from presenting anything other than what is in the best interest of the client. Now, as with any professional, there can be those who seek to promote their own cause through “busy work”, but the respected, seasoned consultant understands that approach is short-lived.

So, you may ask, what about the manufacturers and integrators? Why can’t an organization simply rely on their input, along with internal security staff to accomplish the desired results? I do not in any way want to disparage relationships with manufacturers and integrators. The consultant cannot do that work or provide the products. The manufacturers and integrators, however, can only offer the products and services they provide, in order to promote their own business model. They may be able to provide some level of evaluation and recommendations to the end-user, but those will always be in step with their own products, as they should. Where there are existing, effective relationships between owner, integrator and manufacturer, there is still value provided from a non-biased third party as consultant, whose primary objective is to ensure the organization’s best interests are incorporated in all security efforts. Whether for internal interests or for regulatory audits and assessments, a consultant will provide effective, realistic evaluations and reports on the overall health and fit of an organization’s security practices, systems and technologies. When considering new opportunities for technologies and solutions, the consultant is going to help the organization define their objectives, identify the best solution, justify that direction and support the client through the implementation process.

Aside from the security systems discussion, the consultant also provides value to the organization through evaluation and support of operational developments. In a typical security risk management program, there is never an opportunity to pause. Today, security risks are more prevalent and continue becoming more advanced. So must the mitigation efforts of the organization. A consultant will provide value to the organization through evaluation and recommendation of best practices to continually develop and advance the position of the security program. The biggest challenge to any security team is finding the time to step outside of its daily activities for self-evaluation and development. If they do, they are so immersed in their existing condition, it is impossible to see some of the simplest opportunities. Possibly most important, the consultant will assist the security team in building credibility and value throughout the organization and with upper management. The truly effective security program is one that has support and engagement across the entire organization and from top to bottom, a benefit that is nearly impossible for a security team to accomplish on its own.  Most of all, protecting the integrity of the organization by helping to establish a first-rate security program: priceless.

And more than likely, another benefit of the consultant is that everyone will sleep better.

The security manufacturer, integrator and consultant who went fishing took their clients, caught lots of fish and had a great time! No joke!

Convergence vs “vs”

The term convergence is not a new one and the definition is still basically the same regardless of the application. It simply means coming together. Back when I was repairing TVs, before I got into the security industry, we had to correct the “convergence” on color TVs from time to time. This was especially true for the projection TVs. We would adjust the settings for the Red, Green, and Blue color beams in the CRT so that they aligned to create a crisp, color-correct image on the TV screen. Basically, we were getting the color beams to “come together” effectively for the best performance. Sure, you could still watch TV if that was not set correctly, but it was not near as enjoyable. In the security application, the idea is the same with physical and IT security operations. Where there are two different departments responsible for the Physical and IT activities in an organization, there is frequently friction between the two groups which is not productive for the organization. The term is commonly used to describe the inter-operability in technologies between security systems and IT systems, but there also needs to be convergence as it relates to the operational integrity between the Security and IT departments.

If your organization is still struggling with operational convergence, you are already behind in the game. I am still seeing a lot of conversation and posts regarding organizational convergence, which is a concern to me. There are very few situations where this can exist without consequences to the organization.  I know.  I’ve lived it. Failure to have a solid enterprise security engagement impacts not only the security of your organization, but others as well. Organizations that are not already operating in this mindset are adding overhead to their security operations on both sides of the switch, which creates additional risk, complicates security operations and frustrates those who depend on these services. The result is a “vs” mentality and nobody wins.

This may come across very harsh, but that is how critical this situation has become. I base my position on three primary observations, though there are others.

  1. All modern security platforms are converged, which creates dependencies. If the Security and IT relationship is not also converged, it is likely a “vs” struggle.
  2. Physical vs IT power struggles diminish the effectiveness of both. Without a converged approach, managers spend more time protecting their turf than protecting the organization.
  3. Physical vs IT management leaves gaps that can be exploited or cause friction. Either proper system management practices are not developed, creating risk, or they are overdeveloped, reducing system effectiveness. Either way, enterprise security is diminished.

