Archive for category Consulting

Date: August 24th, 2010
Category: Consulting, Uncategorized

Physical vs. Operational Security Assessments

Does your security consultant or internal security staff assess both physical and operational aspects of the security program?  We often review prior assessments that focus solely on one or the other, usually the physical side only, but less frequently do consultants or security staff review both.

A physical security assessment typically includes a review of physical security measures (e.g. perimeter barriers, access control, fencing, etc), electronic security systems (e.g. access control, cameras, alarms, etc) and exterior lighting.  An operational security assessment, on the other hand, focuses on policies, processes, training, written and unwritten protocols and on personnel.

Most security failures occur on the operational side.  As such, operational security aspects should be included in a comprehensive security assessment.

Date: June 3rd, 2010
Category: Consulting

The Value of Interviews in Security Risk Assessments

I have always been a believer in interviewing people intimate with a facility during a security assessment. People that work at the facility have a better understanding of the security problems than I do when I first walk into a new facility.

Recently, I’ve had some unique opportunities to conduct “fact-finding” missions for a couple of clients. Rather than working from a formal list of questions, the interviews were less structured and more conversational. This has proven to be a valuable method for getting to the facts.

For one of the clients, the goal of the “interviews” was to determine what the real security problems are at their facilities so a security program could be designed. For the other client, the goal was to determine how best to reduce security costs. In both cases, the conversational, unstructured interview elicited significantly more facts than were expected, and likely more than would have come to light in a formal interview.

While the facts were more plentiful and the depth of understanding greater using this method, the downside is the time it takes to elicit the information. Each interview can take anywhere from 30 minutes to two hours. Structured interviews of comparable interviewees usually take 25–50% of that time. For clients and consultants alike, time is money. Understandably, some clients don’t see the value of this approach, as it takes their employees away from work for a longer period of time and ultimately they pay for both the employees’ time and the consultant’s time. Worse yet is the consultant who doesn’t dedicate the necessary time to gather the facts.

Having been exposed to the value of this method, I am now a true believer. Here are some basic guidelines for conducting this type of interview:

1. Do NOT prepare questions in advance – if you know what information you need, you’ll get there without a written list of questions

2. Let the discussion evolve rather than forcing it

3. Build rapport early – find something common with the other person before hammering out questions

4. If possible, try not to take notes, type on a laptop, or use tape recorders

5. Validate the interview – once you finish the interview, type the interview notes and send them to the interviewee to verify the facts and make changes as necessary

6. Take your time

Try this method once and let me know how it works out for you.

Date: May 3rd, 2010
Category: Consulting

Threat, vulnerability, risk – commonly mixed up terms

What are the most commonly mixed up security terms? Threat, vulnerability, and risk.

While it might be unreasonable to expect those outside the security industry to understand the differences, more often than not, many in the business use these terms incorrectly or interchangeably. Maybe some definitions (from Strategic Security Management) might help.

Asset – People, property, and information.  People may include employees and customers along with other invited persons such as contractors or guests.  Property assets consist of both tangible and intangible items that can be assigned a value.  Intangible assets include reputation and proprietary information.  Information may include databases, software code, critical company records, and many other intangible items.

An asset is what we’re trying to protect.

Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.

A threat is what we’re trying to protect against.

Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.

A vulnerability is a weakness or gap in our protection efforts.

Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.

Risk is the intersection of assets, threats, and vulnerabilities.

Why is it important to understand the difference between these terms? If you don’t understand the difference, you’ll never understand the true risk to assets.  You see, when conducting a risk assessment, the formula used to determine risk is:

A + T + V = R

That is, Asset + Threat + Vulnerability = Risk.

Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little/no risk.

Accurately assessing threats and identifying vulnerabilities is critical to understanding the risk to assets.  Understanding the difference between threats, vulnerabilities, and risk is the first step.
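The statement above that a threat with no vulnerability, or a vulnerability with no threat, yields little or no risk can be expressed as a simple risk-register model: an entry is recorded only where a threat and a vulnerability meet on the same asset. The following Python is an added illustration of that intersection rule, not code from the original post or from Threat Analysis Group. The assets, threats, vulnerabilities and the notion of a threat “tactic” that a vulnerability is exposed to are all constructed for the example; the threat kinds (actual, conceptual, inherent) follow the taxonomy used in the April 9th post in this archive.

```python
"""Risk as the intersection of assets, threats and vulnerabilities.

Added example (not part of the original post). A (threat, vulnerability)
pair is recorded as a risk only when both sit on the same asset and the
vulnerability is one that the threat's tactic can exploit. All names and
the 'tactic' field are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    kind: str      # "actual", "conceptual" or "inherent" (post's taxonomy)
    tactic: str    # assumed: how the threat reaches the asset


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exploited_by: frozenset   # assumed: tactics that can exploit this gap


@dataclass
class Asset:
    name: str
    threats: list = field(default_factory=list)
    vulnerabilities: list = field(default_factory=list)


def risks_for(asset):
    """Return the (threat, vulnerability) pairs that intersect on this asset.

    A threat with no matching vulnerability, or a vulnerability with no
    threat, produces no entry: that is the post's 'little/no risk' case.
    """
    found = []
    for threat in asset.threats:
        for vuln in asset.vulnerabilities:
            if threat.tactic in vuln.exploited_by:
                found.append((threat.name, vuln.name))
    return found


def build_register(assets):
    """Map each asset name to its list of identified risks."""
    return {asset.name: risks_for(asset) for asset in assets}


# Constructed sample data: three assets in different states.
SAMPLE_ASSETS = [
    # Threats AND exploitable vulnerabilities present: risk exists.
    Asset(
        "server room",
        threats=[
            Threat("after-hours intrusion (incident history)", "actual", "physical_entry"),
            Threat("remote compromise", "conceptual", "remote_network"),
        ],
        vulnerabilities=[
            Vulnerability("door propped open during deliveries", frozenset({"physical_entry"})),
            Vulnerability("no visitor sign-in at entrance", frozenset({"physical_entry"})),
        ],
    ),
    # Threat present, but no vulnerability for it to exploit: no risk entry.
    Asset(
        "parking lot",
        threats=[Threat("vehicle burglary in the area", "conceptual", "physical_entry")],
        vulnerabilities=[],
    ),
    # Vulnerability present, but no threat on this asset: no risk entry.
    Asset(
        "records archive",
        threats=[],
        vulnerabilities=[Vulnerability("cabinet left unlocked", frozenset({"physical_entry"}))],
    ),
]


if __name__ == "__main__":
    for name, risks in build_register(SAMPLE_ASSETS).items():
        print(f"{name}: {len(risks)} risk(s)")
        for threat_name, vuln_name in risks:
            print(f"  {threat_name} -> {vuln_name}")
```

In the sample register only the server room produces risk entries: the remote-compromise threat is listed but has no matching vulnerability, so it contributes nothing, and the parking lot and records archive each lack one of the three components entirely. That is the point of the post: counting threats or counting vulnerabilities in isolation says nothing about risk until you check where they meet on an asset.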



Date: April 9th, 2010
Category: Consulting

What types of threats should you be looking at?

From a security perspective, a threat is an act or condition that seeks to obtain, damage, or destroy an asset. Threats can be divided into three types: actual, conceptual, and inherent.

Actual threats are the crime and security incident history against an asset or at a facility which houses the assets. Actual threats are a quantitative element of a threat assessment.

Conceptual threats, on the other hand, exist by virtue of vulnerabilities around the asset or weaknesses in the security program which produce opportunities for crime to occur. Alternatively, conceptual threats may be identified based on crimes occurring in the area or against similar assets. Conceptual threats are a qualitative element of a threat assessment.

Examples of conceptual threats are…

1. assaults in dark, isolated areas of a college campus

2. burglaries of motor vehicles in unsecured mall parking lots

3. viruses on computers connected to the internet without anti-virus software, firewalls, etc.

Inherent Threats, in contrast, are threats which exist by virtue of the nature or characteristics of the assets in need of protection. In other words, the asset is a crime magnet or prone to loss, damage or destruction. Inherent threats are also a qualitative element of a threat assessment.

Examples of inherent threats are…

1. theft of jewelry

2. assaults in bars and nightclubs

3. hacking of a financial institution’s network to obtain customer information such as account numbers

Hopefully, this short primer is of value the next time you’re reviewing a security program. When assessing the threats to assets, it is important to consider all three types of threats.

Date: March 17th, 2010
Category: Consulting, Healthcare Security

Designing Security in Hospitals

You’re a very busy hospital security manager.  At 2 pm on one of your normal busy days, you receive a call from a man saying he represents a security consulting firm.  He explains that one of the company’s specialties is technical expertise in electronic security design.  He asks if you have any upcoming projects or concerns and if you would like to meet with a company representative.  Why should you not just politely say no and end the call?  What could this firm do for you that you cannot do yourself?  After all, you understand how to perform a risk assessment, have your hard-earned certifications, and no one is more familiar with the electronic security needs of your facility than you are.  While this may be true, the use of a security design consultant can be an extremely valuable tool to help you do your job.

While security management consultants deal with the full risk assessment and the entire security program, security design consultants deal with a specific and specialized piece of the assessment and security program, electronic security.  Therefore, while the advantages to using a security management consultant are more ‘big picture’, such as budget verification or independent review, the advantages of using a security design consultant are more specific, dealing with issues like access, visual verification, detection, deterrence, and response.  That is not to say that security design consultants do not deal with the total electronic security picture or how that fits into the overall security program.  In fact, that is exactly what they do.  In general, the services of a security design consultant fit into three categories: assessment, design and project management.

Assessment

Assessment services are the services most commonly attempted by the security manager or security department.  It is thought, correctly so, that you have the most knowledge about the overall security needs of the facility.  However, having that knowledge does not necessarily mean you know what electronic security devices are required to deal with those security needs, where they should be placed to be most effective, how much they will cost, or how they should be integrated with all of the other facets of your security program.  Let’s say you have a visitor control issue that you have identified because of certain incidents or just by your observations of your facility.  It is necessary to develop a needs assessment report outlining the type of electronic security devices that can help remedy the situation, where they should be located, how much they will cost and how they will be integrated with the rest of your security program, such as the guard force and existing monitoring capabilities.  What do you do?

Unfortunately, what is done a lot of the time is that some devices are identified to be placed in locations to deal with the perceived issue at that time.  Many times these devices are merely extensions or additions to existing access control or CCTV systems which were not designed at the time to deal with your specific issue.  It is easier and more cost effective to add to existing systems in the hope of resolving the problem rather than starting from scratch with a new approach.  You may solicit the help of your existing installation firm or even call in a new one to help you place new devices and add them to your existing system.  They may even suggest different ideas than you had to deal with your specific issue.  The problem is they are in the business of selling you equipment, not coming up with the best solution for your problem.  That is not to say they are acting unethically, just that their reason for being there is different than your objective.

Let’s say you make the correct decision and decide to evaluate the problem from scratch and figure out the exact needs of the facility.  Do you or members of your department have the specific expertise to make those decisions?  Do you have a good understanding of all the functions and capabilities available in today’s electronic security systems?  Can you evaluate every reasonable option available to determine the best fit for your needs?  Do you know how much these systems cost?  If any of your answers to these questions is no, what do you do?  You have the option of doing the best you can, which may or may not be good enough, or finding a professional who can assist you in making the correct decisions when it comes to your electronic security needs.

A security design consultant has the expertise to evaluate the security needs of your facility and determine the best electronic security options to meet those needs.  Additionally, the consultant has an understanding of how those options will integrate with all the other elements of your security program.  The consultant can determine optimal device placement, deal with regulatory and code issues with the devices (especially with access control systems) and prioritize the importance of system functions and capabilities to make sure the equipment ultimately chosen matches the security needs.  Finally, the consultant can provide realistic cost estimates so budgets can be set and no surprises come up during system procurement.  All of these evaluations and recommendations form a needs assessment report that can be used to support your claim that a security need exists and should be addressed, ultimately helping you do your job even better.

System Design

Now that you know what types of electronic security devices should go where and what their functions and capabilities should be, the necessary system needs to be designed.  Let’s say you have a complete and correct electronic security needs assessment showing all the correct device types, locations and functions.  Do you have the expertise to know which products in the marketplace are the best fit for your needs?  Do you know the correct things to look for in a product to determine if it fits your need?  Do you know what things to avoid?  Do you know how competitive the bidding would be based on those product choices?  Probably not.  This is no slight on you; the industry is just so complicated and fast changing that it would be impossible for you to keep up on all those issues and still do your job.  What do you do as the security manager handling this project?

Unfortunately, a lot of the time you call a large installation firm (if they weren’t already called in during the assessment phase) that also advertises itself as a ‘security consultant’.  If you need specifications written for the project to go out to competitive bid, they may offer to write the specifications for you.  And, to your good fortune for budget purposes, they will write the specifications for no charge.  While you may think this is a bargain, it probably will cost more money in the long run.  What typically happens is that the company will write the specifications to make it extremely difficult and sometimes impossible for any products to be used other than their proprietary ones, making them the only company able to competitively bid the project.  This creates two major problems: first, the equipment specified is more than likely not the best fit for your needs, and second, you will pay far more than you should for the installed system because it in effect becomes sole source.

What if, instead of having an installation firm write the specifications, you invite several reputable firms into your facility, explain to them exactly what you are looking for based on your needs assessment, and ask them to give you a proposal with products that will meet those needs and the associated costs?  Sound better?  While it probably is better, it is still inherently flawed.  Installation firms usually have certain manufacturers that they use the majority of the time, either because they have a comfort level with that manufacturer or because they have an actual agreement with that manufacturer to sell a certain amount of its equipment per month.  What happens is the equipment is made to fit the needs even if it is not close to the best fit or the most cost effective option.  Additionally, do you have the expertise to sift through the proposals to determine which equipment is the best fit for your needs?

A security design consultant is independent of any manufacturer or installation firm.  Their product choices are based solely on the needs of the client.  They match the product to the need rather than the need to the product.  The consultant can prepare design specifications in two specific ways: for a Request for Proposal (RFP) or Invitation to Bid (ITB).  A Request for Proposal describes in detail the system and equipment requirements as determined by the needs assessment and gives general criteria that the bidder must fulfill for their bid to be acceptable.  The installation firm will then propose equipment to meet those needs and give a cost for the installation.  The consultant will then evaluate all the proposals and make a recommendation as to which proposal best meets the needs of the client.  An Invitation to Bid actually spells out the exact equipment that will be bid.  The consultant will have already made those determinations based on expertise and industry best practices.  The installation firm merely bids a cost for what is specified.  In either case the product decisions are based solely on the needs of the facility and client rather than any other factors.

A note about using project architects to do the assessment and design work described above.  This could be a good or bad thing.  You need to ask some questions up front in order to make that determination.  Does the architect use their own independent security consultant?  If not, if they use an engineer or do it themselves, what expertise do they have in the assessment and design of electronic security systems?  Unfortunately you will find that some architects also use security installation companies to do this work for them.  While they are getting the services for free, you are being charged.  Additionally, you are getting far from the best system for your needs.  This is certainly not always the case; there are a lot of excellent architects out there that either have the proper expertise or hire that expertise.  You just need to ask the questions to make sure you are getting the best for your money.

Project Management

Once the procurement process is complete and an installation firm has been chosen to install the designed systems, someone must make sure the systems are installed per the specifications and industry best practices.   It stands to reason that the best person to provide that oversight is the person who actually wrote the specifications.  If the same firm who wrote the specifications is doing the work, that is not very reliable oversight.  In many cases you as the security manager can do this project management oversight yourself or through your department with little difficulty.  However, if the security design consultant has been involved in the project through the assessment and design phases, he is best able to evaluate the quality and thoroughness of the installation.  Also, for more complicated systems and installations, having project management performed by someone with the technical expertise to understand what to look for in the oversight process is a great advantage.

So the next time you receive that phone call at 2 pm on a busy day, perhaps you should consider hearing what they have to say.  The consultant’s job is not to upstage the security manager or in any way take away from the overall security program, but rather to enhance the capabilities of the security manager and the department in general by helping you do your job in the best manner possible.  No one is expected to know everything, but you are expected to find people with the necessary knowledge when an issue arises.  Take advantage of it.

For assistance in designing security for your hospital, please feel free to contact us.

About the author:  Brian Gouin, PSP, CSC has over 17 years of experience in the security and fire protection field, first as the owner of a security installation company and then as an independent security design consultant with Threat Analysis Group.  Brian has extensive training in system design from a vast number of manufacturers of electronic fire and security equipment.  Brian is a member of the American Society for Industrial Security, the International Association of Professional Security Consultants, the National Fire Protection Association and the National Association of Chiefs of Police.  Brian can be reached via email at bg@threatanalysis.com or via phone at (281) 494-1515.

Date: February 21st, 2010
Category: Consulting

What to look for in a security consultant

Like all professional services, security consultants are a diverse group.  Many have years of experience while others have just entered the field.  Some are specialized in specific industries or types of facilities while others are generalists.  Many consultants rely on their prior experience in law enforcement, the military, or as security managers and directors until they have developed the acumen for specific facilities and industries through their work in those areas.  Unfortunately, that prior experience may or may not be beneficial to a client’s current project.

The following questions should be answered prior to hiring a consultant:

  1. Is the consultant independent?
  2. Does the consultant have requisite experience in my industry?
  3. Is the consultant licensed?
  4. Does the consultant have any relevant certifications or credentials?
  5. Does the consultant have a track record of research and publication?
  6. Does the consultant have the business acumen to provide solid, defensible recommendations?

Independence is the single most important characteristic that a consultant must have.  Consultants that are not independent are usually affiliated with other products or services that they may recommend.  This may compromise their objectivity.  Many independent security consultants are members of the International Association of Professional Security Consultants (www.IAPSC.org).  “The primary purpose of the IAPSC is to establish and maintain the highest set of standards for professionalism and ethical conduct in the industry. Its members are independent of affiliation with any product or service they may recommend in the course of an engagement, thus ensuring that the services they render are in the best interests of the client.”  As a prominent physical security consultant succinctly puts it, an independent security consultant “matches product to need, not need to product.”

Industry specific knowledge is not needed on all projects; however, some industries are regulated or must meet other compliance standards.  Hospitals, chemical plants, and maritime ports are examples of regulated facilities.  If the scope of the project for which you are hiring a security consultant must meet those requirements, the consultant should have the requisite knowledge of such guidelines and standards.  Given the situational nature of security, a baseline level of industry specific knowledge should be a requirement.

In most states, security consultants need not be licensed.  Some states, such as Texas and Nevada, do require that security consultants be licensed.  Licensing, in and of itself, does not mean that the consultant possesses the other characteristics discussed in this article.  Check with your state’s security bureau to determine if consultants in your state must be licensed.

There are many certifications available within the security industry.  Among the most prominent are the CPP (Certified Protection Professional), the PSP (Physical Security Professional), and the CISSP (Certified Information Systems Security Professional).  The CSC (Certified Security Consultant) is the only certification for independent security consultants.  Where the CPP, PSP, and CISSP demonstrate knowledge of security management, physical security, and information security, the CSC demonstrates consulting competence and independence.

Beyond certification, other credentials may be relevant to your project, including membership in industry associations.  Most security consultants are members of ASIS International, the largest security industry association in the world.  As stated above, many independent security consultants are members of the IAPSC.  Information security consultants are often members of (ISC)2.  Security consultants that specialize in specific industries may be members of industry specific organizations, for example IAHSS for consultants who specialize in healthcare and hospitals.  Though security association membership is beneficial, many associations are simply “pay to play” in that they do not require active participation in the association.  Consultants who attend the association’s conferences and training seminars are typically more knowledgeable than those that do not.  Also, consultants who actively volunteer for association projects or serve in leadership roles may bring value to your project.

Security consultants who have a background in research are often adept at finding solutions to complex security problems and are often on the cutting edge in management techniques and security system design.  Consultants who have researched security solutions extensively will usually bring a broad perspective to your project, which affords them the ability to accurately identify the root problem, understand your needs, and develop multiple solutions to resolve the issue.  When reviewing a consultant’s résumé or curriculum vitae, research experience is often reflected as publications and speaking engagements.

After independence, the last question is probably the most important from your (the client’s) perspective.  Ultimately, you will be responsible for seeking approval of the consultant’s recommendations and implementing those that are approved.  A consultant that identifies roadblocks to implementing recommendations provides great value to the client.  A consultant that identifies alternative solutions and the costs and benefits of each alternative provides even greater value.

Finally, while there are many quantitative factors (cost, experience, education, etc.) that you should look for in a consultant, there are also qualitative traits that enhance the project and the relationship.  These traits include good project management and communication skills.  They mean that the consultant has the ability to talk to different people at various levels within your organization and the ability to successfully manage the project to its end.  Good project management skills will ensure that the project comes in on time, on budget, and with a high degree of quality.  The consultant should also be collaborative and willing to work as part of your team and with other project stakeholders.  The consultant should be adaptive, willing to adjust the project objectives as needs are refined.  The consultant should have an open mind about the project goals and should avoid preconceived notions.  To do this, the consultant must ask the right questions and avoid cookie-cutter solutions.

For assistance or more information on Threat Analysis Group, LLC, please contact us.