Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Facilities Security

Will the Risk of the Sequester Affect Security Budgets in 2013?

Every time the TV is on, every anchor is crying about the dreaded Sequester.

Will it have an impact on security budgets?  I have seen security budgets, especially for the facilities security departments, swing from almost unlimited budgets after 2001, to bare bones in 2009 and 2010, and thought they were trending back up for 2013.

Now, with the uncertainty about what a Sequester  actually is, (please note my use of the capital “S”), how will it affect our security departments?

Obviously, the most obvious casualty are the government contractors who’s contracts may be arbitrarily cut, and civilian managers of federal programs will see lost days and furloughs.

The trickle-down effect will probably extend to state, county and municipal governments, too.   So that means it’s even more important to start budgeting new security controls so that the most important get the funding!

One of the themes we go over in our webinar programs is how important it is to create a COST JUSTIFICATION and Return on Investment information so that you can create a business case for every control you need to improve security.

And one more thought on the Sequester – we often see an increase in crime, white collar crime and fraud when things are unsettled and people aren’t sure what’s going to happen next.

Maybe it’s a good time to do another risk assessment?  Maybe the Sequester is the next new Threat!

 

 



What Churches Need to Know About Security Risk Assessment!

the problems that churches face has changed since the 1950s.  Churches were considered “safe”, but the Sikh temple shootings in Wisconsin, shootings in Colorado Springs Churches, and the burning of black churches, have changed the security posture of churches.

Take a look at violence in churches today.  In 2008, the FBI recorded 23,547 crimes attributed to location code for “Church/ Synagogue/Temple”.  Deaths from church attacks rose 36% in 2012 according to the January 30, 2013 edition of Christianity Today.  Guns were used in nearly 60 percent of all “deadly force incidents” at churches since 1999 according to Carl Chinn who has been tracking these incidents.

Arson incidents are so widespread that the Dept. of Justice has a National Church Arson Task Force, and “Arson at churches has been a problem for a long time,” said Patrick Moreland, an executive with the Wisconsin-based Church Mutual Insurance Co., which insures 63,000 houses of worship.

No church leader, or church member wants their place of worship to become a crime scene, as the country watches it unfold on CNN.  And there’s a pro-active way to analyze a church’s security profile

And determine:

  • How Likely the Church is to have a Violence Incident
  • What Other Churches in the area are experiencing
  • What the Threat Level is in your Geographic Area
  • Exactly What Controls You Need to Add to Stay Safe

A Security Risk Assessment is a quick, easy to use model that can take streams of data and information and use these actual events to produce a simple report that can track the threat levels, and match these to potential and existing controls to see how existing controls can be implemented, what new controls need to be added, and how to do it all in a cost-effective way.

One of the key points of a security risk assessment is that it measures solutions in terms of COST-EFFECTIVENESS.  No one wants to over-spend on something and not have enough money left for a critical security element.

Out in the field, we often find that controls are not effectively implemented, or they are not 100% implemented, and if there’s even a 10% gap, it’s just like the control never existed at all.

And you don’t need to be an expert to perform a security risk assessment on your church, school, temple or summer camp.  There are new automated software applications, like Church Facilities Risk-Pro, similar to the app on your iphone, that will do the assessment for you, showing you the data you need, and even writing and formatting the reports for you.

The Control Reports become a blueprint for improving security and can become part of a 3-year plan that will protect the physical facility, the congregation, and the entire community.



A New Threat Appears – Meteor Strikes

After the meteor showers over Siberia this week, Russia put together a

Financial analysis of the damage from the meteors:

1200 injured by flying glass

             $33,000,000 in damage

4,000 building damaged

50 Acres of windows shattered

In the last twenty-five years, as the rate of climate change has increase, we have occasionally added new threats like Tsunami and ash pollution.

Now meteor showers have actually come to cause damage to companies so they are another factor to be included in risk assessments.

In evaluating threats for a risk assessment, many in the northeast would always tell me, “take out earthquakes”, we don’t have earthquakes in Virginia, Maryland, and Ohio. That changed in 2011 when the Mineral, Virginia earthquake hit during a mid-week business day.

