Making informed decisions to further your goal or direction as a security manager is always a challenge. Using the WAG (wild a&& guess) method is never a good idea, and resting on our laurels just isn’t good enough. We can add an S to the front of that acronym, which stands for Scientific and reduces the importance of the W in wild. CIP compliance is the first layer requirement and, even where it isn’t required at some locations, can be a good guide on where to start.
It is our goal as security professionals to protect people from harm or injury and property from damage. In the military we utilize intel, gathered from a variety of sources, to give us key data and metric points so we can make informed and educated choices before we move pieces on the chess board. This is the same reason law enforcement experts and detectives conduct interviews and gather evidence to support their investigations. Oftentimes this happens after a crime or incident has occurred. Information is the key! Security managers, directors and Chief Security Officers should, and do, the same thing; however, our methods are significantly different.
On the cyber front, we rely on experts to watch trends and technology and to track attempts, so that we can shore up our defenses. If you see an increase of something banging on your front door, find ways to reinforce your side of that door.
On the physical front, we should engage with local law enforcement partners to gather intel about criminal trends. We need to build relationships with those folks to add to our KPIs and metrics, so we can spend our sometimes overtaxed budgets and our corporation’s finances in a smart way. Don’t wait for law enforcement agencies to contact you. At that point a crime may already be in progress, or have been committed. Cyber and physical security are different industries, but they work in tandem with each other.
Example: if your cyber teams are showing a significant uptick in unusual activity from a single location or source, this could be an indicator that a physical attack may be on the horizon. The opposite of this scenario can also be true.
Utilizing a “red team” or pen testing group, in a controlled and safe manner, can give you the vital information you need to: validate a concern, find unknown vulnerabilities, test your theories or “cherry pick” locations where you can later implement solutions on a broader scale. Testing and challenging your processes, systems and protections is always the last and most crucial piece of the puzzle, and it makes us better organisations.
Attending trade shows, continuing our education in the security industry and participating in discussions with our counterparts to share best practices helps us be better professionals. If we silo ourselves and don’t branch outside of our realms, then we run the risk of stagnation, which can leave us and our organisations at risk. I champion the E-ISAC for their efforts on information sharing!
In the end, we security-minded folks are risk mitigators.