Category Archives: Risk

NSA Hearings on the Hill

Posted on by 0 Comments

NSA is answering questions this morning about their mega data collection of phone call destinations, before the House Intelligence Committee.

Having worked with NSA for years, I decided to watch the hearings and hear what General Keith Alexander had to say.   Of course, I have a family history with congressional hearings.

For myself, I’m in total agreement with NSA that they should be LISTENING, COLLECTING and ANALYZING intelligence so we can know what is happening all over our complex world and be in a position to prevent catastrophic attacks by those terrorists using their religion like a free pass to kill, maim and attack.

My father died over ten years ago, but one of my favorite memories of him is that is, while he was suffering from cancer, he never missed a Congressional hearing.  He sat with a TV Tray in front of him, with a stack of monogrammed notepaper, envelopes and stamps.

As the hearings progressed (I especially remember him watching Iran-Contra), he would write to each of the congressmen and senators, telling them how he judged their questions, writing to them about mistakes he thought they made.  This was true democracy in action.  From his pen right to the powers-that-be.    And he took his responsibility in this very seriously.

I hope everyone starts watching, learning and taking their role in our democracy as seriously!  An attention-seeking junior technician is having his 5 minutes of fame, and I hope that the great work of the US intelligence community is not going to be slowed down or damaged by his thoughtless disclosures. He should start writing letters to HIS elected representatives.

 

Oklahoma Tornado, Boston Bombing, Young Soldier Killed – It’s time to do a Security Risk Assessment!

Posted on by 0 Comments

More Tornado victims will be buried this week.   Including many children who died at their schools because the school district didn’t spend the extra $3000 to have a storm cellar/safe room available.

One month ago, we watched as victims of the Boston Marathon Bombings were buried.

Yesterday, we watched an Islamic Jihadist savagely kill a  young British soldier with knives.

What other events do we have to witness before we start taking security assessments seriously?   How many more grieving parents do we have to watch crying on TV and, in my opinion, the casualities did not need to be so high and the aftermath so catastrophic.

If you group all these disasters together, you can that at the root of each one, is the feeling that, “IT CAN’T HAPPEN HERE”…..    Britain, for example, has tolerated mosques preaching hate, thinking that nothing like the knife attack could happen in civilized London.

In Moore, Oklahoma, people thought, “we already had a major tornado, so IT CAN’T HAPPEN AGAIN”!  Well, surprise – it happened again.  While forecasters cannot dictate the exact path of a tornado, they can get close, and with just fifteen minutes advance warning, there is  time to get everyone into storm cellars, safe rooms and underground shelters.  BUT IF THERE IS NO SHELTER AT A SCHOOL…….

Many obvious solutions-controls-safeguards were missed in these recent tragedies because proper, formal security risk assessments weren’t done effectively.  If they had been done, perhaps the London police could have picked up someone who touted murder and hate.

If a risk assessment had been done in Moore, OK, maybe the high risk of a tornado would have allowed the schools to all add the safe rooms they needed, and in Boston, the older brother Boston bomber, should have been in jail already for his participation in a previous murder – or at least actively monitored based on his facebook postings.

The clues are all there, and, looking backwards, you can see the pieces that SHOULD HAVE BEEN ENOUGH TO PROMOTE some kind of action to either:

        1. Eliminate the threat  or, 

              2. Reduce the severity of a potential threat in case it occurred.

Security risk assessments gather the numbers and the information organizations need to make better choices about how to protect people’s lives, facilities, and organizations.  I hope these events will prompt more Security Directors to take an objective and unbiased look at their own organizations, and the controls they have in place, before you end up on CNN!

 

The Active Shooter – What’s the Right Response? Run Out or Lock Down?

Posted on by 0 Comments

I got to sit in on a security group discussion yesterday.  It includes both security directors and local law enforcement and It was interesting to see how both groups approached the active shooter scenario differently.   Which way is the best?  Is there a best?

For law enforcement officers at both the state, city and county level, they want all doors to be unlocked so that all the occupants of a facility, or a hospital, can get out and run for safety as quickly as possible.   They say that means more people will survive, not get shot, and it works with the natural human reaction to run away from danger.

