Homeland Security

Homeland Security is a concerted national effort to:

• 1. Prevent terrorist attacks within the United States
• 2. Reduce America's vulnerability to terrorism
• 3. Minimize the damage and recover from attacks that do occur

The active role for most businesses is with #2 and #3 above, while a few businesses provide products and services that can contribute to #1 above.

Where does the country stand, and where does your business stand, with regard to its Homeland Security efforts?

One Year Later

"A year after September 11, America remains dangerously unprepared to prevent and respond to a catastrophic terrorist attack on U.S. soil. In all likelihood, the next attack will result in even greater casualties and widespread disruption to American lives and the economy. The need for immediate action is made more urgent by the prospect of the United States going to war with Iraq and the possibility that Saddam Hussein might threaten the use of weapons of mass destruction (WMD) in America."

-Report of an Independent Task Force Sponsored by the Council on Foreign Relations, October 25, 2002

Businesses Dangerously Unprepared

Contributing to the overall situation is the fact that most American businesses remain dangerously unprepared to respond to the results of a catastrophic terrorist attack on U.S. soil. Many aspects of security and business operations need to be taken into account. Some situations to be considered that are:

• Slowdowns and interruptions of supply side and delivery side services
• Disruptions of normal external channels of communication
• Loss of internal information/communication systems
• Inability of personnel to report to work
• Inability of customers to conduct business in the normal way
• Near-term loss of electrical power (days to weeks)
• Local civil unrest
• Temporary closure of financial institutions
• Increased opportunity for employee fraud and theft
• Dealing with a completely unanticipated crisis

These would be side effects of a successful or unsuccessful attack elsewhere, not just a direct attack on your own business. A direct attack could result in additional, more serious scenarios. Each one of the situations listed above will require specific security responses in addition to the operational responses. Security will have to be tailored to support the operational situation. There is high risk of loss in not having both operational and security responses planned in advance.

The purpose of this article is not to present an exhaustive examination of the specific dangers and potential remedies. Its purpose is to prompt action within those companies who don't yet have a sufficient security program going, by touching on some of the important issues, and by suggesting where to look for help in addressing them. For those companies who do have security well in hand, there remains the task of helping and guiding others.

Waiting for active U.S. military action to occur (such as Iraq) or waiting for the next terrorist attack at home to happen before implementing significant security measures would be disastrous for many enterprises, and would mean the needless demise of at least a small percentage of businesses.

No Precedent

This is the first time that businesses across our nation have had to seriously consider the possible effects of an attack on home soil. The situation is complicated by the fact that new destructive technology, including biological weapons of mass destruction that can be carried in one's pocket or briefcase, have not existed in previous generations. Thus within a particular company there may be little or no past experience to fall back on when trying to assess today's security needs and how to respond to them. Where in the past emergency response measures and security response measures have often been assessed and developed independently, the increased level of national threat means that emergency response must take security into account, and vice versa.

Take a Hand, Lend a Hand

Although it is true that, as a whole, American business is not in a good position, many companies -- especially the larger ones -- have made outstanding progress in establishing effective security programs. For the sake of Homeland Security, they are sharing information with other businesses to help speed up and strengthen the process of securing our nations businesses. "Lending a hand" has always been an important component of the American spirit. This simple but critical ingredient can make an order of magnitude difference in the progress that we make in Homeland Security in the coming year.

If your own business needs to accelerate it's security progress, take a hand from the companies, organizations and government agencies who have established Homeland Security task forces and working groups, and who have made information and services available to you.

This is what is meant by "a concerted national effort" -- individuals and organizations working together (i.e. working in concert) to strengthen every aspect of security all across our country. You can get valuable information and assistance from cities, counties, states and the federal government; businesses and industry associations; health organizations and universities; fire, police and other emergency responders; as well as citizen groups in your local community.

If you are one of those businesses who has made significant progress on your security programs, consider how you can share appropriate information with other businesses in your industry and in your community.

