Two large security problems, the alarmist and the uber-pragmatist

Of course there are security threats that come from outside your organization - and even some that come from inside. But I'm sorry to say that some of the most dangerous threats to an organization's security can come from the people trusted to manage it.

The two problems I'm talking about are people that are on each end of the security posture spectrum. On one side, you've got the alarmist - on the other side, you've got the uber-pragmatist

The alarmist uses fear to fuel their objectives. The plans and suggestions they have may be appropriate but when they are faced with the resistance every security practitioner experiences - you'll hear them say things like:
"well, if you're willing to accept the risk and liability - it's out of my hands"
"nobody expected 9/11 either"
"I can't be a part of this unless you take security seriously"

We all know the alarmist, and we've all seen what they do to the overall view administrators have of security. They further the perception that everyone is taken advantage of, by a government and industry praying on the fear of society.

Because of these alarmists, many reputable security professionals have a difficult time. The more you've been forced to deal with an alarmist, the more you'll see assessments of security threats and risks as if they are coming from an alarmist point of view. However, alarmists usually find a place in the industry working for organizations that either tolerate their views or are deal with a lot of fear.
Often times they can justify themselves by pointing to the fact that the measures they recommend result in safer locations. Well - if there was much less of a threat than the alarmist stated to begin with than of course it's safe!

Alarmists, and the ongoing war on terrorism - have produced a strong crop of what I call uber-pragmatists. These are the guys who need to be the "voice of reason", they fancy themselves as the sober realists who don't fall for the fear-based security "fads". Many times, organizations find the uber-pragmatist's views refreshing and comforting. They feel like they are not being taken for fools by a fear-crazed industry - yet protected by someone who has the intelligence and experience to "know better".

These guys are wildly popular, especially in this day and age. Administrators like to consider themselves immune to the hystaira that effects the common man and leads to knee-jerk reactions. They like having security professionals who confirm their views instead of threatening them with worst case senerios.

The obvious danger with uber-pragmatists is ignoring valid security risks and writing them off as hystaira. But one of the most overlooked and underdeveloped pieces of security is the fact that the views of the employee population can sometimes outweigh the common sense that uber-pragmatists rely on.

For instance, the threat of an armed attacker coming into a clinic and shooting everyone may be extremely low. But, if the staff is convinced that it's a valid threat than productivity and staff relations will suffer. Common sense says that you shouldn't install a panic alarm system if the true risks and threats don't merit one. But, giving the staff what they need to FEEL safe may be much more important than sitting back and making it clear that you're not swept up in unfounded fear.

We protect property and staff so that buisness can go on and the company can be productive. How productive is a company if there is a high turnover due to conditions the staff sees as unsafe? How smoothly will things be between the administration and staff if it's viewed that the administrators don't care about the safety and securty of employees?

Throwing unessessary security measures in place can definetely lead to trouble, but measured, carefull use of security to help employees feel safe is sometimes nessessary, and the uber-pragmatist has a terrable time understanding that fact.

It's not easy, and we each have elements of the alarmist and the uber-pragmatist to contend with - but we have to balence the two.

Are your security officers happy? (probably not)

You can not treat your security officers, (in-house or contract) like other employees that make the same wages. It should be just that simple - but we all know it's not.

I'm not saying that every employee on the same pay scale as security officers is not treated fairly, but rather - security officers hold an awful lot of your critical resources in their hands, so we should act accordingly.

When your other employees are underpaid, mismanaged and othewise negelected you run into productivity and turnover issues. With your security officers - productivity and turnover are the least of your concerns.

Because security is viewed in most settings as a necessary evil, and prone to expensive bouts of knee-jerk reactions, security officers often get by on minimum salaries and non-existent management, little enrichment and hardly any sustained training. These officers make about as much as the guys who change your oil - and we expect them shoulder the same amount of critical responsibility as your IT staff.

A report released this week and reported in USA Today talks about how the low morale of airport screeners could harm security.
Airport screeners make more money and have better professional development opportunities than the vast majority of corporate and municipal security officers. It's not a good comparison on all levels, but I use this point to illustrate how the morale and overall well-being of your security staff can present much more risk than any other department.