Some of the active shooter experts in the room said that active shooter situations should be treated like fire drills, because people are used to fire drills, and they know what to do, because they practice fire drills more frequently than active shooter drills.

For the Security Directors, especially of hospitals, they wanted to be able to lock down if there was an active shooter call in their facility.  They felt that there were problems in evacuating quickly, and some were concerned about leaving bed-ridden patients behind while the clinical staff run out of the building.  So they advocated locking down all doors instantly.

While the heated discussion continued for almost three hours – at the end there was no “BEST” solution.  Each Security Director or Manager will have to decide for themselves which approach is right for their organization.  The important thing is to think it through in advance, prepare people in advance, and take advantage of the great materials that are available to help organizations prepared.


Get more information including videos, training materials, on line courses and more at
http://www.dhs.gov/active-shooter-preparedness.

Benghazi Hearing Demonstrates Attack Uncovered A Fatal Lack of Coordination & Funding for Embassy Security

Posted on by 0 Comments

Just two weeks ago, we were talking about the lack of coordination between DHS agencies and known intelligence on the brothers responsible.

Now we have the Benghazi Senate hearings, and here is the same problem again – lack of coordination between different parts of the State Department, and with the Defense Department, AND with the CIA and the intelligence community.

Add to this, the appalling cuts in funding for diplomatic security, and a flawed process about what needs to be done about security and protection to our embassies around the world.

“In these tight budget times, the committee has had to make some tough choices to prioritize funding.”, said a GOP aide in The Hill article (GOP cuts to embassy security draw scrutiny), by Alexander Bolton on September 18, 2012.   In spite of the uncertainly of the Arab Spring, the demonstrations every Friday in streets from Bahrain to Tunesia, the embassies had their budgets cut.

Of course, security experts are used to this, security doesn’t directly generate revenue, and it is often one of the first functions on the chopping block.  However, to cut funding to the critical embassy functions in this volatile environment, is obviously a very bad decision on the part of the GOP.

For example, the security risk assessment which are routinely done on these embassies are not done on a systematic basis.  As a risk expert, these security risk assessments should be done WEEKLY, and they should be automated so they can instantly be compared to environments in other embassies, and comparisons made by month, by year, and trends can be tracked.

If we can’t afford to do these assessments and just as important, if we can’t afford to fix the problems that assessments reveal, then we should not have embassies in these places.

The security risk assessments that are done properly must also include complete threat assessments.  “We need to develop a paradigm for managing risk“, said Gregory Hicks, a Foreign Service Officer who testified today on Capitol Hill.

These paradigms for managing risk already exist and they have been totally ignored by the State Department, which makes it almost impossible to get a clear, unfiltered view of the security situation at any embassy, at any point in time.

At least both sides of the political aisle agree, we do not want this to happen again!  Benghazi is not a political problem, it is a massive security failure problem!

 

Tragedy at the Boston Marathon – What Went Wrong?

Posted on by 0 Comments

Looking at the CNN footage of the Boston Marathon finish line yesterday, I was struck by the shock of the bystanders and the chaos that followed the blasts.

Having just giving two seminars on security controls, I pulled out my list to see what could possibly have been done differently to prevent this devastating outcome, and there was the first word on the list ACCESS CONTROL.

After thirty years as a security expert and risk-threat analyst, I am about 85% sure that this was a lone wolf attacker who made his crude bombs to address some personal perceived problem, whether it was fear of gun legislation, spillover from the Israeli-Palestinian conflict, the Neo Con torture initiative, or something else.

Putting the attacker aside for a moment, the tragedy happened because SOMEONE WAS ABLE TO WALK RIGHT UP TO THE FINISH LINE AND PUT AT LEAST 3 BOMBS right near the finish line!   THiS IS NOT RIGHT.

There has to be SCREENING and ACCESS CONTROL PROCEDURES IN PLACE!  You can’t have security if you have open access to a major event like the Boston Marathon.  For year, security experts have cautioned that large crowds make a great target, and so events have paid lip service to this concept, without staying on the task, and making sure that SECURITY CONTROL NUMBER ONE –  ACCESS CONTROL  is ALWAYS in place.

But people don’t like access control, it’s too much trouble, they say.  They don’t like metal detectors, too expensive, too much trouble, too intrusive.  Well, it’s not as intrusive as having a major injury.   There are ways to secure these high profile sites, but the security community has to lead on this.

