WHY PERFORM A SECURITY ASSESSMENT?
Security is About Minimizing Risk
It’s not a question of “if” but a matter of “when, where, and how.” Forget the conviction that it will not happen at your company, on your watch.
The security assessment should produce a professional, candid, inde- pendent, and objective analysis of enterprise security vulnerability to measure the effectiveness of existing protective measures, evaluate the current status of the security program, and identify gaps in the security process.
41
48 STRATEGIES FOR PROTECTING CRITICAL INFRASTRUCTURE ASSETS
A comprehensive, thorough, and useful security assessment helps exec- utive management determine means and ways to increase the capability and effectiveness of the enterprise to prevent the damage or destruction of its assets and resources or the disruption of operations. It identifies organ- ization or agency strengths and weaknesses and presents recommended mitigation actions to reduce or illuminate security vulnerability. While a desirable goal of the security assessment is to achieve a perfect and absolute risk-free environment, the reality is that this is unattainable, and executive management and stakeholders must agree on what is or is not an acceptable risk.
A comprehensive and thorough assessment not only enables decisive near-term action but guides the rational long-term investment of effort and resources. For example, a comprehensive assessment can help determine whether to invest in permanent, physical “hardening of an asset” or in maintaining a reserve of personnel and equipment that can meet a tempo- rary “surge”-protection requirement during periods of heightened security.
The security assessment identifies specific initiatives to drive protec- tion priorities. More importantly, it establishes a foundation for building and fostering a cooperative environment in which all elements of an enter- prise can carry out their respective protection responsibilities more effec- tively and efficiently.
The definition of what constituted adequate security changed on September 1 1, 200 1, and so did the definition and makeup of a security assessment. History has a tendency of repeating itself, and one of the ben- efits of a well-designed and -executed security assessment is to offer a
“lessons-learned strategy” to bridge the past to the present and hopehlly the present to the future.
For example, in reviewing cases dating back three decades, the sea- soned security consultant and security analyst can show that corporate America has often based its security strategy on “work politics,” on an incorrect understanding of the threat, and on the misapplication of adopted protective measures. The results of these efforts more often than not have led to a false sense of security and expensive liability suits. Until recently enterprises have conducted security assessments with little thought or adequate emergency preparedness for meeting the current dynamic threat environment.
Today the adversary is highly skilled, raising the bar of vulnerability to new heights. In today’s corporate world security threats are so diverse that they pose one of the most serious challenges facing executive man- agement, making the corporate security organization a dynamic entity
THE SECURITY ASSESSMENT: WHAT, WHY, AND WHEN 49
constantly responding to changing priorities and competitive demands.
Traditional law-enforcement investigating techniques have served America well in the past, but they do not work adequately in today’s threat environment. As a nation we have made significant advancements to meet the changing threat. As such, the conduct of security assessments must also take on a new, dynamic structure and meaning. No longer can we be content with focusing our security assessments strictly on cameras that seldom monitor some distant perimeter. Other operational capabili- ties are in play that cannot be ignored.
Risk concerns an event that has potential negative impact. It repre- sents the possibility that such an event will occur and adversely affect an enterprise’s activities and operations, as well as the achievement of its mission and strategic objectives. It encompasses identifying vul- nerabilities, threats, and consequences. Enterprises typically define risks as events related to terrorism, criminal activity, natural disasters, and other emergencies with a quantitative and/or qualitative measurement involving such variables as a predetermined level of financial damage or loss to property and/or potential for injury or loss of life. Ranges and lev- els of significant risk include:
Vandalism
Breaking and entering Robbery
Employee theft Workplace violence Arson
Loss of intellectual property
Insider financial fraud and deception Ethical breaches
Disruption of business operations Natural disaster
Tampering with or destroying equipment
The diffused nature of international and domestic terrorism in its var- ious disguises
Corporate America faces new challenges posed by the unexpected, such as fears of a new terrorist attack, a new outbreak of anthrax, the use of ricin or sarin, water contamination, and the impact of other unpredictable
50 STRATEGIES FOR PROTECTING CRITICAL INFRASTRUCTURE ASSETS
events. The vulnerability of America’s critical infrastructure never has been greater or more complex than it is today, and the risks are high.