Security officers are the ones you'll count on to handle emergencies - get your employees into safe areas and make split second decisions that can save or doom your operation. The better they are treated and supported - the more secure (and safe) you'll be. So, as you're throwing cutting edge human resourses techinques at your staff to boost performance - push some of that love over to your security officers. You'll be glad you did.

Vendor / Integrator Selection Tips

Choosing a systems integration vendor is seldom the kind of thing that's taken lightly.

Of course there are situations where the capabilities and resources of the vendor are not nearly as important as the product used, but not many. Overall, if you've got sound vendor selection methods in place for all projects than you're covered - and you can always scale down your criteria if you need to.

Having a set criteria also helps justify recommending a provider that may cost more than others. It can also help cover you if you're subject to scruteny because of public funding, etc.

Systems integrators hate the term "vendor". It's a subtle distinction to anyone not in the industry, but a major factor the more you know about how security providers operate.

Here's a quick overview of the differences:

Vendors: Carry a set list of systems, and are very good at basic "cookie cutter" installations. They can put systems in on time and under budget on a regular basis - just as long as there is not any complicated variations of the system or integration with other systems. The typical vendor technician has spent a few years doing home security installations and is good at most component installation.

Good: inexpensive, fast, and proficient at putting basic systems in place and doing routine maintenance.
Bad: complex projects that require engineering outside what the manufacturer ships with the product.

Integrators: Specialize in a few high end systems, but are either familiar with all others or can easily figure it out if they have never used it They are best in complex projects that join together parts of separate systems to function with core usability. The typical integrator technician has worked for a "vendor" in the past and gravitates to more challenging work.

Good: can engineer ways to maximize your system capabilities, and make non-standard solutions work without much drama. Can handle service issues that most vendors give up on and suggest replacement.

Bad: standard installations will cost more than with a vendor and will take longer. There are many more differences at other levels but that is a good basic overview.

So, when it comes to selecting a vendor / integrator for a project than you need to make the following considerations:

1. What kind of project is it? Just a basic installation or does it require complex engineering? The problem here is that you may not know. You may be thinking that all you need is a typical system but as the project goes forward you learn that there's a lot more integration needed.

2. What's more important - price or engineering and service? This is tricky as well because it may be difficult enough for you to convince your management to install a system at any price.

If you've got a basic system and you need a low price, than you're going to be looking at a vendor. If you've got a complex system that needs to function, and also need sustained support - you're looking at an integrator. If you don't have a core system in place already - I suggest dealing with manufacturers first and see what vendors / integrators they work best with in your area. Keep in mind that if you're putting a project out to bid and get proposals from both vendors and integrators - than take a close look at what's being spec'd and how well the proposal addresses your needs. You also want to be aware that many companies will lowball the price they propose just to get their foot in the door and expect to make up the difference in future projects.

Once you've decided what kind of security provider you need - the following considerations should apply:

1. What systems do they specialize in? How many systems like yours have they put in and support? How long have they been using your specific system?

2. How many project managers, installation technicians, service technicians and account mangers are based out of your location? What happens if they are in the middle of a major install project when you have a problem with yours? Where is the next closest branch and what kind of staffing do they have?

3. How many of their project managers, and technicians are factory trained on your system? (have been through the manufacturer's training and certification process)

4. What kind of relationship do they have with the manufacturer? (ask the manufacturer)

5. What are some of the other clients they have saying about them?

6. How long has their lead project manager been there? lead technician? lead sales position?

7. Does the company have a history (positive or negative) with the state licensing board?

Many times, if you're part of a large company than your purchasing department already has many of these questions on the Request For Price (RFP) paperwork they send to prospective providers, so it's worthwhile to check with them. You also want to standardize how these questions are presented, to be fair to everyone. I have a set questionnaire that I send out and keep on record that populates reports on overall vendor options.

I'm happy to share my questionnaire with anyone who needs it - just shoot me an email.

Clinical security, who are we protecting?