Yes, it is very sad and depressing that the world has come to this — but it has.  And it will happen again.  As long as security is perceived as too much trouble, too expensive, too tough to do, and too intrusive, there will be more tragic events like this one.

 

 

Wondering Which Security Controls Offer the Highest Protection for Less Money?

Posted on by 0 Comments

Security Controls can be incredibly cost effective or astronomically expensive.  And when you’re faced with a facility or a school campus, or a system that has to be secured, but you also have a budget to keep in mind – what do you do?

The simple answer is ROI – Return on Investment.  This simple calculation compares the Cost of the Proposed Control to the Protection is Provides and that creates the magic ROI Number.

Here’s an example:   A hospital near the New Jersey shore wants to create a new emergency ops center.  They have the space,
but it would cost about $250,000 to build it out.  Here’s what we look at – how often would they use an emergency ops center?

Threat data shows that they would need to use it about 3-6

Operations Center (OPS)
Operations Center (OPS)

times a year, including severe storms, thunderstorms and hurricanes.

(After Hurricane Sandy, the hospital was closed for two days because they were not able to resume service right away.  As a result, the hospital lost about $2,000,000 per day because it could not bill for any services, none could be provided.)  

So we take that lost $2,000,000 per day and say that if we could keep the facility open because we had a better operational center, we could easily save 2 days of revenue which is $4,000,000 for the 2 days, and if it cost us only $ 250,000, and saves us $ 4,000,000, that’s a Return on Investment of SIXTEEN to ONE, 16:1.

Say it saved us 3 days of revenue a year – that’s a ROI of TWENTY-FOUR to ONE, 24:1!

You can get more info by writing to me directly at caroline@riskandsecurityllc.com and requesting a webinar invitation,
or a copy of the video.

 

What do Benghazi and Newtown have in common? Flawed Security!

Posted on by 0 Comments

After the attack on the Benghazi mission and the tragic mass shooting at Sandy Hook Elementary, its apparent that what these two terrible incidents have in common is that security was not adequate.

In Benghazi, after the hearings and the pundits and speculation, the bottom line is that there was insufficient security.  In-place security controls were not sufficient to deter an attack, and the emergency controls were also not sufficient to recover and deal with the emergency attack.

In Newtown, at Sandy Hook Elementary, security was inadequate.  Security people often say that security is just as good as the weakest link, and despite adding new security controls, it was defeated because of the glass entry.  The shooter wasn’t allowed in so he simply broke the glass.  That slowed him up by 2 minutes, maybe. Also backup security controls were non-existent.  The shooter was observed and still there was no effective response.

There are three elements to security – DETER, DENY and RESPOND:

DETER – means to make the facility look too difficult to attack, and so the attacker thinks it’s too hard and goes away.

DENY – means that it is impossible for the attacker to get into the facility to launch an attack.

RESPOND/PROTECT means that after the attack is launched, the facility can defend itself, or to protect the individuals and/or property inside the facility.
Both Benghazi and Newtown did not deter, didn’t deny access, and didn’t have an adequate security response.

The Newtown shooting showed that this school, like many others across the country, had a false sense of security, because while some security elements were in place, the shooter easily entered the school, making the other elements irrelevant and  him to inflict mass casualties.

In both cases, the response was not adequate, it was ‘too little too late’.  And ‘too late’ means the attack can’t be stopped or contained.

The WHY is easy, because the security budget was inadequate.  These facilities did not have adequate risk assessments that could have demonstrated the critical assets contained within them.  What is more critical than classrooms of 6 year old children?  What is more critical than a State department facility with a U.S. ambassador inside?  Yet both didn’t have the protective security controls they deserved because their wasn’t enough budget for enough security.

Another element these incidents have in common is that they are both government facilities.  Yes, one was the Federal government and one was a local school district – but they both had the same problem of being short on budgets.  And when organizations are short on budgets, security is one of the first things to get their funding cut, or reduced.

Every facility needs a SECURITY risk assessment up front, how else can you allocate the funding and make sure that there is ENOUGH security in place to protect our most critical assets, our children?

Maybe we’re just tired of “Serious”.