If you find yourself in this position, there is hope, but you can’t waste any more time. The longer you wait, the riskier your position becomes. Even though there might be inherent technology convergence in your systems, that can’t be fully realized until the two departments also achieve convergence. The hardest part is developing a trust relationship that understands the mutual dependence and the common goals between Security and IT to support the organization. From there, develop a Memorandum of Understanding (MOA), or Mutual Service Level Agreement (MSLA) between the Security and IT departments. The purpose of this document is to establish agreed-upon Division of Powers, Responsibilities, Service Level Expectations, Systems Ownership and Organizational Accountabilities. Establishing a Governance Team with representatives from corporate leadership, Security, IT and stakeholders will help ensure continued stability and cooperation moving forward. This effort requires time and hard work, but the end result will benefit the organization immensely from that point forward and create a state of security that can’t be realized any other way. Push for organizational convergence, and keep the “vs” on the sports fields.

Sometimes You Just Have to Make a Change

I have put it off as long as I could. I have been hoping for a replacement to my trusty tool, but alas, it doesn’t appear to be coming in time. I went through this once before, about 5 years ago and was happily relieved by a resurgence of support, but that has again fallen off and a repeat revival is not evident. Yes, I am talking about the Windows Phone. If you never owned one, you wouldn’t understand. I tried to change to an Android phone about 2 years ago, and switched back after heavy withdrawal symptoms. The promise of endless apps was not sufficient to overcome the security blanket and comfort of my Windows Phone. There are convenience and functional capabilities that iOS and Android have not yet attained, and likely never will. There is new hope of a Surface Phone being debuted the end of this year, but support of the old Windows Phone platform is rapidly diminishing.

This experience has given me new appreciation for security managers who are reluctant to pursue upgrades to their security systems. It is a distraction from the work at hand. It is costly. There are many unknowns. It will require a lot of training. I’ll have to change how I do things. What if it puts me in a worse position than I am in now?  Believe me, I get it!

That is where security consulting services come in. While the rep at the phone store may not be able to resolve all my concerns about the phone platform swap, a seasoned security consultant will be able to help the security manager through these questions and concerns. My first approach is to work with the client to evaluate and optimize existing systems and operations to achieve greater effectiveness. If a replacement is the best path forward, then I work with the client to ensure a successful outcome with as minimal disruption as possible. The bottom line is sometimes it takes strong leadership and determination to do what is best for the organization and pursue change, but you don’t have to go it alone.

iPhone, here I come.

What You Don’t Know Can Hurt You.

I was recently talking to a good friend of mine who was listening to my explanation of our new Risk Sentry security risk assessment service. In helping me to develop my sales message, I helped him realize that every company needs this service. He is a high-level director, in charge of acquisitions for a global corporation that everyone would recognize. He played the role of C-Suite executive and came at me with the typical mindset. “We are a large company who has been around for over 100 years and we know what our risks are.” I asked if he felt their IT systems were secure. “Our IT department has hundreds, no thousands of employees watching our infrastructure with the best security systems and we stop millions of intrusion attempts a day.” I reminded him of a well-known global retailer with a likely equal physical and IT security presence which had a network breach that compromised millions of credit card users’ data. He was shocked to learn that the vulnerability came through the HVAC system’s corporate network connection and that such vulnerabilities were known by many of us prior to that breach. “That’s the story you need to be telling”, he said.

Ignorance is Bliss, Until it Isn’t

Ok, I’m going to apologize right up front for the clichés, but if history didn’t repeat itself, all we would have is 20/20 hindsight. Some say they would rather be lucky than good, but that is what you are left with when you don’t know what you don’t know. Sorry, I think I’m done for now.

When it comes to security, clichés are the last thing you want to rely on, especially when… uh, never mind. Unfortunately, even if unintentionally, that can be the case when a security department is stuck in the status quo. There are a variety of reasons for that, but busy-ness tends to be the most common, along with limited budgets or staffing. However, when the rubber hits the road, ignorance is no excuse.