The Synthetic Organic Chemical Manufacturers Assciation ( www.socma.com ) offers a Chemical Security Preparedness seminar series. This is a free seminar series being done in partnership with government and other industry associations on site security, distribution security, customer awareness and risk communication. Many industry and business associations have such programs - check with those you belong to.

Another example of sharing information is the Crisis Communications Toolkit from the Business Round Table ( www.brtable.org ). This 100-page guide is a valuable document that every business should study. It is designed to enable members of the by-invitation-only BRT to tailor for their own unique purposes a workable post-9/11 crisis communications plan that includes crisis preparation, prevention, and continuous improvement. The document states: "By all measurements, the events of 9/11 and the continued threats to security and global business have changed the way we think of crisis preparation, prevention and response. As a guide or clearinghouse of Best Practices-for inclusion in or adaptation for your company plans-this toolkit should be shared with your vendors, subsidiaries or suppliers so that everyone in your supply chain is as prepared as possible."

With more than 32,000 members, ASIS International ( www.asisonline.org ) is the preeminent international organization for professionals responsible for security. ASIS now offers three security certification programs: Professional Certified Investigator, Certified Protection Professional, and Physical Security Professional. ASIS is a means of both getting a hand and lending a hand. If you are not an ASIS member you should consider joining. Use the ASIS website to find members near you (and in your own industry or field) who can tell you more about the benefits.

High Desire But Low Results

Why is it that in spite of the wake-up call of September 11th, many businesses have made little or no real progress in assessing and addressing their security needs in light of our serious nationwide Homeland Security issues? Why is security not one of the very highest priorities? There is an apparent corporate complacency that doesn't match the strong interest in security that I typically encounter in the corporate individuals that I talk to. Often when there is a high desire for something but little action, people simply don't know what to do and need a hand getting started.

Boards of directors, CEOs and other senior executives must develop a full and realistic understanding of where their company is and where it needs to be in terms of security. It's one thing to be chastised for a dip in profits; another to be held accountable for loss of life or for the demise or near-demise of the business in spite of ample warning.

Concern for security should not be confined only to the top executives, however. Employee jobs at all levels may be lost if a company is damaged physically, financially or operationally.

Security on a Personal Level

It's the responsibility of higher level executives and security management to see that policies and procedures exist that cover emergency situations, and to see that personnel understand them and are trained on them. This is very important organizationally, but it's also important on a personal level, and that's one of the lessons that I learned on September 11.

There is no measuring the personal impact of a disaster that can result from decisions regretted and plans not made. I lost a close friend in the World Trade Center attack. I'm very thankful that nearly all of my friends and associates survived. Many of us learned some very dear lessons through the hard experience of our friends and colleagues that day.

Failing to establish security and emergency policies and procedures, and to train your people on them, is tantamount to abandoning them and their junior staff in a crisis, so that they are forced to make decisions that they are not prepared to make, and forced to decide where their staff should go and what they should do. They may need to make life and death decisions, in a situation where failure to decide is still in effect a decision. Even if they make the right decisions, decisions that no one questions later even for a moment, if injury or death is involved, they are left to carry the weight of that alone. They will have no training, policy, procedure or advice to back them up. Consolations given after the fact are of little real value.

This is needless human damage. In a small crisis, it can double the casualties to the business, because good people thus burdened have trouble continuing to work in the same surroundings and with the same people. If you were a manager or executive above such a person, how would you fare when looking him or her in the eye?

This is one reason why security ratings cannot use the same kind of scale as other aspects of the business. You can measure the dollars and cents damage to a business. You can't measure the damage to its people.

Rating Security

One of the contributory factors to the apparent corporate complacency is that an organization's security cannot be scored in the ordinary ways that we are used to rating things. The typical scale of Excellent, Good, Above Average, Below Average, Fair and Poor does not apply. Even above average security in our current situation is far from acceptable. With regard to security, if you are not in Good or Excellent shape, you or your business could be dead.