Posted on by 0 Comments

After watching the Sunday political shows, every journalist asks, “Why is the media so focused on the Petraeus Investigation?”

I have a defense for this:  we’re all tired of the REALLY IMPORTANT STUFF.

After the election, which felt like it lasted over a year, and then the worry about the impending disaster of the fiscal cliff (please, don’t say “PHYSICAL CLIFF”), maybe everyone is exhausted by the urgent and important issues and would just like a good old fashioned sex scandal. And we got one!

An amusing, lightweight story, where the main players are stereotypes themselves, the attractive, social-climbing women, the glamorous jet-setting generals, who take time out of fighting terror to send out sexy emails, is a delight after all the serious reporting of the last four months.

I think we should be able to enjoy it a little, and as Mr. Bennett said in Pride & Prejudice, ” For what do we live, but to make sport for our neighbors, and laugh at them in our turn?”.   And it’s the General’s turn!

Why the State Department Needs Better Threat-Risk Assessments

Posted on by 0 Comments

Obviously, the tragedy in Libya this week focused the world’s attention, not just on the bodies of our countrymen returning home, but made me wonder about the risk assessments and threat assessments that are routinely done in these extremely sensitive locations.

Unfortunately, the threat assessments tend to be more political forecasting and less about the reality of the situation on the ground.  One problem with these simple manual threat/risk assessments is that they take too long to complete.  Maybe they spend a few days looking at the physical controls, and then a week writing up a report, and much of it may rely on anecdotal incidents or reports of questionable value.

That’s why I am a believer in automating these threat/risk assessments, and in a potentially dangerous area like the whole country of Libya, they should be at least weekly, or bi-weekly, or even daily when tensions are running high.  It allows you to get a quick assessment in less than 30 minutes, and allows for quick updating, which is critical in situations like this week.

And no, I don’t believe a threat/risk assessment would necessarily PREVENT a terrible tragedy like the death of an American Ambassador, but I do think that having these updated assessments allows for safeguards to be continuously checked, measured and improved, and also may expose weaknesses that can be exploited by a terrorist group when the opportunity presents itself.

The practice of running continual assessments is not used very often, but when it is, it’s very effective because when the situation goes south, you already the blueprint of what to do right in front of you, and it allows better decision support under such stressful conditions.

The information-sharing done by different groups can be wrapped up in the risk assessment and combined, so that maybe a higher threat condition can be identified, in time to relocate, leave the country, or whatever else it takes to protect the lives of our diplomatic staff.

 

A Terrible Day in Colorado – Terrorism by Twenty-Something

Posted on by 0 Comments

Just saw that now 71 people were shot at the Aurora, Colorado theatre, and 12 have died, including children.

This is exactly the kind of incident that I used to think would wake everyone up to the dangers of NOT doing annual security reviews, and  NOT allowing everyone on the planet to stock their attic with automatic assault rifles, and instead, we are at an intersection in the national dialogue where talking about assault rifles, OR security controls, is something people would rather ignore.

Whether it’s the hospital security administrator who thinks posting a simple “NO WEAPONS” sign is too much security, to the facilities who deny the security officers any weapons bigger than a purse-size pepper spray, they are actually ENABLING security incidents of this type.

I heard these officials in CNN saying, “It’s not terrorism”!   It certainly IS terrorism.  It’s just domestic terrorism, but it shows you how easy it would be for a terrorist to walk into the US, buy some AK-47s and walk into a regional mall, a batting cage, a mega-church, a hospital, a sports arena, and proceed to kill dozens of innocent people in just a few minutes.

With 71 shot, and 12 dead, it is more deadly than your typical IED in Afghanistan!  It’s more deadly because their is human ‘intelligence’ (and I use the word loosely) behind the attack.  Instead of a simple detenation event, the shooter can choose victims, look them in the eyes and then kill them.

This is an intentional event by someone so lost that he didn’t even put up any resistance to police.  Why should he, he’s already made his statement and now has his 15 minutes of fame.   That is 5.5 people killed or injured for each 1 minute of fame.

If you are reading this today, you should do a quick risk assessment of your organization and make sure your staff are developing situational awareness, watching and evaluating what is going on around them.  It may make the difference between life and death someday.