RICHMOND, VA (WWBT) – Aug. 24, 2011. 

There was an earthquake in Central Virginia that measured 5.8 on the Richter scale centered about 5 miles south of Mineral in Louisa, depth 3.7 miles at about 1:51 p.m. The quake was centered at 38°N, 78°W.

The U.S. Geological Survey said the earthquake was centered about 38 miles northwest of Richmond, Va., about 84 miles southwest of Washington, D.C., and was felt as far north as Rhode Island and New York City. See a map of the quake from Chuck Bailey, professor of geology at the College of William and Mary.

Hospitals, government offices, dams and power generating plants,  including nuclear plants, were forced to suddenly reevaluate the long held idea that earthquakes just didn’t happen in the NorthEast.

The threat from meteor damage is the same idea.  It never happened before, but now it has happened again, if you count Tunguska as the first time.

Damage from meteor showers will now add a new category into the Threat index, even though this was the first event in my lifetime, if analyst factor in the previously known instances, such as the Tunguska Meteor Event, which did not occur thousands of years ago, like the meteor event in the Yucatan peninsula that killed off the dinosaurs, but
Tunguska occurred in 1908!   Almost in this century.

Over the next month, we’ll be looking at each different threat every week.  Sign up for my blog or access by following me on twitter at www.twitter.com/riskalert.

 



Data-Driven Security: The Best Way to Improve Security for Anything, Anywhere

How can you improve your security program?  Are we talking about a seaport?  A church?  A manufacturing facility?  A gas pipeline?  An office building?  Corporate Headquarters?   Zoo?  Hospital?  Bank?  Clinic?  City Hall?  Harbor?  Stadium?  Government Agency?

It doesn’t matter what you need to protect — if you decide it is a critical asset, it needs good, continually improving security, and
an on-going assessment program is the fastest, easiest way to get it.

If wonderful, dedicated you, (as the security pro), don’t know what’s working and what’s not, how can you improve the overall program, unless you wait for an “precipitating event”, like a THEFT, like an ASSAULT, like a FLOOD, or a HURRICANE, or a POWER LOSS, and then you immediately start working on that and making sure THAT particular disaster doesn’t happen again!
Meanwhile, everything else is slowly losing energy due to lack of constant attention.

And so let’s say you are the Super Bowl, and the power went out!  Terrible. Inexcusable.  And you’re busy getting a 2nd or 3rd backup generator to make sure THAT POWER LOSS never happens again.

This problem with this model – fixing what’s broken and ‘learning from experience’ is that it’s always a day late.  You’re always chasing after something that already happened.

Instead, you can  set up a program so that you use to continually evaluate the current condition, assess the risk, and then improve the security controls, based on THAT RISK ASSESSMENT.

Tony Robbins used to call it CANI

  • Constant And Never-ending Improvement.  You can accomplish this by setting up regular assessments and then adjusting or tweeking the security controls to adjust to the new, or more aggressive threats.
    “Regular” assessments can be monthly, quarterly, semi-annually, annually, bi-annually, whatever schedule suits you and the organization.   The idea is that by continually reassessing your last improvement,and changing the threats and risk level,
    you can create a dynamic, data-driven security program that improves the security profile dramatically, without having to
    suffer through another triggering event!
    The concept of CANI – Constant And Never-ending Improvement can breathe life into your security program, you can use it to improve your health, your fitness level, your guitar playing, your _______________________.
    You fill in the rest!

 

 



What do Benghazi and Newtown have in common? Flawed Security!

After the attack on the Benghazi mission and the tragic mass shooting at Sandy Hook Elementary, its apparent that what these two terrible incidents have in common is that security was not adequate.

In Benghazi, after the hearings and the pundits and speculation, the bottom line is that there was insufficient security.  In-place security controls were not sufficient to deter an attack, and the emergency controls were also not sufficient to recover and deal with the emergency attack.

