Building a Corporate Culture of Security (eBook)

Building a Corporate Culture of Security: Strategies For Strengthening Organizational Resiliency 4
Copyright 5
Dedication 6
Contents 8
About the Author 14
Foreword 16
Preface 18
An Idea Is Born 18
What Could Possibly Make This Book Unequivocally Different? 18
This Book Is as Important as You Want It to Be 21
Anyone in a Responsible Leadership Position Can Benefit from Reading This Book 22
Features and Benefits 23
Organization and Presentation Is Important to Understand the Big Picture 23
Acknowledgments 26
1 - Introduction 30
Overview 30
Building Security Resilience and Developing Relationships 31
But What Do Ability, Capability, and Preparedness Really Mean? 31
How Do We Relate Security Goals to Business? 32
Can We Speak Intelligently About the Threat Environment? 33
Watch Out for Stumbling Blocks 33
Experience and Knowledge Base of Senior Decision-Makers Can Cause Us to Trip 33
What Do We Do with Misguided Executive Decision-Making? 35
Experience of Security Professionals 36
Vulnerability Creep-in Just Showed Up—It Wasn’t Here Before 36
Conclusion 37
2 - Strategies That Create Your Life Line 39
Overview 39
A Need Exists to Create a Set of Uniform Security Strategies 39
Part I: General Security Strategies 40
Part II: Special Security Strategies 40
Security Strategies and Guiding Principles 40
Ensure Public Safety, Public Confidence, and Services 40
Encourage and Facilitate Partnering Internally and Externally 41
Interface with Other Corporate Programs 42
Safety Program 42
Human Resources and Capital Investment 43
Business Continuity Planning 43
Capital Improvement Program 43
Use Unique Criteria Associated with Protection 44
Exploring Methods to Authenticate and Verify Personnel Identity 44
Coordinating Interoperability Standards to Ensure Compatibility of Communication Systems 44
Security Technologies and Expertise 45
Encourage and Facilitate Meaningful Information Sharing 45
Safeguard Privacy and Constitutional Freedoms 46
Security Policy 46
Security Authority, Responsibility, and Accountability 46
Conclusion 47
3 - The Many Faces of Vulnerability Creep-in 48
Overview 48
Vulnerability Creep-in Eludes Many Security Professionals 48
Strategic Security Deficiencies Top the List 50
Some Executives Have No Clue What Security Is About 50
Executives Struggle to Grasp Essential Principles of Security Planning 51
Executives Exhibit Little Knowledge of the “Duty to Care Principle” 51
The Disruptive Influence of Inexperienced Executives in Security Activities 52
Many Security Professionals Lead from Behind 53
Weak Security Managers Must Enhance Skill Sets to Match the Business Environment 53
Programmatic Security Weaknesses Rank Second Place 53
Security Units are Vulnerable to Poor Leadership and Management 54
Security Creditability and Competency Hangs in the Balance 54
High Turnover Rates Take a Toll on Historical Perspective 55
Ineffective Planning and Development Plagues Security Organizations 55
Security Planning, Policies, and Practices Lack Strategic Vision, Balance, and Purpose 56
Protocols are Poorly Constructed, Poorly Written, and Difficult to Understand 56
Security Compensatory Measures Are Not Widely Used 56
Security Design, Engineering, and Technology Application Need Improvement 57
Corporate Management Culture Influences Security Practices and Competencies 57
Human and Technology Inadequacies Rate Third Place 58
Security Force and Other Personnel Shortcomings 58
Security Technologies and Applications Hinder Security Competency 59
Security Design Development Practices are Immature 59
Equipment and Facility Shortfalls Degrade Security Capability 59
Conclusions 60
4 - The Evolving Threat Environment 62
Overview 62
Understanding the Business Environment and Its Challenges 62
Understanding the Threat Environment and Its Challenges 62
What You Should Know About Terrorist Plots 63
Additional Facts About Other Terrorist Activities (2013–2015) 64
The Threat Landscape Is Diversified and Sophisticated 65
Protecting Critical Infrastructure and Key Assets Remains a Pressing Concern 65
Biological and Chemical Threats Are a Great Concern to the United States 66
Seized ISIS Laptop Reveals Terrorist Group’s Bio Weapons Attack Plan 66
Terrorist Groups Want Chemical Weapons Capability 66
Nuclear Weapons May Go to the Highest Bidder 66
International Terrorism 67
ISIS or the Islamic State of Iraq and the Levant 67
al Qaeda 68
Cells and Sleeper Cells 68
Domestic Extremist Groups 68
