Optimizing protection by focusing on internal resources

Ilya Umanskiy + Sphere State
6 min read · Jul 12, 2020

You probably hear often about how organizations invest in technologies and contractors — all in hopes of bolstering protection of their critical assets. This can be costly and may not bring about desired results. I am excited to tell you that there’s a better way: starting with your internal resources. All that’s required is a slight pivot in thinking about protection, a bit of time to determine how to best optimize internal resources, and then some persistence with execution of your plan.

1. Know Microsoft Excel?

When you have a moment, open a new spreadsheet in Excel and create a table to list:

• your assets (like people, infrastructure, buildings, hardware, information, etc.);

• their importance to your organization (operational, reputational, and financial);

• what realistic risks may affect these assets;

• who the threat actors are;

• what their modus operandi is;

• what the potential loss scenarios are (reputation, financial, operational impact).

Then, you can continue moving right on the spreadsheet to list:

• known vulnerabilities of your assets;

• desired and possible mitigation measures;

• how chosen mitigation measures help reduce or eliminate the risk and / or threat;

• what internal resources can be used to facilitate mitigation;

• implementation timeline;

• person responsible;

• completion date; and

• a field for relevant notes.

There. No degree in rocket science required. And even if you’re wrong in your assessment (or in any of its elements), having this table will help you engage with those who could help you re-assess and correct some of your mistakes. Either way, this table, when maintained and updated consistently, will put you ahead of the pack. It will help you focus and prioritize your attention relative to the criticality levels of your individual assets. It will also help you develop relevant policies and procedures.

2. Zoning your facility

Nobody knows your facility better than those who run it day in and day out. This group of people knows your site boundaries, typical exterior pedestrian and vehicle traffic, perimeter entrances, interior secondary entrances, and further functional and physical compartmentalization. Once you complete your asset inventory (however basic), it will be relatively easy for your in-house team to organize certain zones of your facility (both exterior and interior) relative to the assets and their criticality levels. For example, if groups of children are your critical asset, you can trace on a facility plan where this “asset” is present at different times during the day. Then, it will also be simpler to determine what layers you can create around specific critical assets. In the case of fixed assets (e.g., a back-up generator), the same layering principle applies.

You can always follow the rule of having at least two (2) physical layers (walls with lockable doors) around each critical asset. The best scenario is to have a minimum of two (2) physical and one (1) operational and / or technological (security staff and / or security systems) layer. The purpose of each layer is to deter, detect, and delay any threat. Let’s look at an example:

- You arrive at a parking lot of your institution with an objective to reach the room which houses the back-up generator. Your first protection layer may be in the way your parking lot is enclosed. It may be protected with various combinations of fences, gates and movable barriers, automated access control and video surveillance, as well as posted and roving security staff. Yet, in some cases, the parking lot may have no physical enclosure or monitoring technologies. Then, your first protection layer would be the building’s perimeter and its entrances, in particular.

- The second physical protection layer may be a wall and door separating your reception area from internal spaces. In addition to physical separation there could also be automated access control and video surveillance installed in the reception area. In some cases, this separation does not exist and the next protection layer will be the walls and doors enclosing the generator.

If you spend the time zoning your facility relative to assets and their criticality levels, it will be easy to determine whether you have enough physical, technological, and operational layers around your assets and where you require improvements.
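The asset table from section 1 and the layering rule above can be checked together. The following is an added example, not part of the original article: it flags assets that fall short of two physical layers plus one operational or technological layer, most critical first. The 1 to 5 criticality scale, the layer labels, and every sample row are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MIN_PHYSICAL = 2  # walls with lockable doors around each critical asset
MIN_OTHER = 1     # operational and/or technological layer (best scenario)

@dataclass
class Asset:
    name: str
    criticality: int                            # assumed scale: 1 (low) to 5 (high)
    layers: list = field(default_factory=list)  # (kind, description) pairs

def layer_gaps(asset):
    """Return how many layers of each kind the asset is missing."""
    physical = sum(1 for kind, _ in asset.layers if kind == "physical")
    other = sum(1 for kind, _ in asset.layers
                if kind in ("operational", "technological"))
    gaps = {}
    if physical < MIN_PHYSICAL:
        gaps["physical"] = MIN_PHYSICAL - physical
    if other < MIN_OTHER:
        gaps["operational/technological"] = MIN_OTHER - other
    return gaps

def review(register):
    """List (name, criticality, gaps) for assets with gaps, most critical first."""
    flagged = [(a.name, a.criticality, layer_gaps(a)) for a in register]
    flagged = [row for row in flagged if row[2]]
    return sorted(flagged, key=lambda row: -row[1])

# Constructed sample register for a hypothetical site.
REGISTER = [
    Asset("Back-up generator", 5, [
        ("physical", "generator room walls and locked door"),
    ]),
    Asset("Server closet", 4, [
        ("physical", "building perimeter entrances"),
        ("physical", "closet door with lock"),
        ("technological", "door alarm routed to security staff phones"),
    ]),
    Asset("Reception laptops", 2, [
        ("physical", "building perimeter entrances"),
        ("operational", "receptionist on duty"),
    ]),
]

if __name__ == "__main__":
    for name, crit, gaps in review(REGISTER):
        print(f"[criticality {crit}] {name}: missing {gaps}")
```

The same rows can be exported from the spreadsheet as CSV and loaded into `Asset` objects, so the check is re-run whenever the table is updated.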

It is quite understandable that dedicated staff cannot be placed at every perimeter and interior entrance, and new walls and doors are also challenging and expensive to install. But knowing where you have gaps in protection layers can help you determine how to make small but meaningful and often zero-cost changes to your operations, technologies, and physical environment in order to achieve better protection. For example, many buildings today have electronic alarm sensors installed at least on perimeter openings (doors and windows). Therefore, instead of adding staff at various perimeter entrances, signals from alarm sensors could be routed to existing security staff locations and even to mobile devices. The assumption here is that those to whom these alarms are routed actually understand how to monitor them and respond to alarm events.

Furthermore, creating and placing simple but attention-grabbing signage on unstaffed perimeter entrances to preclude casual use can help reduce vulnerabilities. Adding frequent (at least weekly) multi-format training to these measures will also help solidify compliance and vigilance. One organization, for example, has introduced a safety and security talk as the first agenda item of every team meeting. In the first couple of minutes, one of the participants volunteers to describe a recent safety or security event they experienced or heard of. The team then discusses common-sense ways of avoiding and dealing with such an event.

3. Vigilance can’t be outsourced

The security industry is full of reports and statistics pointing to trusted insiders (employees and contractors) as the most frequent cause of incidents. In many cases, there is no malicious intent but simply a lack of awareness and vigilance on the part of trusted insiders. This is yet another reason for concentrating your attention on internal resources. All that is required is frequent (at least weekly) training in various formats, motivation, and leadership by example.

4. Simplify

As you contemplate how to use your internal resources for better protection, please focus on simplicity of controls and related tasks. In the case of security (asset protection) systems, make it a point to require that they be set up in a way that any task could be completed in three steps or less. When it comes to policies and procedures, move away from thick narrative to visual workflows, as they are much easier to quickly understand and follow. Here’s a simple example:

5. Blend operations and technologies

No organization has enough people to cover all required areas and control points. This is where smart use of existing technologies can add value. For example, most of today’s video surveillance systems, however basic, can be set up to monitor motion and use virtual trip-lines at user-specified time periods. All that’s required is to send relevant signals in a timely manner to the right people. As mentioned earlier in this article, these signals can be routed to mobile devices, thus eliminating the need for fixed locations and additional hardware installation.

I hope that this information will be useful as you improve your protection controls. Just follow one simple rule: look internally first and think outside of the box!

Ilya Umanskiy + Sphere State

Founder of www.spherestate.com. Helping people, systems, and processes soar above mediocrity in asset protection.