The last thing a clinical healthcare provider wants to do is harm a patient. In most cases, clinical staff will put themselves in harm's way in hopes of resolving a problem rather than escalate things.

So, it's surprising to see a story like this; Hospital calls cops and feels the sting. (Securityinfowatch.com)

Basically, when a patient started showing some of the warning signs of violent behaivor - the staff called the police. To control the patient, the officers used a Taser and once he was on the floor he was injected with medications and transferred to the psychiatric unit in another hospital.

Except now, that hospital (Northfiled City Hospital - Minnesota) has been cited by federal and state health officials for violating that patient's rights.

Healthcare oversight agencies are notorious for this kind of let's make an example out of them thinking. Unfortunately, it works because hospitals have little to gain in fighting the system - but can loose everything. I've been in situations where a regulatory authority was clearly overstepping the bounds of their scope, but the hospital being reviewed decided not to push the issue - it just wasn't worth the trouble and risk.

Aside from the regulatory agencies, interpretations of rules and political angles at play, the use of force in a clinical environment is a nightmare topic. The conflict of interest between protecting one patient or protecting other patients and staff is a hard balance to achieve.

To make matters worse, the trend over the last 20 years has been to decrease the clinical staff positions that would serve an "orderly" role and physically restrain patients. An orderly is clinical staff and in most cases, is not subject to the same restrictions that security staff is - or the same obligations as law enforcement (to protect other patients and staff, first - and than address the clinical concerns secondly)

Sadly, these details often are lost in the thinking of auditors, inspectors or regulatory authorities. It bothers me when one hospital is made an example, with no regard to the overcompensation that occurs in the other institutions. How do you think the incident in Minnesota effects clinical staff's thinking when there is a potentially violent patient in their wards? Although they would usually call the police for help - they don't want to be cited for violating patient's rights.

There is no easy fix for this topic, but one thing is sure -- there needs to be solid planning, communication and training between clinical and security staff. Action plans should be developed by all stakeholders to make sure problems are addressed on each front. If you lay out all the hard topics on the table - and work out your solutions together (making sure your legal folks have a say as well) than you're less susceptible to the auditor's interpretation of rules and guidelines .

The Bio-Chem Risk and Research Security

Former Navy Secretary Richard J. Danzing has been warning us about bioterror and chemical weapons for some time now.
Even way back in 1999 he wrote It Can Happen Here (The prospect of a biological or chemical attack is no longer hypothetical) which was published in Hoover Digest.

More recently, he spoke at a Washington D.C security conference and reminded us how easily lethal agents and pathogens can be diverted from their intended users (university and corporate research labs) and used for more sinister purposes.

Although attempts have not been successful, and wide spread distribution of harmful agents can be very difficult, there are still many dangers to consider.

If you work with any research institutions, you know how relaxed the logistical security measures can be when transporting substances for lab use. And in some cases, the labs themselves can be just as vulnerable. The fact of the matter is, unless your research lab is part of a global scientific conglomerate, you probably are not getting the security resources needed to mitigate these risks.

Up to this point, the Department of Homeland Security (DHS) has started to key in on some of the most dangerous materials that are used in research environments - namely, radioactive materials. Even though the focus has recently been on radioactive sources - it's just a matter of time or situational gravity that will shift attention to biological and chemical agents.

Danzing's warning is in line with protection at the national level, but we can also focus our attention to the element dealing with the protection of agents in research institutions. But since biochemical attacks make for good movie plots, we've got to work hard not to sound like alarmists when proposing institutional shifts in security practices.

Should we be looking at that highway?

Security can be somewhat of a swiss army knife for your organization. It's valuable because it does it's job well, but it has the capacity to facilitate other valuable services that are closely related.

As a matter of fact, security professionals live in a world where risks, threats, assets and resources are constantly balanced, contrasted and compared. This way of thinking transfers well into many other functions other than security, and it's one reason we see security professionals venture outside their lane from time to time.

Since many of the same measures are used to protect resources from both security risks as well as emergencies, it only makes sense to roll emergency planning and protection into your security work.