Without a doubt, traditional crime pales in comparison to the devastating cultural, emotional, and financial effects of terrorist attacks. But these criminal activities have also had great influence on corporate executives, ensuring that preventable foreseeable events don’t wreak havoc on busi- ness goals and objectives.
The risk of vulnerability in a changing environment will continue to increase. No two enterprises are the same, and neither are their secu- rity requirements. While the range and level of risk may differ from one critical infrastructure sector to another, from one enterprise to another and between industry and government, the need for prudent and responsible action remains the same distinct challenge. Concluding thorough and comprehensive security assessments translates threat information into protective measures.
These threats are rupturing the very fiber of the American economy.
They are eroding consumer confidence. For instance, the short-term con- sequences of the 9/11 horrendous loss of life, destruction of property, and apprehension in the stock market are well documented. According to a report issued by Congress’s Joint Economic Committee, several studies have attempted to put a price tag on it. The immediate loss of “human and nonhuman capital” has been estimated at $20 to $60 billion. Short-term lost economic output has been estimated at $47 billion, with another $1.7 trillion in lost stock-market wealth. The long-term costs of 9/11 are incon- clusive, with no realistic forecast. The full costs of terrorism including the effects of biological, chemical, or even cyber attacks are almost impossi- ble to estimate.
As these threats continue and new threats emerge, vulnerabilities in the changing infrastructure environment will continue to increase. No doubt, expenditures to combat terrorism across national critical infrastructure assets will continue to divert more funds from other activities.
Conservative analysts place the cost at $400 billion annually. Corporate profits are threatened, and no doubt terrorism will continue to take its toll.
The Changing Threat Environment
Since the beginning of the 20th century, terrorism has migrated in both scope and scale, drawing its strength from continuous media coverage and silent supporters. The more familiar form of terrorism first appeared on
THE SECURITY ASSESSMENT: WHAT, WHY, AND WHEN 51
July 22, 1968, when the Popular Front for the Liberation of Palestine undertook the first terrorist hijacking of a commercial airplane. Since then terrorism has taken on many faces-among them international terrorism, domestic terrorism, and independent crusaders with a particular cause.
Terrorism has impacted governments, industries, and private citizens. It has destroyed, damaged, and disrupted:
Government and commercial facilities and operations Oil pipelines and production capabilities
Aircraft and sea vessels including air and maritime operations Olympic Games and other events
Railroads and mass-transportation systems Telecommunications and transmission lines Construction projects
Private property
Corporate America is Adjusting to the Changing Threat Environment
The attacks on the World Trade Center and the Pentagon on September 1 1, 2001, and the subsequent anthrax mail attacks have been viewed as the single most defining moment in the world of corporate security. American business CEOs now face challenges more difficult than organized crime and other traditional criminal elements. There are over 130 major extrem- ist groups and terrorist organizations that oppose America in some way.
Their new target is corporate America.
Conducting security assessments makes increasing sense. Western nations are awakening to new and emerging dangers potentially involving the world’s most destructive weapons.
The knowledge, technology, and materials needed to build weapons of mass destruction are increasingly available all over the world. These capabilities have never been more accessible than now. Terrorists may conceivably steal weapons of mass destruction, weapons-usable fissile materials, or related technology from states with such capabilities, create them with their own resources, or obtain them through connections.
Several state sponsors of terrorism already possess or are working to develop weapons of mass destruction and could provide materials or
52 STRATEGIES FOR PROTECTING CRITICAL INFRASTRUCTURE ASSETS
technical support to terrorist groups. Once terrorist groups acquire these weapons and the means to deliver them, the potential consequences could be more devastating than any attack suffered to date. Evaluating potential security risks to workers and the public posed by uncontrolled release of and exposure to toxic or hazardous substances; release of biological, chemical, or radiological weapons; or interruption of drinking-water sup- plies enhances safety and public-health protection. A comprehensive security assessment helps determine whether to invest in permanent physical hardening, the isolation of facilities, or other preventive and pro- tective measures.