In Newtown, at Sandy Hook Elementary, security was inadequate.  Security people often say that security is just as good as the weakest link, and despite adding new security controls, it was defeated because of the glass entry.  The shooter wasn’t allowed in so he simply broke the glass.  That slowed him up by 2 minutes, maybe. Also backup security controls were non-existent.  The shooter was observed and still there was no effective response.

There are three elements to security – DETER, DENY and RESPOND:

DETER – means to make the facility look too difficult to attack, and so the attacker thinks it’s too hard and goes away.

DENY – means that it is impossible for the attacker to get into the facility to launch an attack.

RESPOND/PROTECT means that after the attack is launched, the facility can defend itself, or to protect the individuals and/or property inside the facility.
Both Benghazi and Newtown did not deter, didn’t deny access, and didn’t have an adequate security response.

The Newtown shooting showed that this school, like many others across the country, had a false sense of security, because while some security elements were in place, the shooter easily entered the school, making the other elements irrelevant and  him to inflict mass casualties.

In both cases, the response was not adequate, it was ‘too little too late’.  And ‘too late’ means the attack can’t be stopped or contained.

The WHY is easy, because the security budget was inadequate.  These facilities did not have adequate risk assessments that could have demonstrated the critical assets contained within them.  What is more critical than classrooms of 6 year old children?  What is more critical than a State department facility with a U.S. ambassador inside?  Yet both didn’t have the protective security controls they deserved because their wasn’t enough budget for enough security.

Another element these incidents have in common is that they are both government facilities.  Yes, one was the Federal government and one was a local school district – but they both had the same problem of being short on budgets.  And when organizations are short on budgets, security is one of the first things to get their funding cut, or reduced.

Every facility needs a SECURITY risk assessment up front, how else can you allocate the funding and make sure that there is ENOUGH security in place to protect our most critical assets, our children?



Why the State Department Needs Better Threat-Risk Assessments

Obviously, the tragedy in Libya this week focused the world’s attention, not just on the bodies of our countrymen returning home, but made me wonder about the risk assessments and threat assessments that are routinely done in these extremely sensitive locations.

Unfortunately, the threat assessments tend to be more political forecasting and less about the reality of the situation on the ground.  One problem with these simple manual threat/risk assessments is that they take too long to complete.  Maybe they spend a few days looking at the physical controls, and then a week writing up a report, and much of it may rely on anecdotal incidents or reports of questionable value.

That’s why I am a believer in automating these threat/risk assessments, and in a potentially dangerous area like the whole country of Libya, they should be at least weekly, or bi-weekly, or even daily when tensions are running high.  It allows you to get a quick assessment in less than 30 minutes, and allows for quick updating, which is critical in situations like this week.

And no, I don’t believe a threat/risk assessment would necessarily PREVENT a terrible tragedy like the death of an American Ambassador, but I do think that having these updated assessments allows for safeguards to be continuously checked, measured and improved, and also may expose weaknesses that can be exploited by a terrorist group when the opportunity presents itself.

The practice of running continual assessments is not used very often, but when it is, it’s very effective because when the situation goes south, you already the blueprint of what to do right in front of you, and it allows better decision support under such stressful conditions.

The information-sharing done by different groups can be wrapped up in the risk assessment and combined, so that maybe a higher threat condition can be identified, in time to relocate, leave the country, or whatever else it takes to protect the lives of our diplomatic staff.

 



After Aurora – Where Do We Go From Here?

Having written several articles on gun violence and remembering exactly where I was after Columbine, I know that very few security professionals are interested in restricting access to firearms.

But clearly this is terrorism.  This is murder.  All the outcry about abortion, and protecting fetuses, and there’s not even a peep when 12 young people are gunned down, having done nothing to deserve such a vicious fate.

So what we are talking about is HOW TO PROTECT THE PUBLIC from acts of terrorism and murder.

Anyway this could have been prevented?

1.  Now we know he was under a psychiatrist’s care, he should have flunked the assault rifle purchase test.

2.  If the theatre had true locking back doors, and alerts when they were propped open, he could not have
come back inside with his arsenal.

3.  If the back door had cameras and was monitored, he could have been caught, or at least, the public address system could have warned the patrons in the theatre.