Seriously, as security professionals, it is our responsibility to know the condition and needs of our organization. Even if we are not able to act on everything, we need to have a plan, and the first place to start is with an assessment. While this effort isn’t necessarily a risk assessment, issues will likely be identified that are risks and can be addressed in the process. Also, any gap in operational capacity can be a risk, but the focus of this assessment is on establishing a baseline of the current security operations from which a developmental path forward can be developed. Personally, I believe this is the most important service I can offer, as it gives the security director knowledge and the ability to start prioritizing next steps. I’m afraid that sometimes people think that an assessment just means recommendations for spending a lot of money to replace stuff or a major organizational revamping. In reality, at least in my approach, the result of the assessment is to find the issues that can be resolved with minimal effort. It may be by using features or capabilities in a system that haven’t been developed or changing roles and responsibilities of staff to drive greater efficiencies. Yes, we also want to look at the big picture and provide valuable information that can help drive long-term goals, but as the smaller, achievable initiatives are met, the larger tasks don’t seem so far out of reach. Investing in a thorough assessment from an experienced professional can be the best money a security department spends.

It is possible that a security department could find the time to do some of their own assessments, but seldom do they have the time necessary to do a thorough review, along with their regular responsibilities. Additionally, they may not have the experience necessary to see all the gaps. The best approach is to bring in an outside perspective, in the form of a security consultant, (I might know of one or two), and have them provide a two-part service. Part 1 is the assessment to establish existing conditions and identify gaps in operational requirements. Many times, the assessment will identify hidden risks from policies or procedures that are not being met which can be resolved with some corrective measures. Part 2 is to provide a road map or Security Master Plan that describes the opportunities that can be achieved. The plan prioritizes short-term tasks that provide benefits which can be achieved with limited time and cost, and creates a phased long-range plan for improvement over a 5 to 10-year period. I recently provided these services for a regional airport and documented information that they could tackle on their own and provided options where I could help them work through more involved activities. The bottom line is that they are better informed to take action on the items I addressed.

While security consultants offer many services to support an organization, they should always begin with some level of assessment. After all, no one wants to get caught barking up the wrong tree. With a good understanding of your security environment and a road map in hand, you can have a great deal of confidence in charting a course for the future.

Knowledge is power.

Door Hardware Headaches: Some Things Never Change

 

With all the new technology we have at our fingertips today, it is still the field hardware that seems to cause the most challenges in project development and installation. Even though it is not my most valuable skill nor is it my favorite activity, I’m pretty sure I could retire quite wealthy if project managers would just hire me to review and correct door hardware schedules for their card access control applications. Part of the challenge is that there are usually at least 5 trades involved in construction of the access control doors: architect, security, door hardware, construction, electrical, and sometimes even a low-voltage contractor. Additionally, the door hardware seldom is available from a single manufacturer or supplied through a single vendor. An experienced security contractor typically has the best handle on coordination, but many times they are not engaged until most of the hardware is already purchased. Unfortunately, unless someone who really understands how everything fits together gets involved early on, most issues end up getting resolved through change order after change order, or at the end of the project.

While some manufacturers have good tools to help piece applications together, they are limited to their own products. The biggest asset to effective door configuration always starts with a Sequence of Operation that addresses how the door is expected to work to meet the operational and security needs. Even that takes a certain skill to understand and document all the functional aspects of more complex door assemblies. From the SOO, the proper hardware and installation can be specified and detailed. Of course, aesthetics, finishes and construction techniques always play a part and will limit the hardware and vice versa. There is always a trade-off between looks and operation that should be determined early on in project design.

There are many aspects of door configuration that have to be considered, such as codes, swing, handing, latching mechanism, egress requirements, wire routing, power supplies, frame and door type, sensor placement, etc. Just about the time you think you have everything all figured out, a new building code pops up and you’re back to the drawing board. Those details affect the plans and materials provided by each of the contractors involved in a project. Doors and frames are prepped from the factory for the hardware to be installed.  Conduit is run to the rough-in location of devices.  Locking hardware is ordered to meet the design and security equipment is configured to control the hardware.  If you don’t get the details right to start with, project costs can quickly get out of hand resolving them during construction. All this discussion is to show one example where engagement of a security consultant such as Advanced Security Consulting will likely save money and time on the overall project, and will definitely reduce headaches.