Security ratings can't be averaged out with other ratings in the business. "Production is up, profits are up, employee morale is up. Our new security program still hasn't gotten off the ground yet, but we've got to attend to business first." This kind of comment indicates a corporate culture that is dismissive of security, and shows that it's executives are not confronting the liabilities involved in ignoring or postponing security initiatives. That is dangerous in the short-term and could be suicidal in the long run.

The following rating system that is more appropriate for the consequences involved in security. This is not a rating of security measures, but of the security function within your organization.

Excellent. An appropriate security plan has been developed that takes into account the current U.S. national threat from terrorism and the operating situations that the business may find itself in. The security plan is periodically reviewed and updated. The security responsibilities of all are clearly known and understood. Security improvements are proceeding rapidly. A security training is well-established and includes refresher courses. Periodic emergency drills are successfully held. All executives, employees and company stakeholders are accurately and timely informed about the status of security programs and projects. Only purely discretionary security items are postponed for budgetary reasons. People with key roles in company security also participate in trade association and community activities and round tables that share appropriate security knowledge with fellow businesses, as a way of strengthening their industry and their local community.

Good. The same as Excellent, except no sharing of information with others.

Faltering. Security plans have been developed, but the original sense of urgency has faded. Schedules are slipping. Some security items are being postponed for budgetary reasons. Periodic reassessments are not being performed. It's difficult to get cooperation on security issues and actions. Most things have higher priority than security. Unless someone really "takes the reins" with regard to security, the organization will slip down to a Failing rating.

Failing. The persons responsible for security allow other responsibilities to push security concerns aside. Perpetual postponement of security assessments and planning occurs, and only very immediate security concerns are given attention. The lack of real planning means that there is no basis for budgetary allotment, thus no real case for security programs and improvements can be presented to senior executives or other financial decision makers. The lack of budgetary funds results in a "next year" attitude towards any significant improvement in security.

Non-Existent. No executive has truly assumed full responsibility for the organization's security. Thus the business is at high risk regardless of any existing physical access control, CCTV and alarm systems or contract guard services. The systems, policies and procedures if any barely meet the real requirements for normal times, but ad-hoc security reactions allow the business to cope with security issues on a day to day basis, thus camouflaging the real situation. The business can't be expected to withstand any significant criminal or terrorist security threat. Regardless of the security measures that have automatically carried over from previous years, security as an active and aware function of the organization does not exist.

Only the top two ratings should be tolerated by executives, employees and other stakeholders. The remaining ratings require immediate and sustained corrective action.

Where Does Your Business Stand?

Prior to September 11th, most businesses had insufficient security against even ordinary or typical business threats. In the five year period prior to 2001, every single security walkthrough that my company's consultants participated in revealed at least one significant security flaw, and the majority involved several of violations of basic security. In most cases, the top management or security management was unaware of most of the issues. This is very significant when you realize that the companies we were visiting had security programs of one kind or another in place, and were actively trying to maintain good security. Imagine the security picture at businesses that are not even trying.

Historically, security programs and measures have been a reactive responses to one or more incidents or problem situations. Some companies suffered enough that they decided to be proactive, and a taste of the benefits of being more in charge of their corporate destinies has helped them to keep that orientation. Those companies are the exception-a situation that must change quickly given our current national threat situation, and the increasing technological advancement of terrorist and criminals.

If you are in one of the few businesses that are truly "on top of" the situation and have your company's own security well in hand, your only foreseeable weaknesses may lie with those businesses upon which your business depends either in small or large measure. In terms of general survival, it may be prudent for you to lend a hand to others in your community and industry who could benefit from your know-how and experience.

Establishing an Internal Security Driver

Perhaps September 11th provided an impulse that prompted organizational action with regards to security, but you have discovered that the security momentum is slowing down. What you need to do is replace the external driver of September 11th with an internal one in the form of a live person who is tasked and empowered to lead the company with regard to security. Sometimes the person assigned the responsibility is not always given the power needed to carry out the associated actions and duties. That is especially true in a larger organization where getting things done requires the participation of people in various departments and positions in the organizational hierarchy. If the person charged with the security responsibility can't directly be given such authority, then those who have it must commit to providing the support needed, and must provide it in a direct and timely manner.

