Category Archives: Security Model

Webinar Looks at New OSHA Workplace Violence Directive

Posted on by 0 Comments

Workplace Violent Incidents have been on the rise in several specific organizations, including hospitals, home health organizations, social workers who do in home visit, and also late-night retail stores.

On September 8, 2011, OSHA suddenly released their internal Directive on what their OSHA investigators look for when they go to an organization to investigate a Workplace Violence incident.

Whether the incident involves a domestic violence incident, like when a husband shoots his wife at work; or whether it is patient violence against the Emergency Room nurses, it is a big problem that has been increased over the last 8 years.

We have set up a special no-cost webinar to review the new directive and see what it means for employers. Join us to look at how to protect your organization and make sure your staff, and patients stay safe.

After Arizona, Does Congress Need Gun Legislation, or Just More Effective Security Risk Assessments?

Posted on by 0 Comments

The terrible shooting in Tucson this week was widely seen as a wake-up call for members of Congress who probably spent at least part of the weekend wondering if their security was enough.

 I can answer their question – it is probably NOT enough.  The morphing of politicians into celebrities (call them Pol-ebrities??) is great as long as you get lots of TV time and the cameras are flashing and the contributions are rolling in.   The downside is the same one that led to John Lennon’s death – Celebrities draw the crazies.  Now that elected officials are becoming Pol-ebrities – they are becoming targets.

With proposals rolling in from all quarters, including putting a giant Plexiglas shield around the House floor, limiting the distance a constituent can stand in relation to a congressperson or senator, and many other ideas, it is clear me that what is missing is the use of standardized Threat/Risk Assessments.

 Security is always a trade-off.  How much money to spend to protect a public servant and legislator?  Is it worth an extra $25,000 per year per person, or should it be $100,000 per person per year – or should it be a million dollars?

Ask the potential target and I guarantee they are voting for the $100,000 solution.  Ask a beleagured taxpayer and they would think maybe $5000.00.  The problem is that it is impossible for an individual to do a true cost benefit analysis and decide how much money is enough?

Enough to provide ‘adequate” and ‘reasonable’ protection. 

Enough for a ‘normal event’?  What about a high-profile event?

Can you analyze it based on the numbers of people who attend a certain event?

All these questions are about 1/15th of a security risk assessment. 

Like the Department of Homeland Security – the executive protection should move to a more quantitative, risk-based model.  Traditional executive protection checklists are no longer enough.

There are so many elements that go into a threat risk assessment of an public, or private event.  We can look at the Tucson shooting and see that if the usual checklists were used, someone might have:

Checked the crime rate around the location (which turned out not to be at all relevant.)

Checked to see if any other congressperson had ever been attacked
at a town hall meeting in the last twelve months (perhaps more relevant).

These are just a few of the many checks that would have been performed prior to the event, but whether these were done partially, completely, or not at all, they are not risk-based, instead, the classic protection model is more threat-based than risk-based, when what you need is a combination of the two.

If we can create a standardized risk-based scenario for protection of these high profile Pol-ebrities, it would include all the basic information, plus data on the number of phone threats received by that individual legislator; and also, an aggregate of threats received by all legislators.  It would include blog and web searches to see how many times a particular name was mentioned or cited in a negative way.  (And yes, finding a web site that includes a rifle target signal over your district counts).

In addition, it’s interesting to get a historical perspective to see how many government representatives have been threatened, shot, stabbed or murdered in the last five years, and to see whether that trend is increasing or decreasing.

The shooting in Tucson was a workplace violence incident by a totally deranged person who had total access to his victims.   There was no advance screening, no physical barriers, no bodyguards waiting in the wings in case something went wrong.

Many of these missing elements, along with others, can be used to create useful threat risk assessments that can be standardized,   and automatically generated for all our high profile public servants to provide much more effective security for the people who need it most.  

Instead of treating each of these violent incidents as a completely isolated event, society needs to recognize these patterns that are emerging as legislators become celebrities, and that there is an increasing acceptance of violent solutions to individual problems.  These patterns need to be watched, tracked, and applied to each individual’s protection profile to improve personal security and prevent future violent attacks.

TSA – Why pat-downs are ridiculous and after 9 years – they still can’t spell R*I*S*K management. Follow the money.

Posted on by 0 Comments

Every fifteen minutes, the media is full of images of children being patted down at the airports. The media is stirring up the porridge on this story.  But think for a moment – TSA is spending 90% of it’s budget, resources and energy on passengers who are not and will never be a threat.  And that leaves only 10% to spend on legitimate and potentially dangerous travelers.  This raises several questions.

First – why?  When the DHS espouses it’s emphasis on RISK MANAGEMENT – it’s clear that they don’t follow it.  The private company that runs the screening programs makes substantially more money by screening everyone, if they only had to screen real suspects – their income (which is over $8 Billion per year) could be cut in half!

By applying the risk management principles that are in their charter – they would be able to spare the poor traveling public and spend more time and more resources on checking and double-checking the potential terrorists. 

Most rational people can watch an airport scanner line for two hours and realize it is an enormous waste of resources for very little results and testers can routinely smuggle in knives, lighters and whatever else they want.

The inability of TSA to adopt a rational approach to airport screening – and remember – they still don’t’ screen the cargo riding on the same plane – is just lining pockets including the lobbyists who have been pushing the extra-expensive full body scanners.

The justification for this big expenditure is that is avoids the dreaded “profiling”.  We should be profiling – we should be checking people who like to visit Yemen for Easter.  We should be doing intense screening of young men between the ages of 18 and 30 who have recently traveled in or out of Pakistan.