Mental Radar

I am deviating from my typical technical topics to think about our approach to responsibilities in life.  I’m not sure what caused me to develop this, but I felt it was worth sharing.

In the security industry, we all understand the concept of situational awareness, at least when it comes to securing people and property.  But situational awareness should be a priority in all areas of life.  In other words, the opposite of clueless!  In sports the great athletes are the ones who “see” the whole field or court and are able to make great adjustments in real-time.  They know where the issues and the opportunities are going to be, and they are able to stay ahead of the game.

When I was teaching my kids to drive, I tried to get them to visualize their environment and create a “radar screen” in their mind from their entire vision including mirrors.  Even though they may not be looking at all the cars or obstacles around them, they mentally realize where they are and then update that image from each new glance.  Of course, car companies are building the cars to do that for us now, but the human ability is no less important.

Situational awareness as a human trait is stronger in some than others.  To a point it can be learned, but it always requires focus.  Some people can appear to focus on multiple tasks, but one will always distract from another.  One person may be able to aptly manage 5 activities simultaneously better than others can manage one, but to do the best at anything requires focus on that one thing.  I was reminded of this recently when rereading Peter Drucker’s timeless book, The Effective Executive, which is probably what started me on this blog topic.

There are so many applications here that it is hard to pick a single direction, but my point in this blog is simply to bring awareness to the concept of awareness in all areas of life.  Develop that same ability you used to excel in sports, business or whatever, to also build your family life, spiritual well-being, health and yes, your driving.

I believe one of my gifts is the ability to create a mental radar of activities I am involved with.  Whether developing and managing security systems, finding my way around a new town or engaging in a group collaboration.  Being able to visualize the big picture helps me to understand the objectives and challenges to achieve the best outcome.  I admit, I can do better at this in some areas of my life.

The bottom line is, it is a choice.  We can go through life oblivious or make the effort to fully engage in each of our environments and bring out the best in all of them.

Ecclesiastes 9:10 Whatever your hand finds to do, do it with your might…

Chasing Tech: Physical Security Distractions

“We have our physical security program well under control with all risks in check,” said no security manager, ever.

Aside from the demand of security responsibilities it is human nature not to be satisfied with the status quo, and especially in our current society.  If that were not so, there would be no commercials on TV, radio or (insert your favorite social media).  Physical security is no different.  Sure, the motivations are different and likely appropriate, but the push for the next great thing is still there.  If I just had that AI embedded, video facial recognition, biometric access, false immune, self-monitored, automated enrollment… uh, what was I talking about?  Oh yes, distractions.  Ok, that may be a very sarcastic view of new technology, but I think you get the point.  Before I alienate my manufacturing friends, let me say that progress and technology advancements are a good thing, and you definitely don’t want to be herding dinosaur bones, but where is the balance?  Let’s take a look at the big picture of physical security management through the lenses of three common pitfalls, and then we’ll look at the well-focused approach.

Lens 1. Wide-angle

This approach is many times called the whack-a-mole approach where you try to engage everything that pops up with the same priority.  This is also the mile-wide inch thick mentality.  These managers cover a lot of territory, but not very effectively.  Whatever you call this approach to new technology engagement, the results tend to be a lot of money spent with very little value to show for it.  There is not enough effort put into implementation, training and process development, and even if the new solutions somehow manage to remain in operation, they don’t meet their full potential. The risk is that everything has holes and vulnerabilities because it never matured in operations.

Lens 2. Telephoto

The other end of the spectrum is the approach where security managers spend their time chasing “bleeding-edge” technology, but never pull the trigger because something else comes along before the last one matures.  Squirrel!  If a new solution does somehow get implemented, again, it has not been developed and established well enough to become a valuable part of the operation, and usually presents more risks than it resolved.

Lens 3. Hey, the cap is still on!

