Leadership and Security
If you are a member of security leadership then this blog is especially for you. If you are responsible for security, but you are not part of leadership, then stay tuned, because one of your challenges will be to get leadership on board. We have dealt with some excellent people in leadership who really knew their job and took it seriously. One such person was an Air Force Colonel. He knew what he was doing. He was born and raised in the UK, had been a member of Scotland Yard, and then, for reasons I never heard, immigrated to the US and became part of the US Air Force’s Security Forces.
We have worked with a number of federal agencies for over four decades, and we are willing to bet that at any time if you approached the leadership of almost any organization, they would have declared that they are running a secure facility. But I am willing to bet that they aren’t nearly as secure as they think! Security has to be enforced and adhered to at several different levels, but it always starts and ends with the organization’s leadership.
Other leaders were just as serious about security as the US Air Force Colonel but did not have the advantage of the advanced training that the Colonel had. They wanted to do a good job. They appreciated any real help, but their staff had to be effective at stating each case where an improvement was needed, why it was needed, and how the improvement was to be accomplished.
We have worked with others that did not have any real training in security; they were there because of a “last” promotion before they retired. They were more concerned about their budgets than about preventing security breaches of any kind.
There are other mid-level leaders within a security structure that are also involved. Our familiarity is heavily tilted towards the military branches, but most of this will pertain to non-government organizations too.
Who Performs Security Functions?
Lots of people perform some amount of security functions. Organizations vary widely, especially when they are commercial companies. The sensitivity of the products or services performed will have a lot to do with the level and depth of security required. But every business that has any reason to control access at some level needs to plan how they will implement security.
In some cases, security is needed to prevent information from being extracted for an unauthorized purpose. “Unauthorized purpose” may be a euphemism for “stolen.” In other cases, it isn’t what a nefarious visitor might take away, it is what a nefarious visitor might bring into the facility. Food processors and pharmaceutical companies do not want somebody coming in and tainting their products.
We are going to describe a hypothetical company named “Acme Widget Company.” Acme builds a diversified list of products from Anvils, and Rocket-Powered Roller Skates, to Giant Kites and Rocket Sleds. Some of these products are quite dangerous and must be kept out of the wrong hands! Acme Widgets also employs many confidential processes which must be protected from unintentional disclosure.
These are some of the job functions at Acme Widget and how they relate to its security:
Director of Security – This is the person that is responsible for all security operations in the plant. He reports to the C-Level management team. If anything goes wrong, it will be the Director of Security (DoS) that must explain why security failed.
Security Team – The Security Team works for the DoS at Acme Widgets. Amongst other things, they write the procedures that must be followed when inviting non-employees into the plant. Non-employees include Contractors, Vendors, VIPs, Visitors, etc. The Security Team will also determine requirements for vetting, requirements for placing NDAs on file, COVID-19 screening, etc.
Acme Widgets uses a Visitor Management System that automates the vetting process used to determine the fitness of a non-employee to enter the facility. But in cases where a flag is raised by the automated vetting system, it is generally somebody on the Security Team that manually determines the final outcome of whether or not to permit the non-employee to enter the facility.
The Visitor Management System also ensures that the person either already has an NDA on file or will present a generic NDA for signing when the visitor arrives. The last thing that the Visitor Management System does before issuing a visitor badge is to present a series of COVID-19 specific questions that must be answered correctly.
Department Heads – It is obvious that Acme Widget’s DoS and the security team cannot be everywhere all of the time. The Acme Widget’s Department Heads are part of the security process. All prospective visitors entered into the Visitor Management System must be approved by the Department Head in charge of the department where the visit will take place.
All Employees – All Acme Widget Company employees are required to say something if they see something. For example, if an unknown person is seen within the facility that is not wearing an employee or visitor badge of some kind, the employee must notify the security team about what they have seen. A member of the security team will be dispatched to talk to the employee about what they have seen. Then the Security Team will investigate and mitigate the incident.
Different companies will have different organizational structures, but this hypothetical describes in simple terms how different people and different job functions work together to make the organization and its facility a more secure place.
So, to answer the question we started with, “Who Performs Security Functions?”: virtually everyone that is part of the overall organization. But this will only work if leadership sets the policies, follows through by routinely restating the security plan, and then states how the plan pertains to everyone. Every employee should know what is expected of them as well as who to call if something does not look right or is not according to plan.
An annual meeting about security is insufficient. A written security handbook that is distributed to the employees with the instruction to read it is insufficient. We did some work for a Fortune 100 company where the security requirements of everyone involved on the project were reviewed verbally every morning before we started to work. That is overkill in most cases (it wasn’t in this case), but enough focus on security needs to be enforced by leadership so that there is no doubt in the minds of all employees that security is seriously and strictly enforced.
The reason most people will not say something when they see something is that they are afraid that they are overreacting and that their fellow employees will think less of them. Or they do not want to get involved and expect that somebody else will. These are reasons why leadership needs to stay engaged on a routine basis. Leadership must remove any stigma about reporting something that seems out of the ordinary. Leadership must frequently restate how important it is that everyone is involved.
Physical Penetration Testing
There is an excellent article by Strahinjs Stankovic, ECSA, about Physical Security Penetration. The article was posted by PurpleSec as a blog. You may find the article here.
Physical Security Penetration has to do with testing the physical barriers. As the author states, these are methodologies that can be used to test “million-dollar physical security controls.” The author promises that by the time you have finished reading the article you will have a “better understanding of how to protect your business from a physical breach….”
Our advice is that leadership should read this article and run these tests. Leadership should then come up with a plan to remedy any issues found by the Physical Security Penetration tests.
The Great Escort Compromise
We cannot begin to tell you how many companies and government agencies that we have talked to about tightening up their internal security have claimed that they don’t need any help because they have everything covered. Upon further discussion, it turns out that “everything covered” means requiring all visitors to be escorted.
We will admit that this sounds like a good plan, but it is not as good as it sounds. First of all, junior employees are often used as the escorts. By nature, the junior employee wants to appear knowledgeable to the visitor. The escort may also think that the visitor represents a possible future employer, and it would be in the escort’s best interest to impress the visitor. Beware, a good “visitor/spy” will be able to play to the junior employee’s weaknesses. A lot of casual questions can be asked perhaps in a seemingly random order. But the answers can be reassembled into some meaningful and confidential information. This is even easier to do if the visit is over multiple days even when different escorts are used for each day. While the escort is “impressing” the visitor, the visitor is assembling a fair amount of classified information. In some cases, the visitor may already have a lot of information but may have a few holes in the facts. The escort may be the unwitting accomplice that fills in those holes.
If escorts must be used, it is better to use more senior-level employees that have been thoroughly trained on how not to answer questions posed by the visitor. If a junior-level employee must be used as an escort, make sure that they are not allowed to answer any questions other than to refer the visitor to a more senior member of the team. Also make it a policy that questions can never be answered in hallways, away from the entire team. Questions, no matter how innocuous, must be answered in the presence of the team.
Another ploy used by the visitor/spy is to try to find a reason to slip away from the team, allowing them to gain a glimpse of something that may be otherwise off-limits. Visitors that need to be escorted should be escorted everywhere until they leave the building. If the visitor wants to make a quick solo stop at a break room or a solo trip to a restroom, do not let them. Always escort them everywhere until they leave the building.
One more ploy used by visitors/spies comes at the point where they are initially vetted before being allowed to enter a facility. Hypothetically, let’s say you are expecting a visit from an organization, especially a foreign organization, that has submitted the identities of the five (5) people who are expected to visit. Everyone has passed vetting. They are good to enter. But at the last minute, there is a substitution for someone in the original group. There isn’t time to fully vet the substitute. Our best advice: tell them “NO.” Do not accept last-minute substitutions unless you can fully complete vetting at the same level as the rest of the visitors.
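To make the admission rules concrete, here is a small model of the gates the Acme Widgets Visitor Management System was described as applying (department head approval, automated vetting with flagged cases routed to a Security Team member, NDA on file or signed at arrival, screening questions answered correctly) together with the rule above that a last-minute substitute is only admitted if vetted to the same level as the rest of the group. This is an added illustration, not code from any real visitor management product; the vetting levels, the screening questions and the `REQUIRED_VETTING_LEVEL` threshold are constructed assumptions.

```python
"""Constructed model of a visitor-admission decision with explicit gates."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Decision(Enum):
    ADMIT = "admit"                  # a visitor badge may be issued
    DENY = "deny"                    # the visitor is refused entry
    MANUAL_REVIEW = "manual_review"  # a Security Team member must decide

# Constructed screening questionnaire: question -> required answer.
SCREENING_KEY = {
    "fever_in_last_14_days": "no",
    "close_contact_with_confirmed_case": "no",
}

# Assumed minimum level the automated vetting must have completed.
REQUIRED_VETTING_LEVEL = 2

@dataclass
class Visitor:
    name: str
    host_department: str
    vetting_level: int = 0          # highest vetting level completed (0 = not vetted)
    vetting_flagged: bool = False   # automated vetting raised a flag
    nda_on_file: bool = False
    dept_head_approved: bool = False
    screening_answers: dict = field(default_factory=dict)

def admission_decision(v: Visitor, reviewer_decision: Optional[bool] = None):
    """Walk the gates in order; return (Decision, list of reasons or follow-up actions).

    reviewer_decision is the Security Team's manual verdict on a flagged visitor:
    None = not yet reviewed, True = cleared, False = rejected.
    """
    actions = []
    # Gate 1: the department head hosting the visit must have approved it.
    if not v.dept_head_approved:
        return Decision.DENY, [f"no approval from {v.host_department} department head"]
    # Gate 2: vetting must be complete to the required level (catches unvetted substitutes).
    if v.vetting_level < REQUIRED_VETTING_LEVEL:
        return Decision.DENY, [f"vetting level {v.vetting_level} below required {REQUIRED_VETTING_LEVEL}"]
    # Gate 3: a flag from automated vetting is never auto-resolved; a person decides.
    if v.vetting_flagged:
        if reviewer_decision is None:
            return Decision.MANUAL_REVIEW, ["automated vetting raised a flag; awaiting Security Team"]
        if not reviewer_decision:
            return Decision.DENY, ["Security Team rejected flagged visitor"]
        actions.append("flag cleared by Security Team")
    # Gate 4: NDA is required, but a missing one is satisfied by signing at arrival.
    if not v.nda_on_file:
        actions.append("present generic NDA for signature before badge issue")
    # Gate 5: every screening question must be answered, and answered correctly.
    wrong = [q for q, a in SCREENING_KEY.items() if v.screening_answers.get(q) != a]
    if wrong:
        return Decision.DENY, ["screening failed or incomplete: " + ", ".join(wrong)]
    actions.append("issue visitor badge; escort required until the visitor leaves the building")
    return Decision.ADMIT, actions

def substitute_allowed(group: list, substitute: Visitor) -> bool:
    """A last-minute substitute is accepted only if vetted to at least the level of
    everyone else in the group and to the required minimum."""
    group_level = min(m.vetting_level for m in group)
    return (substitute.vetting_level >= group_level
            and substitute.vetting_level >= REQUIRED_VETTING_LEVEL)

if __name__ == "__main__":
    ok = {"fever_in_last_14_days": "no", "close_contact_with_confirmed_case": "no"}
    guest = Visitor("A. Visitor", "Rocket Sleds", vetting_level=2,
                    dept_head_approved=True, screening_answers=ok)
    print(admission_decision(guest))
```

Running it with all gates satisfied returns `Decision.ADMIT` and the badge action; the ordering of the gates matters, because a visitor who was never fully vetted is refused before the NDA or screening steps are even reached, which is exactly the substitute case.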
In Closing…
We had a meeting with military base leadership that included a member of the base commander’s staff, members of the Security Forces command staff, our Congressman’s Aide, security managers associated with several of the military groups on base, and a contracting officer. Prior to the use of our automated Visitor and Badge Management System, all of these groups had their own individual systems. No two systems talked to each other. Communication between these disparate systems was a series of hand-carried forms. Data had to be keyed in and then re-keyed into the next system to be used.
But with our automation, all of the different groups shared the same data, stored in the same database and accessed by the same application. Many of the groups had screens that were specific to their job function. All groups were properly trained in their jobs. All of this was supported by the Security Forces Commander and his staff. The contracting officer spoke up shortly after the meeting started and said to the Congressman’s Aide: “We all used to use different systems, but now we all use the same application and are all part of the same security team.”
Everyone benefits from working together to maximize the security of the facility. Everyone needs to be on the same security team. But without the buy-in from leadership, this will not be possible.