Corporate Security Task Force

Control Risks Group is a leading international business risk consultancy whose services include political and security risk analysis, investigations, and full-spectrum security consulting. William Daly, a former FBI investigator, is Senior Vice President of Control Risks Group and head of its New York Office. Daly says that creating a corporate security task force is one approach that many organizations have increasingly found effective when looking at corporate wide security issues. Daly suggests, "Its membership should include representatives from legal, human resources, IT, corporate communications, risk & insurance, operations and security." Such a task force can falter if it doesn't include the right people needed to establish the priorities and implement recommendations. To be effective the task force also needs report to a senior-level executive, who can promptly come to the task force's aid if a roadblock is placed in its way. Establishing such a task force is one way of developing commitment based support for a security director who, perhaps in the past, may not have received broad based support and buy-in for corporate programs.

Outside Help

If you find that little or nothing has been done to improve security since September 11th, then you probably need outside help to get things going. It may be difficult to get your hands around what security means for your company. Many companies in need of outside help have reached out for it. See the sidebar titled Roadblocks for some of the more common reasons that companies fail to get outside assistance when needed. If any of them apply to you or your personnel, recognizing the factors involved will put you in a better position to take corrective action.

Even experienced security professionals consult with colleagues and associates outside of their own firms as a matter of practice, through their professional associations as well as on individual occasions.

If you need to work with an outside firm and haven't done so before, try taking a two-step approach. Engage a security consultant or consulting firm to first help you generally identify your security consulting needs. They will help you document them, and work out an approach that gets the most critical things addressed first in a way that fits the available budget. Not only can they help you design your approach to security, they can provide you with a ball park estimate on your remaining consulting needs. You can then contact several consultants or firms and have them present to you how they would go about helping you with your needs.

Don't rule out firms based upon the size of the company. A large company may have very specific expertise that you need, and may be able to provide it a reasonable cost. A sole practitioner consultant may be more familiar with your community and able to direct you to local resources more effectively. You could also end up engaging more than one firm, depending upon the nature or size of the tasks. Check with your local community and trade associations, to see what good experience other businesses have had with outside consultants. You could also join together with local businesses to bring one or more speakers in for luncheon or breakfast meetings, to provide you with an introduction to various security topics.

One of the primary barriers to getting started on security projects, and one that sometimes stalls projects that were moving along, is biting off more than you can chew. If that's been the case, take a step back and find a smaller step that you can accomplish right away, or break a larger task into smaller ones to make it more manageable. Sometimes that's all it takes to start making progress when you're stuck.

Roadblocks

Individuals responsible for security can find themselves in a holding pattern and in need of outside help, but any of the following issues may keep them from seeking it.

• Procrastination
• Cost of outside help expected to be too high
• Not aware of how or where to get help
• Don't know how to evaluate a firm or consultant
• Fear of looking bad within the company
• Fear of looking bad to outsiders
• Previous bad experience dealing with outsiders
• Feeling that you must prove yourself qualified for the security job or task, and considering that seeking outside help could work against you

Don't let any of these factors keep you or one of your personnel from getting the assistance you need and deserve.

Government Guidelines vs. Regulations

If the vast majority of American businesses don't actively put sufficient security into place, government guidelines will start turning into regulations. Ask any industry that is government regulated, or ask any company's accounting department, how they like the regulations they have to deal with. Although this is not a primary motivator to establishing security, it's definitely another good reason to help others get their programs established.

The National Picture

We are all dependent personally and in our businesses on the state of our local and national economies, just as we all contribute personally and business-wise to those economies. Strong nationwide business security programs are critical to our nation's ability to withstand a terrorist attack. Individual businesses must survive, and we can't wait another moment to start changing the security picture. This is a case where individual business interests and national interests coincide.

America is the strongest nation on Earth, but it now needs to be stronger. Amongst us all, we have the knowledge and resources it takes to strengthen our businesses. For all of our sakes, lets get going now.

From Security Technology & Design Magazine, January, 2003.