The Sovereign Citizen Movement 69
Militia Groups 69
White Supremacy Groups 70
Abortion Groups 70
Animal Rights Groups 70
Environmental Groups: Case Histories 71
Transnational Criminal Organizations 71
Transnational Criminal Organization Structure 71
Radicalization Is a Growing Concern 72
The Insider Threat 72
Attack Modes Make Planning and Response a Challenge 73
Conventional Attacks Are the Preferred Method to Wreak Havoc 73
Nonconventional Attacks Are in Their Embryonic Stage 73
Vehicle Bombs 74
Train Bombs 74
Airplanes Used as Weapons of Mass Destruction 74
Piracy 75
Kidnapping 75
Small Aircraft With Explosives 75
Suicide Bombers 75
Radiological Bombs 75
Other Criminal Activity Is Also a Threat 76
Threats to Personnel Safety 76
In-house Employee Terminations 76
Insult and Emotional Trauma 77
Theft of Property 77
Stockroom and Inventory Threat 77
Competitors and Espionage 78
Vandalism and Sabotage 78
Conclusions 78
5 - The Cyber Threat Landscape 80
Overview 80
Who Is Responsible for Today’s Cyber Attacks? 81
The Cyber Threat Continues to Devastate the U.S. Economy and National Security 82
Trusted Insiders Bear Watching 84
Motivational Factors Shed Insight on Undesirable Employee Behavior 84
We Can Learn From Our Mistakes and Bad Experiences 85
State-Sponsored Cyber Attacks Create Havoc With Our Economy and National Security 85
Cyber Practices and Incident Responses Need Improvement 86
Executives, IT Security Professionals, and Employee Perceptions Are Cause for Alarm 87
Employee Dependability and Reliability Cannot Be Trusted 89
Ability to Detect and Respond to Breaches Requires Significant Improvement 90
Cyber Security Protocols Lack Clarity, Substance, and Usefulness 92
Users Say Budget, Time, Resources, and Training Are Insufficient to Thwart Cyber Threats 93
Monetary Consequences of Cyber Crime Have Reached a New High 94
Conclusions 95
Public and Private Sectors Struggle to Build Security Resilience 95
We Are Dealing with Outside Experts and Cunning Insiders, Not a JV Team 96
Our Approach Is Not Working: We Need to Change Our Strategy 96
American “Exceptionalism” Is Disappearing: We Must Take It Back 97
Human Fallacy Is Our Greatest Weakness: Let Us Do Something About It! 98
We Must Act Responsibility and Be Accountable for Our Actions 98
Only Our Willingness Stands in the Way of the Sharing of Intelligence Information 99
We Must Gain Executive Management’s Trust, Get in Front of the Issues, and Stay There 99
CEOs Face Great Challenges and Must Rise to the Occasion 99
6 - Establishing a Security Risk Management Program Is Crucial 101
Overview 101
Risk Management Measures and Evaluates Risk Exposure and the Ability to Deal With Threats 102
Purpose and Need for a Security Risk ManagementMeasurement Program 103
Identifying Security Successes and Failures Is Crucial 103
Subscribing to a Security Risk Management Program 104
A Risk Management Program Establishes Creditability 106
What Are the Fundamental Aspects of a Risk Management Program? 106
Quality Service and Performance Must Be Your NumberOne Priority 106
Developing Relationships Is a Key Condition for Successand Your Second Priority 107
Building Teams for Creative Thinking and AchievementIs Priority Three 107
Continuously Improving Performance Is Priority Four 107
When to Measure and Evaluate Performance 108
A Risk Management Program Is Key to Performance Success 109
Executives Need Compelling and Persuasive Information to Make Sound Business Decisions 109
Conclusions 110
Appendix A: Risk Management andArchitecture Platform 111
Frameworks 111
Measurement 111
Evaluation 111
Relationship Between Measurement and Evaluation 111
Architecture Platform 111
Performance Analysis 112
Risk Analysis 113
Diagnostic Analysis 113
Evaluation Tools Mostly Used Within Security Organizations12 114
The Physical Security Assessment 114
The Cyber Security Assessment 115
The Security System Technical Assessment 115
The Technical Surveillance Countermeasures Inspection Review 116
The Organization and Management Review 117
The Inspection Review 117
The Compliance Audit 117
The Special Study 118
Quality Assurance: Zero Defects 118
7 - Useful Metrics Give the Security Organization Standing 119
Overview 119
Risk-based Metrics Are Often Underestimated 120
Setting the Metric Framework and Architecture Foundation 121
Well-Designed Risk-based Metrics Resonate with CEOs 121
Theory of Probability 122
Probability of Occurrence (Pa) Criteria 122
Business Consequence Analysis Criteria 126
