Building Security Resilience and Developing Relationships
This book is packed with my personal experiences and research results that describe the frailty of security activity in both the private and public sectors, and the decision-making process that has shaped and continues to shape our security destiny. It focuses attention on our ability to achieve many security goals and objectives, our ability and capability to perform to expectations and standards, our need to communicate effectively with chief executives and others, and our personal desire to improve our proficiency, competency, and productivity.
But What Do Ability, Capability, and Preparedness Really Mean?
Two prominent sources answer this question: Presidential Policy Directive (PPD) 21, “Critical Infrastructure Security and Resilience,” and Homeland Security Presidential Directive (HSPD) 8, National Preparedness Guidelines.
PPD 21 describes resilience as the ability of an organization to resist, engage in, recover from, or successfully adapt to adversity or to a change in conditions. This includes preparing for, adapting to, withstanding, and recovering rapidly from disruptions, deliberate attacks, industrial mishaps and hazards, and weather-related calamities, and the return to an acceptable level of performance in an acceptable time after being affected by an event or incident.1 Resilience is a concept that applies to individual assets, systems or networks of assets, and security activities and programs. Resiliency allows the asset, network, or system to fail gracefully rather than abruptly, or in such a way as to allow the consequences of failure to be minimized. Self-healing components, systems, and networks enhance resiliency.
HSPD-8 describes resilience as the capability of an organization to maintain its functions and structure in the face of internal and external change, and to degrade gracefully when it must. Under HSPD-8 guidance, “capability” means to accomplish the mission by performing one or more critical competencies under specified conditions and to a targeted level of performance standard or expectation. For security organizations, critical competencies include the ability and capability to deter, delay, prevent, protect, detect, assess, respond to, and recover from a security or security-related event. Chapter Establishing and Maintaining Inseparable Security Competencies relates to these capabilities. HSPD-8 further explains that capability may be delivered through any combination of properly planned, organized, equipped, and trained resources that can achieve the desired outcome. Capability also refers to features, operations, or policies that serve to benefit a protective environment and that may eliminate or reduce the need for particular protective measures without jeopardizing mission goals and objectives or performance outcome.2
I often come across chief executive officers (CEOs) and security professionals who have no clue what “ability” and “capability” really mean. Sometimes it seems that no matter how often we plead our case, or what actions we take, many strong-minded executives just do not get the message. I talk more about this topic in Chapter How to Communicate with Executives and Governing Bodies. For now, it is important to know that this lack of basic knowledge is strikingly reflected in corporate security and emergency preparedness planning, in the development of policies and protocols, in training programs, and in demonstrated performance outcomes that we have observed throughout our visits to all industry sectors. There is more on these topics in Chapters Preparing for Emergencies, A User-Friendly Protocol Development Model, and A Proven Organization and Management Assessment Model.
How Do We Relate Security Goals to Business?
As a security professional, you must have a clear understanding of the organization’s culture and management’s knowledge base if you are to fully embrace the company’s strategic vision for pursuing business goals and objectives. This understanding is essential if you expect to establish, implement, maintain, and effectively monitor the effects of building security resilience (Sullivant, 2007, p. 111).
Let us briefly examine the three categories of this strategy: an understanding of the characterization of security requirements; the nurturing of business relationships, both internally between upper management and organizational divisions and externally among stockholders and governing bodies; and the nurturing of relationships with community entities that have a vested interest in the success of the company, its services, and its security performance expectations.
Key to characterization is the ability to clearly define:
• business services and security operations,
• business continuity and emergency operations,
• the rank order of assets that are critically important to the enterprise’s mission, and
• the degree of service interruption the enterprise and the security organization can sustain should an event occur before an entity can collapse.
It is essential for those individuals who have a responsibility to meet the challenges of achieving business and security goals and objectives to buy into this characterization, and to have the unconditional support of C-suite executives.3 I talk about these topics in Chapters Strategies That Create Your Life Line, The Evolving Threat Environment, The Cyber Threat Landscape, and Developing a Realistic and Useful Threat Estimate Profile.
Can We Speak Intelligently About the Threat Environment?
Concurrent with characterizing business services and security operations, you need to begin developing strategies for building security resilience. The key to this characterization is defining the possible threats, hazards, risks, and vulnerabilities that a corporation will face, including perceived and postulated threats and hazards, adversary modes of attack, threat capabilities, the likelihood of threats occurring, the potential consequences of losing assets, and solutions to these problems in terms that are meaningful and useful to executive management (Sullivant, 2007, p. 133). Key to a comprehensive threat analysis is determining the security organization’s ability and capability to perform its critical operational mission: deter, delay (or deny), prevent, protect, detect, assess, respond to, and recover from acknowledged threats. No other mission is more important for a security organization—it could determine the survivability of the corporation. I discuss these capabilities in Chapters Strategies That Create Your Life Line, The Evolving Threat Environment, The Cyber Threat Landscape, Establishing a Security Risk Management Program Is Crucial, Useful Metrics Give the Security Organization Standing, A User-Friendly Security Assessment Model, Developing a Realistic and Useful Threat Estimate Profile, and Establishing and Maintaining Inseparable Security Competencies.
Watch Out for Stumbling Blocks
Let me briefly examine some significant conditions, circumstances, and situations that repeatedly plague the ability and capability of security organizations to perform as mandated or expected. First, if you are to gain acceptance and trust from executive management as a professional security expert, you must always—in all circumstances—demonstrate leadership value to the corporation. Second, you must not only understand the business and threat environments; you must also be able to achieve workable and practical solutions to security problems that mirror the corporate image, brand, and reputation that are acceptable to executive management. Last, to survive in today’s business culture it takes resolve and strategic vision, which are really works in progress.
Experience and Knowledge Base of Senior Decision-Makers Can Cause Us to Trip
Wherever I go, chief executives proudly proclaim their security organizations are doing a good job protecting the company. These CEOs and those around them are alw...