1. When it comes to the terrorist threat, what are the greatest misconceptions about how they think and operate?
There has been a lot of evolution in terrorist threats in the past fifty years. Earlier hierarchical terrorist organizations have given way to loose affiliations bound together by ideology and the internet. Today, they are not trying to liberate anyone, and they are not trying to impose a religion. Instead, driving communities apart has become the aim in this new age of terrorism. In the January 2016 edition of The New Yorker, Lawrence M. Krauss wrote an article titled “Thinking Rationally about Terror” where he said something that stopped me in my tracks: “…terrorism is designed [to] drive a wedge between segments of a community which otherwise might have coexisted peacefully, both politically and socially.”
2. The threat landscape for security professionals is constantly evolving. What are some of the newest threats that you are most concerned about and why?
The first threat that concerns me the most is guns. They are easy to obtain anywhere in North America, and accurate and reliable in the hands of a person with minimal training. People with guns can operate from outside my physical protection systems’ detection range and kill employees and destroy critical components. This is a relatively new trend in an old threat, and we need to work on it.
My second biggest concern is climate change. Our infrastructure was designed for a world that no longer exists. Events that used to be in the high impact/low frequency quadrant are now drifting towards the high frequency quadrant, and we’re going to have to make changes to funding and staffing to keep the level of reliability that our customers demand.
3. In your book, you spend time illustrating why it’s important for security professionals to step outside of the security department to fix weaknesses and vulnerabilities. Why is this so impactful to the process?
Three months after I joined an offshore oil drilling company, I found myself working as a safety and security supervisor on an oil rig drilling off the coast of Angola. An old Australian driller commented that with three months in the industry I probably felt useless. He then added that I had something that no one else on the rig had: a fresh set of eyes. He said that sometimes they did things because they’ve always done them that way, even if the context had changed, and told me that if I saw something that didn’t make sense to say something. I’ve never forgotten what he told me.
Security is the same way. Create a vulnerability assessment team by bringing in interested employees that represent all parts of the organization, not just the security department. Operations personnel can tell you what really needs to be protected. Human Resources understands company culture and training. IT and OT know how information is collected, transmitted, and processed. Supply Chain can tell you what components take a long time to replace. Engineering can take lessons learned and implement them in both new construction and existing sites. And together, they all have a fresh set of eyes that can challenge why we do things the way we do. If we can defend our approach, good. If we can’t, then we’ve just learned something.
4. What are the most common mistakes you see security professionals make when it comes to protecting their physical assets?
Security professionals are too easily seduced by the beauty of our technology. We go into our facilities and look at cameras and fences and access control systems and see what’s there, not what’s missing. When we install security equipment, we test it in isolation—not as a component that is part of a larger system.
This is important, because while we are looking at the site security system, we are ignoring the larger physical security system (PSS). The PSS contains things that we often don’t see or think about in the context of a site survey, such as personnel policies, maintenance workflow, critical spares, response time of law enforcement, etc.
The way I look at it is that a PSS is a lot like a piano. And you can’t tell if a piano is in tune by looking at it – you must play it. We need to learn to ruthlessly test our systems using a design basis threat and a scenario-based vulnerability assessment methodology. Only then will you know if all the components of your PSS are up to the task of protecting the site.
5. What key piece of advice would you give our readers who are currently working on building or improving their insider threat management program?
All organizations have insider threats, but few recognize them. Most organizations have many of the policies they need to reduce insider risk anyway, such as supervisor signoff on expenses, separation of duties, and anti-bullying and anti-harassment policies, but they don’t go the final step and create an insider risk management team to look across the enterprise and ensure all critical functions are properly protected.
The best way to sell an insider threat program to your executive is to call it something else, because many organizations think that to call it what it is shows that you don’t trust your employees. My favourite is “Data Assurance Group.” No one knows what that means, no one is offended, and you can book meetings with it.