Benefits of Using Risk-based Metrics 127
Conclusion 128
A Historical Perspective 128
Useful Metrics Span a Wide Area of Interest 128
Balancing Business Innovations and Risk Exposure 128
Align Security Goals with Company Goals 129
Metric Creditability 129
Measurement Provides Feedback 129
Closing Thoughts 129
Appendix A: Metric Framework and Architecture Platform 130
Scientific Merit or Value 130
Reliability 130
Validity 130
Generalizability Theory 130
Strategic Relevance 130
Organizational Relevance 130
Communication 131
Return on Investment 131
Operational Reasonableness 132
Manipulation 132
Timeliness 132
Cost 132
8 - A User-Friendly Security Assessment Model 133
Overview 133
A Reliable Security Assessment Model That Resonates with C-Suite Executives 134
Why Security Assessments Should Be Important to You 134
How to Effectively Use the Model 136
Measuring and Evaluating Performance Effectiveness 137
Security Analysis Framework 137
Theory of Performance Effectiveness 137
PE1: Existing Effectiveness 138
PE2: Proposed Effectiveness 138
The Benefits Management Enjoys from Using a Risk-Based Model 140
Conclusions 141
9 - Developing a Realistic and Useful Threat Estimate Profile 142
Overview 142
Providing Meaningful Strategic Threat Advice to Executive Management Is Essential 142
Threat Planning Relies on the Development of a Useful Threat Estimate Profile 143
Suggested Composition of a Threat Estimate Profile 146
The National Threat Assessment 146
The Regional/Corporate Threat Assessment 146
The Local/Site-Specific Threat Assessment 146
Identifying the Range of Potential Threats and Hazards Is a Critical Planning Process 147
Consequence Analysis and Probability of Occurrence for Threats and Hazards 149
Benefits of Having a Threat Estimate Profile 149
Conclusions 150
Appendix A 151
Appendix B 153
10 - Establishing and Maintaining Inseparable Security Competencies 157
Overview 157
Are Your Security Competencies a Top Priority? 157
Deterrence Is Mostly an Intangible Strategy 159
Delay Channels the Population 159
Prevention 161
Protection 161
Detection 162
Assessment 162
Response 163
Recovery 163
Timely Interdependencies of Security Capabilities 163
Principle of Timely Security Deterrence Should Focus on “Curb Appeal” 164
Principle of Timely Security Delay 164
Principle of Timely Security Prevention 164
Principle of Timely Security Protection 164
Principle of Timely Security Detection 165
Principle of Timely Security Assessment 165
Event Identification 165
Tracking the Adversary and Activity 166
The Muddied Water 166
Principle of Timely Security Response 167
Principle of Timely Recovery 167
Conclusions 167
Deterrence 168
Delay 168
Prevention 168
Protection 168
Assessment 168
Response 168
Recovery 169
Closing Thoughts 169
11 - A User-Friendly Security Technology Model 170
Overview 170
A Dire Need Exists to Embrace a Technical Security Strategy 171
The Technical Security Planning Process Is Often Misunderstood and Underestimated 171
The Technical Security Analysis Provides a Road Map to Decision Making 172
Purpose of the Technical Analysis 172
Benefits Derived from the Technical Analysis 174
The Role of Security Technology Planning 174
Embracing The Challenges of New Technology Advancements 174
The Role of Security Design and Design Engineering 175
Quality Factors and Safety Features 176
What Does Integration Mean to the Security Professional? 176
Technology Application Has High-Visibility Challenges 176
Importance of a Quality System Maintenance Program 177
Maintenance Concept 177
Preventive Maintenance 177
Corrective Maintenance 177
Depot Support 178
Embracing Inspections and Tests Extends the System Life Cycle 178
Always Conduct Physical Inspections at the Start of Each Shift Change 178
Always Conduct System Diagnostic Tests at the Start of Each Shift Change 179
Always Conduct Weekly Operational Tests 179
Maintenance Performance Tests 179
Seasonal Performance Tests 180
Test Plans and Test Procedures 180
Collection and Composition of Test Data and Test Logs 180
System Failure Modes and Compensatory Measures 180
Conclusion 181
Appendix A: Selected Security Technology Deficiencies and Weaknesses 182
Background Information 182
Overview of Selected Case Histories 182
Appendix B: Sample Test Logs 184
General Information 184
Safety Information 191
12 - Preparing for Emergencies 192
Overview 192
Security Emergency Planning Is Critical to Organizational Survival 193
Planning for Prevention, Protection, Response, and Recovery 193