I guess that's a lengthy way of saying - security professionals should help with emergency management.

And it's a lengthy way of leading up to my suggestion to seriously think about how close your assets are to interstate highway travel. In the last five years, it seems there has been an increase in highway related hazardous materials incidents. But the interesting thing is, there doesn't seem to be an increase in protection measures.

We've all seen railroad routes being considered in this kind of thing - for good reason. But they are not the only option when transporting hazardous material by any means.

So here we have another threat to mitigate? Another thing to be worried about?
I wouldn't consider this something to base an entire assessment or plan on. But I would suggest keeping this issue in mind, and looking for opportunities to protect against it instead of marginalize the risk.

Every hour of every day tons of hazardous material is shipped over US highways, many times in vehicles you wouldn't think twice about. And even wrecks involving non-hazardous material can seriously screw up your operation - especially if you rely on the highway daily - or for critical emergency response or evacuation routes.

This does not mean expensive technology to detect incidents, or video monitoring to be the first to know if there is an issue - but it does mean:

• Considering what impact the loss of the highway would have to normal and emergency operations and plan for back-up routes.
• Consider what effect hazardous materials (liquids, solids or gasses) would have on your operations or assets directly adjacent to the highway.
• Consider what your organization may be able to assist with if in the event of an emergency on the highway.

And keeping this topic in mind when looking at issues may prove helpful in other ways as well (there's that whole swiss army knife thing again). It's easy to apply the same logic to other disruptions of logistic support, or exposure to hazardious materials.

The Next Generation

It's been said for some time now.

The institution of security contractor or security integrator is dying a long, slow, painful death.

And in the space that's being left behind, something interesting is happening. For all intents and purposes, it should be filled with young "hybrids". (Professionals that bridge the gap between technology and physical security).

But instead, it's become a vacuum - sucking up all the leftovers of the IT industry party that dried up seven years ago. It seems as if the timing of all this has been perfect for scores of tech industry folks who bet the farm on "a job with computers" just like everyone else.

What we're left with is a stark contrast between old school security vendors and high tech industry innovators. And as time goes on, and the next generation of executives will turn from the old school vendors (who have been able to convince their predecessors that all this flash in the pan technology mumbo-jumbo is a waste of time and money) they will have to choose from the IT industry leftovers and the few "hybrids" that are out there.

"Leftovers" is a pretty strong term - and there are some very positive aspects to having this element in the mix. But a large number of these folks are just taking up space. They are using their technology savvy to package what they are selling as the next generation of security. And in the long run, they are doing more harm than good when the clients who buy into their pitch get stuck with systems that don't fit their needs

. I'm just scratching the surface of this robust and complex issue, but I had to get on my soapbox for a few minutes.

Can AT&T deliver remote video monitoring via smartphone?

The answer is - I don't know.
And even if I did know, it would be through testing of the system in my area and my findings would only apply to specific set-ups that are similar to mine.

Putting video on the network is nothing new, and the desire to watch video from smartphones has been around for awhile as well.
But now AT&T has a packaged deal specifically for that purpose.

I haven't personally tested this service (I'd like to), but I have put together similar integrations with varying degrees of success. The one constant issue facing this concept is the data speed and service coverage over your phone's wireless connection. A secondary issue is the network connection available at the camera site.

At an AT&T conference a few months ago, I did learn that their wireless network efforts are substantially more robust than before. They are always striving for faster connections that are available in more places, but what I was most impressed with was the resources they are committing to make sure their networks stay up and running. They are focusing on the law enforcement, public safety and security markets much harder than ever before and they realize how the weak link in most wireless data integrations is the reliability of the connection itself.

So maybe they have been able to get the speed and reliability problems down to an acceptable level to consider this type of thing for a security feature, I'd have to see it for myself before recommending it of course.

But one thing bothers me:



Has there been some major breakthrough in DSL technology? Am I missing something? I just can't see how using DSL to feed your video to the network, than trying to view that feed over a wireless connection has any chance of working well.
Please tell me if I've missed something.
This looks to me like another situation where sales folks see "DSL" and lump it in there with normal network speeds and assume it works just the same. There may be cases where video fed over a DSL connection is watchable from another solid network connection - but I just don't see it have any quality over a wireless connection.