This security manager is oblivious and just keeps plugging along with what they have.  They may have everything operating at top performance, but the world has passed them by.  The risk in this scenario is that anyone can buy a hack for the old technology and process can’t plug the holes anymore.  Lack of time or budget are usually the excuses given, but sooner or later an event will occur that will cost even more time and money.

Now let’s consider a well-focused, varifocal approach.  

The balanced security manager is not distracted by the next big thing, nor are they scrambling to address all challenges simultaneously, but they are trying to be pro-active.  Wisdom tells them to evaluate their security environment, identify and prioritize the risks and then find the most effective approach to mitigate each risk appropriate to the need.  They identify the needs then identify the solution, rather than buying a tool and then trying to find the problem to fix with it.  Sometimes new technology is the best solution, but other times it may just require refitting existing resources with new processes.  In both approaches, developing a thorough program that defines objectives, provides training, documents implementation procedures and generates accountability will win the day.  

There are times where a new product will present itself as a possible solution to a known operational challenge.  In this scenario, it is appropriate to investigate that opportunity based on the need and priority that has already been identified.  It must not distract from higher priorities. 

It can be tempting to try and do all this work internally, but that is not always the best approach.  Engaging an outside, non-biased resource can help see through the day to day routine, and will have time and experience to help develop these programs, ensuring the highest level of success.  Advanced Security Consulting can help you see the big picture and focus on what is important for your security operations.  

Risk Management: What Keeps You Up at Night? Part 5 & Series final

Thanks for following this series. I hope it has been informative and thought provoking. For my final entry in this series, I want to present the product life-cycle management program. This is more than a preventative maintenance program, as it looks at all aspects of maintaining devices and assemblies of one or more security systems. This is another security program approach that takes your operations to the next level, ensuring the highest ROI on systems investments and reducing risks from outages, poor performance and outdated product.

To effectively manage this program, it is important to have a robust management software application to track all products. Ideally, this solution will include or be integrated with a ticketing system so that all service activities and costs are associated with all components. In the IT realm, ITIL and Service Desk programs provide the inventory and tracking of system components. There are some excellent solutions that are primarily intended for IT management, but can easily be adapted to physical security systems. In the Facility Management realm, there are also some great solutions to provide these activities.

Along with the management system, it is important to have up-to-date security systems documentation. If your organization has not maintained all as-built documents and device schedules in a master documentation program, it would be important to start that development as well. This may take some time and money to establish, but will provide long-term benefits for your production program. If device schedules have not been maintained, you should be able to produce configuration reports from your security systems to establish your device and assembly inventories. Some components will track as individual devices such as cameras, where assemblies will refer to multiple devices that make up a security location, such as an access controlled door. Even in an assembly, specific devices like card readers and electric locking devices will be tracked for activity and cost.

For each device, the life-cycle management system tracks warranty periods, identifies preventative maintenance schedules, reports total cost of services and helps to track repeat repairs that could identify other issues that need to be addressed. The system provides notifications to appropriate staff for all tasks and events. Device profiles are developed for each type of device and assembly to define scheduling, tracking requirements and life expectancies. As a device reaches the end of its life-expectancy, the system can help determine when the optimum replacement time is pending. Reports can provide predictable costs for budgeting purposes in upcoming years.

As a final thought on product life-cycle management, many organizations develop financial mechanisms to help manage long-term operational costs. This approach may have a variety of titles, but an escrow best describes the concept. Typically, initial purchases are made with capital funds and then those costs are divided by the number of months in the life-expectancy to identify a regular operational budget amount which is set aside for replacement costs. This program can be applied to existing products, but obviously will have a higher operational budget to compensate for the products’ history. Your IT department may already have a financial mechanism to accomplish this.

Closing

This blog series has primarily been about physical security solutions and management processes, but hopefully it has provided some insights you can use to address issues that cause risk anxiety. My primary objective has been to drive discussions and developments around the big picture of enterprise risk management. I always appreciate comments and personal experiences related to these topics. Of course, I am available to help your organization develop any of these solutions.

If you would like to review this series in sequence from the beginning, click on the Risk Management Series link at the top of the page.