 Here’s a partial list of who we shouldn’t waste time and resources screening:

 Children under 10
Active and Retired Military
Civilian Federal Employees
Civilian Federal Partners
Members of a ‘Preferred Traveler Program’
Individuals who opt for an intensive background check
Senior Citizens over 70

But you know what they say – Money Talks… and it’s talking to me this Thanksgiving week.

BLUES ON THE BORDER – WILL SECURITY FINALLY GET A BREAK?

Posted on by 0 Comments

Arizona finally did it.  They called DHS’s bluff, and actually DID SOMETHING about the US-Mexican border.  it has nothing to do with racial profiling and nothing to do with discrimination — it has everything to do with America’s security against terrorism.

Everyone who is so shocked, appalled and worried – shouldn’t be.   Everyone wants to prevent the next 911, they want to keep out drug traffickers….. and you cannot get that done with an open border to our south. 

I say it over and over – PLEASE QUOTE ME – you can’t have homeland security with an open border!  You can NEVER have homeland security unless you have security at the border first. This is a key risk assessment vulnerability that anyone doing a formal assessment would spot immediately. 

What good is having a checkpoint on the I-5 interstate in San Ysidro if illegals can avoid the border crossings and run right into the U.S.? 

Look at strictly as a cost issue – looking at the real numbers helps… 

  • Cost of maintaining our phony border controls   $100 Million Dollars for 2010

(from the total ICE (U.S. Immigration & Customs Enforcement) budget of  $5.7 Billion Dollars). 

  • The Drug Enforcement Agency (DEA) says that since 2005, 15% of domestic arrests are arrest of illegal aliens!
     
  • Budget for DEA to combat Drug Traffic from Mexico   – over $25 Million Dollars (just to add an additional 128 agents along the southwest border). 
     
  • The Southwest Border Initiative Virtual Fence Project – $800 Million dollars
  •  The Secure Fence Act – over $7 Billion dollars 

AND OUR BORDER is still wide open.    Federal agents trying to police the border do not have the proper support and are discouraging from killing murderous drug dealers and human trafficking mules.   

If you look even farther – take the entire budget of the Department of Homeland Security, which is  $55 Billion dollars.   This money can largely be considered as wasted, if there is no control over our border with Mexico.  

You see it all the time at companies out in rural areas – they have a chain link fence around the back of the property, but the fence has a 14 foot gap in it, and all it does is concentrate the intrusions right through the gap in the fence.  It does not deter crime, it cannot prevent theft – because the fence is not secure, there is an open gap.  

That analogy works with our borders, too.  If you wanted to get into the U.S. illegally, would you choose to drive thru the checkpoint at El Paso?  Through San Ysidro?  Fly in from Mexico City and have to show a passport?   NO – you would breach the border and just walk across someone along the thousands of miles of unsecured border. It is a no-brainer, even for a terrorist.

As a risk assessment expert, I am personally thrilled that Arizona has pushed the envelope and passed a bill that at least attempts to find a solution to our horribly expensive and totally ineffective southwest border controls.  It might galvanize enough people to actually get something done about this open border policy. 

Remember, you cannot have a secure country without securing the borders.

Building a Model for Security Governance, Risk and Compliance

Posted on by 0 Comments

I recently began to think about how to integrate security seamlessly into an organization — without having security activities and processes pigeonholed into a stovepipe like physical security (the 3 Gs, guns, guards and dogs); or in the rarified atmosphere of the IT Department.

Other business processes are already thought of as an integral part of a business.  Think personnel, finance, shipping, sales.  All basic parts of any organization, including government agencies (which are another kind of business), have these different categories but security is never mentioned as one of these basics.

Of course, my readers know that none of the other pieces would get very far without good, or even great security.  You can’t run an organization without locks on the doors.  You can’t run a network with security controls or it would just collapse into a heaping pile of spam within a few hours and become totally useless.

So if we wanted to integrate security and use the risk assessment process to do it — what are the pieces we would integrate?   One night over dinner with other security people, we started to build a security model, which could then by assessed and each category would have steps which could be combined to create THE PERFECT INTEGRATED SECURITY GOVERNANCE MODEL!!

I am open to suggestions about other aspects but here’s the list of the ones we started off with:

1.  Access Controls

2.  Accountability

3.  Budget/Fiscal Responsibility

4.  Compliance

5.  Information Technology

6.  Investigations

7.  Measurement/Evaluation

8.  Personnel Management

9.  Policies & Procedures (Ps & Ps)

10. Risk Assessment & Management

11.  Security Planning

12.  Training and Awareness

In the model I’m proposing, each of these areas could by quantified into a 5-step program with zero meaning no progress in that area, and five meaning it has been integrated into the organization as a standardized, budgeted process.

Send me an email if you’d like to see a graphic of the model.  The point of a model is to get an idea of where you are on the pathway to integration of the security model into the business process.  For example, you could find out that you doing great on access control and technology, but not so good on accountability or awareness.  Then you could put more emphasis, or resources into those deficient areas.

If you’ve ever read this blog before, you know that my mantra is, “if you can’t measure it — you can’t manage it” (quote by the late, great Dr. Peter Drucker).

While listening to talk radio people discussing the problems of AIG, I heard another great line, “Companies that are ‘to big to fail’ … are probably ‘to big to manage’.   And that’s probably right, because those companies, with tentacles out into industries all over the world, are probably ALSO TOO BIG TO MEASURE!

So having metrics applies to all these corporate processes and managing security using metrics must be an idea whose idea has come.   Often the security departments in companies are isolated from the C-level and may not be included as often as other corporate or department managers are.    This is why the breakdown occurs that leads to weakness in compliance with regulations, which can destroy the entire organization, or, if you’re a bank, can lead at a CDO (Cease and Desist
Order).

Often these twelve critical security elements are absolutely essential to the running of the organization and that is why it is important to create a management model to measure how they are working in YOUR organization!