Enterprise fraud, waste, and abuse committed by corporate senior executives also has become a national investigative priority. The pas- sage and implementation of the Sarbanes-Oxley Act of 2002 set into motion corporate governance functions and strict auditing procedures including adding a more complicated layer of a diverse array of responsi- bilities. Such investigations and audits have prompted an increase in forensic-accounting services, and auditors must now take on a broader scope of responsibility respective to the insider fraud threat. It makes good sense to be diligent, including identifying vulnerabilities against profit loss, corruption, and other white-collar crimes.
A solid business case exists to conduct enterprise-continuance assessments. While most enterprises are not direct targets of terrorist attacks, the greatest threat to many involves collateral damage brought about by a nearby attack involving conventional explosives against other high-risk corporate entities. The consequences of such events and their resultant effects in terms of human injury or death are dire. The partial or total destruction of facilities, the shutdown of operations and loss of enter- prise leadership, the disruption of vehicular traffic and mass transporta- tion, the demand on lost utilities, the availability of emergency-services responders, and the closure of streets and establishment of security corri- dors around a large area would directly affect enterprise operations for an indefinite period. The demand on emergency-service responders to work in harm’s way would also impact the community.
Continuance planning increases a corporation’s probability of survival.
It represents the wise choice among many costly alternatives to guide the long-term investment of effort and resources. Building on the efforts of the security assessment, its results provide direction to enhance the enter- prise. In this respect, the security assessment belongs and applies to the total enterprise, not just to the security organization.
THE SECURITY ASSESSMENT: WHAT, WHY, AND WHEN 53
WHAT IS THE SCOPE OF A SECURITY ASSESSMENT?
The scope of a security assessment is usually determined by the statement of work issued by the enterprise. Most security assessments are limited in nature for a variety of reasons. For instance, investigative work may already have been performed by the client or another consultant and per- ceived to be adequate. Budget and time constraints often control the assessment as well.
The security assessment evaluates in-place protective measures for detection, deterrence, delay, assessment, and response to identify threats and security operational and physical vulnerabilities and to offer solutions to increase the security capabilities and effectiveness of the cor- poration to combat terrorism and prepare for other potential emergencies.
WHEN SHOULD A SECURITY ASSESSMENT BE PERFORMED?
The security assessment is not a one-time task. It must be performed periodically in order to remain relevant to changes in business objectives and operational processes, technological advances, modifications to facilities, the construction of new structures, or the relocation of opera- tions. A security assessment should also be performed when threat con- ditions and circumstances significantly change, emerging threats present a clear and present danger, and after a major terrorist attack, natural dis- aster, or other emergency.
WHICH SECURITY ASSESSMENT MODEL IS BEST?
Numerous security-assessment models exist, which provide a foundation for selecting and implementing actions to reduce the risk associated with current or anticipated threats. The best models are those that focus on per- formance-based results. James F. Broder, CPP, security consultant, lecturer, and author of Risk Analysis and the Security Survey, suggests that the suc- cess and creditability of a security assessment depend on four factors:
What is it that needs to be done?
What is the performance capability or expectation for accomplishing the security mission?
54 STRATEGIES FOR PROTECTING CRITICAL INFRASTRUCTURE ASSETS
What performance-based evaluation criteria are used to measure that How strongly does senior management support and approve of secu- level of performance?
rity at the outset?
Other elements indispensable to a successful security assessment include the following:
A user-friendly process that enables the enterprise staff to understand its structure and process without special knowledge of security ana- lytical skills.
A methodology that encourages the management staff to place secu- rity high on the agenda and promote security awareness across the enterprise.
An approach that identifies the areas of greatest vulnerability to the enterprise as a whole, promotes better decision-making across divi- sional lines, and helps avoid excessive or unnecessary expenditures.
CONCLUSION
A comprehensive security assessment identifies initiatives to drive protec- tive measures. It increases the enterprise’s probability of continuance in the market place and provides a direction to prioritize management actions, and the allaction of resources and budget.
Security assessments performed on a periodic basis keep pace with changes in business objectives and practices, threat conditions and cir- cumstances, and market changes.
~~