Since none of these things were done, a terrible tragedy took place.

I think we are safer with cameras everywhere and active, real-time monitoring of those cameras.  I’m all for controls like panic alarms (which should be as common as fire alarms), and for annual security assessments.

Maybe we can learn something.



A Terrible Day in Colorado – Terrorism by Twenty-Something

Just saw that now 71 people were shot at the Aurora, Colorado theatre, and 12 have died, including children.

This is exactly the kind of incident that I used to think would wake everyone up to the dangers of NOT doing annual security reviews, and  NOT allowing everyone on the planet to stock their attic with automatic assault rifles, and instead, we are at an intersection in the national dialogue where talking about assault rifles, OR security controls, is something people would rather ignore.

Whether it’s the hospital security administrator who thinks posting a simple “NO WEAPONS” sign is too much security, to the facilities who deny the security officers any weapons bigger than a purse-size pepper spray, they are actually ENABLING security incidents of this type.

I heard these officials in CNN saying, “It’s not terrorism”!   It certainly IS terrorism.  It’s just domestic terrorism, but it shows you how easy it would be for a terrorist to walk into the US, buy some AK-47s and walk into a regional mall, a batting cage, a mega-church, a hospital, a sports arena, and proceed to kill dozens of innocent people in just a few minutes.

With 71 shot, and 12 dead, it is more deadly than your typical IED in Afghanistan!  It’s more deadly because their is human ‘intelligence’ (and I use the word loosely) behind the attack.  Instead of a simple detenation event, the shooter can choose victims, look them in the eyes and then kill them.

This is an intentional event by someone so lost that he didn’t even put up any resistance to police.  Why should he, he’s already made his statement and now has his 15 minutes of fame.   That is 5.5 people killed or injured for each 1 minute of fame.

If you are reading this today, you should do a quick risk assessment of your organization and make sure your staff are developing situational awareness, watching and evaluating what is going on around them.  It may make the difference between life and death someday.



17-year old imposter does CPR on patient in Kissimee, FL

Security measures in place are being questioned in Kissimmee, Florida at Osceola Regional Medical Center after clerk passes as a physicians assistant!

Hospital security procedures, including staff screening practices at Osceola Regional Medical Center, are getting a second look after a 17-year-old passed himself off as a physician’s assistant and took part in several exams and procedures, including doing CPR on a patient. The Orlando Sentinel reported that hospital management is reviewing its practices to ensure a similar incident doesn’t occur. The youth was able to secure a hospital ID badge from the human resources department by claiming to need a new one because the surgical practice at which he worked had changed names. In fact, the youth was employed part time as a billing clerk at a doctor’s office. When confronted by staff, the youth said he was working undercover for the sheriff’s department, so they would be unable to check his employment records



Data-Driven Security – Using Metrics to Focus & Target Security Programs

Security programs can be dramatically improved by using a metrics-based assessment to focus them on the areas of greatest threat, and to use metrics as a management tool to keep the security program targeted on the areas that need the most attention.

Using a data-driven approach – that is, using real numbers to measure
and quantify security, always results in tangible improvements.

Management of a security program is no different than management of any other department, whether it’s human resources, cash flow, employee productiveness, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved.

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization.

Most security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs. Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Fortunately, recent improvements in security technology and in development of wider reporting of threats and vulnerabilities, allow management metrics to be applied to the management of the security program to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be implemented,  based on their return on investment.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls.

Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1.  Determining the value of the assets of the organization, including the facilities, the personnel, the security systems and the current controls.

2.  Analyzing the Threat Level, based on either internal incident reports, or industry data, including the Uniform Crime reports. 

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the local facility manager to the CEO to find out how they are implementing security in their workplace.

4. Identifying potential categories of loss, which help focus the security program on the problem areas.

5. Analyzing current Controls that are currently in place, or that could be added to protect an organization.

By gathering data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls and prioritize security controls by “bang for the buck”.

Using data-based security builds a bridge between executive management and the security professionals in the organization who now have an avenue for open communication and consideration of the role of security throughout the organization.

 

 

 




top