Security Survey Looks at Capability Through Plan Development and Training 193
Highlights of Industry Standing From a Global Perspective 194
Alert Notification Systems Serve as Triggering Mechanisms to Carry Out Security Planning Considerations 195
Planning for Security Event-Driven Response and Recovery Operations 197
Normal Security Post Instructions and Procedures 198
Event-Driven Security Response Procedures 198
Event-Driven Security Recovery Procedures 200
Strategies for Integrating and Prioritizing Security Response and Recovery Operations 202
Security Emergency Response Plan 203
The Wavering Complexities of Security Emergency Planning 203
Critical Elements of a Security Response Plan 204
Security Planning Constraints and Limitations 205
Conclusions 205
Appendix A: Case Histories: Security Emergency Planning Fallacies 207
Background Information 207
Security Emergency Planning Lacks Strategic Insight and Determination: Selected Case Histories 207
13 - A User-Friendly Protocol Development Model 209
Overview 209
Adopting a Protocol Strategy Is Crucial to Quality Performance 209
Threats Should Prioritize Security Policy 211
Managing Tension 211
Better Measurement Tools 211
Implementation Matters 211
Leveraging Lessons Learned 212
Delegating Authority, Responsibility, and Accountability 212
Need for Protocols 212
Purpose of Protocol Reviews 212
Quality Review Process for Essential Security Protocols 213
Benefits Derived from Protocol Analysis 215
Conclusions 215
Appendix A 217
Protocol Case Histories 217
Background Information 217
Overview of Selected Case Histories 217
14 - A Proven Organization and Management Assessment Model 219
Overview 219
Embracing the Mission of the Security Organization 220
A Reliable Organization and Management Assessment Model That Resonates with CEOs 222
Purpose of Measuring Organization and Management Competency 222
Measuring Security Management and Leadership Competencies 224
Benefits of an Operational and Management Audit 227
Conclusions 227
Appendix A: Case Histories – Management and Leadership 228
Background Information 228
Overview of Selected Case Histories 228
15 - Building Competencies That Count: A Training Model 230
Overview 230
Why Security Training Is Important 231
Goals and Value Are Drivers of Effective Training 232
A Reliable Training Model Resonates With Chief Executive Officers 232
Independent Research and Credence of the Model 233
Identify Job Performance Criteria 237
Identify Trained Personnel Requirements 238
Analyze Current Training Programs 238
Design the Curricula 238
Types of Security Awareness Training Programs 239
The Employee Security Awareness and Emergency Response Training Program 239
Specialized Security Training for Designated Enterprise Employees 239
Emergency Operations Center Responder Training 239
Emergency Preparedness Training 240
Cyber Security Training 240
Security Alert Status and Security Reporting Protocols 240
Contamination Detection and Surveillance 240
Executive Management Security Awareness Seminars 240
Crisis Management Training for Staff Members 240
Security Strategies and Security Planning Seminar 240
Executive Protection Seminars 241
Specialized Security Staff Training Program 241
Security Officer Training 241
Flight, Seas Coast, or River Observer Training 241
Workplace Violence Training 241
Emergency Security Response Procedure Training 241
Security System Operation, Maintenance, and Testing 242
Security System Enrollment Training 242
Special Security Event Training 242
Security Management Training 242
Security System Administration Training 242
Course Design Brings Instruction to Life 242
Classroom Instruction 243
Computerized and Programmed Instruction 243
Correspondence Study/Training Bulletins 243
Seminars 244
On-the-Job Training 244
Field Training (or Drills and Exercises) 244
Objectives and Scope of Security Field Training and Exercises 245
Planning Security Field Training and Exercises 246
Developing Security Field Training and Exercise Scenarios 246
Conducting Exercises 248
Lessons Learned 249
Professional Development Is Key for Security Planners 250
Benefits Management Enjoys by Adopting the Model 250
Conclusions 250
16 - How to Communicate with Executives and Governing Bodies 251
Overview 251
Why Would a CEO Ever Ask You for Help? 251
Why Should a Chief Executive Listen to You? 252
Speak the Language Executives and Board Members Understand, Care About, and Can Act On 253
Communicating With Executives and Board Members Is a Work in Progress 253