So - except for that DSL wrinkle, I do think this AT&T service is something to look into causiously. If I have an oppertunity to myself, I'll be sure to post my findings.

Tracking your employees in the field (for security)- on the cheep with Brightkite

I wrote up a little post after we had a case recently here in NC where a field auditor was killed on the job. (Protect Your Field Agents and Auditors)

And, I'll be the first to admit that the concept of getting all your field employees on GPS enabled phones may be a daunting task in a lot of situations. Thankfully, there's a way to trim down that option.

As long as you can have your employees check in and out from calls, and have someone available to keep on top of that reporting (real time) you can have a manual version of map based tracking.



Brightkite.com is a pretty solid application. It's formed around social networking and the idea that knowing where your friends are brings another useful dimension in the whole social spectrum. Users can check out a map of their area and see who is nearby - or can even be alerted if someone checks in close to them.
You don't need a GPS phone because you "check in" by sending a text message, email or via the website.
It fits nicely into Twitter use and although it's still in beta - I think Brightkite has a bright future. (can't believe I just said that)

The beauty of this is that you could keep your employees on their current phones.
But - you'd have to:

• Make sure they check in and out from every call with the correct address.
• Make sure there is a firm policy for the length of visits and exending when in a visit.
• Make sure someone is watching the web interface and keeping up with the visit times.
• Make sure all the communications policies cover the bases and are well trained.
• Make sure they can use SMS, and know how to as well.
  

This solution is mostly for large scale operations with more than a few workers in the field at any given time. Mapping out the worker's locations is the main benefit, and Brightkite's messaging / picture integration is a plus.
Once someone's checked in - they can post pictures or notes that can be added to a case file later or reviewed by the monitor real time.

It's an option - but you can always keep up with employees old-school by them calling or texting in and out with a "tracker" plotting them on a map and standing by.

Brightkite is still in beta but let me know if you're interested in trying it out.

HOLY TOLEDO - you're REQUIRED to have CCTV?

Toledo Ohio recently passed a city ordinance that requires convenience store and small restaurant owners to install security video systems.

I tried to go to the City of Toledo website and look at city counsel minutes, but the links lead to off topic documents - no lie - one was a neighborhood schematic and another was an athletic league schedule.

I can understand the logic in this on a few points:

• It's a pain in the ass to investigate hold-ups without decent video
• Just the knowledge / publicity generated is a deterrent

But:

• This looks like an enforcement nightmare
• The required system components/set-up leave huge gaps in basic security
• What's going to happen when all the owners get their Costco camera systems put in and they all crap out in a year or so?

I swear this is not an "oddly enough" security blog but it seems there is enough crazy stuff in the news to make one.

(via SecurityInfoWatch)

Security cam feeding pics to phone catches stealth house guest

All weirdness aside, this is a pretty good example of phone based security integration working.
This guy was noticing food missing and other oddities over the course of a year. So - he installed a security camera and had timed images sent to his phone. (I've also seen set-ups where motion will trigger the sending of a still or clip).





They found a homeless women living in his closet.

I think this kind of integration is perfect for small business owners, homeowners and for keeping an eye on valuable items/spaces. Of course, if it's not set up correctly there is a lot of headache involved.
You've got to make sure that clear images are being captured and sent - so the basic rules of security camera placement apply. There should also be some kind of on-board buffering or recording available.

On a larger scale, this kind of thing should be tied into access control and dvr/nvr systems. There are lots of deployments where there's only one officer on shift for the entire site (high-rise offices, etc). If they are not at the desk, they loose a lot of the tools the access control and video systems offer. At best, I've seen the systems send text messages to the officer on a moblie phone - but imagine if a still or clip was sent as well?
I'm looking forward to when highspeed connections over smartphones allow for just clicking a link on the alarm message to go to the live feed.

Via: Engadget / ixplora