Use Terms Management Understands and Can Act on 254
Impressions Count 255
Appearance and Demeanor 255
Style and Body and Facial Language 255
Speech and Voice 255
Image, Brand, Reputation Credibility 256
Tips That Will Help You Get Your Message Across 256
Preparing Your Message for Delivery 256
Memorizing Is a No-No 256
Reading Too Is a No-No 257
Think Strategically 257
Strategic Thinking 257
Process Thinking 258
Risk-Based Metrics Resonate with Executives 258
Develop a Management Perspective 258
Think in Terms of Business Operations and Business Risk Exposure 259
Carve Out Recommendations in a Business Context 259
Offer Constructive Options 259
Be Trustworthy, Candid, and Professional 259
Do Others Perceive You as Trustworthy? 259
Do Others Perceive You as Being Candid in Your Dealings With Them? 261
Always Project a Positive Image in Your Business Affairs? 261
Be a Verbal Visionary 262
Use Risk-Based Metrics to Develop a Telling Story and Tailor It to the Audience 262
Operational Metrics Fail to Resonate With Executives 263
Be That Window for Tomorrow 263
Measuring Tomorrow’s Results 263
Measuring and Communicating Risk-Based Metric Results Over Time 264
Give Constructive Advice 264
Always Be Professional and Display a Positive Image 264
Select a Beneficial Approach That Resonates with Your Audience 264
Staying within Time Constraints Helps Win the Battle 265
Capturing the Attention Span of Your Audience Helps Win the War 265
Build a Solid Business Case 266
Point 1: Report the Facts 266
Point 2: Set a Course for the Future 267
Point 3: Introduce a Pathway to Achieving Your Goal 267
Point 4: Pick Your Path 267
Point 5: Identify Business Impact 267
Point 6: Close Out 268
Know When to Pull Your Parachute Cord 268
Present Program Results Regularly 269
Conclusions 270
Work Hard to Establish and Maintain Trust and Respect 270
Collaborate to Narrow the Communication Gap 270
Focus on the Ultimate Outcome 271
Making a Business Case 271
How Will You Know if You Are Successful? 271
Much Work Remains to Improve Communication with Executives 271
17 - A Brighter Tomorrow: My Thoughts 272
Overview 272
A Perspective for the Future 272
The Evolving Business and Threat Landscape 274
Business Environment 274
Threat Environment 274
Corporate Image, Brand, and Reputation Hang in the Balance 275
The Challenge of Exposing Vulnerability Creep-in 275
Security’s Weakest Link: Human Fallacies 276
Cyber Incident Response Capabilities 276
Cyber Security Threat Gains Executive Management’s Attention 277
Measuring and Evaluating Performance and Productivity 277
Prioritizing 277
Protocols and Practices 277
Security Design Performance and Program Integration 278
System Reliability, Dependability, and Availability 278
Technology and Other Protective Measures Avoid Paying in the Courtroom 279
Integrating Physical and IT Security, Business Continuity, Crisis Management, and Emergency Planning 279
Training Programs Need a Major Uplift 279
Security Emergency Plans and Response/Recovery Procedures 280
Communicating with Executives and Governing Bodies 280
Accepting Responsibility 280
Communicating and Interacting with Executives and Governing Authorities 281
Reporting the State of Security Readiness 281
Security Leadership Needs a Touch Up 281
Executive Management in the Shadows 281
Security Management Is Holding on 282
Slippage of Leadership, Foresight, and Execution of Responsibilities 282
Management Is Losing Ground on Oversight Responsibility 282
Management is Either Ignoring Issues, Covering Them Up, or Has No Clue What’s Going on 283
Management Social Behavior and Ethics Need Polishing 284
Change Management in the Wind 284
Corporate Boards Are Pressuring C-Suite Executives to Demonstrate Leadership 284
Security Directors and Managers Are Under the Gun to Produce 285
Chief Information Security Officers Are Corporate Scapegoats 285
What Does Work May Surprise You 286
Successful Security Programs Integrate People, Processes, Best Practices, Technology, Strategic Vision, and Strong Leadership 286
Integrated Security Risk Management 286
Mitigating Risks to a Company’s Image, Brand, and Reputation 286
Developing Relationships of Openness and Trust is a Key Condition for Success 286
Making a Business Case for Security Investment 287
Security Transparency 287
Characteristics of Future Security Leaders 287
My Parting Thought 288
References 290
Index 292
A 292
B 292
C 292
D 293
E 293
F 293
G 293
H 294
I 294
L 294
M 294
N 294
P 294
Q 295
R 295
S 295
T 297
U 298
V 298
W 299