Security Options and High Performance
Introduction
As McCrie notes, “the training of employees and the development of their skills and careers is a critical and time-consuming activity within security operations.”[2] For an organization like a public elementary school, employees are more than likely already stretched to the max in terms of time and ability: their primary focus is on teaching and assessing student achievement. Other stakeholders—i.e., parents—will nonetheless be concerned about safety, as Stowell points out.[3] To keep stakeholders happy, managers and employees have to find ways to satisfy concerns about security—on top of doing their full-time jobs of administering and educating. That can be daunting, but the Digital Age has helped bring security solutions into existence—tools like SIELOX CLASS, which allow teachers to communicate with administrators, access campus cameras, alert authorities, trigger a lockdown, and keep students safe by responding quickly to a potentially dangerous situation and following procedures sent to them over their mobile devices.[4] This paper will show how McCrie’s recommendations about choosing security options that 1) fit an organization’s budget and 2) provide the type of security desired by stakeholders can help to ensure that employees a) are prepared to engage in safeguarding practices (which includes having a proper measure of the effectiveness of the security system) and b) have the necessary resources to support them (i.e., the proper training to help guide them through the process of safeguarding in real time).
[2] Robert McCrie, Security Operations Management, 3rd ed. (MA: Butterworth-Heinemann), 95.
[3] Holly Gilbert Stowell, “Checking in for Safety,” Security Management, 1 Aug 2018 https://sm.asisonline.org/Pages/Checking-in-for-Safety.aspx
[4] Holly Gilbert Stowell, “Checking in for Safety,” Security Management, 1 Aug 2018 https://sm.asisonline.org/Pages/Checking-in-for-Safety.asp
Training and Development for High Performance
Two ideas that McCrie tackles when it comes to training and development of workers and managers for high performance with respect to security are a) the need to measure for effectiveness, and b) the need for non-security personnel to have security training. Each of these is important for its own reasons. Measuring effectiveness is crucial because too many assumptions can be made about a security system’s utility without that utility ever actually being challenged or tested. It is only through something like a penetration test that the actual merits of a system can be gauged. A penetration test helps to measure the overall comprehensiveness of a system in the face of a real threat.[5] At the same time, not all employees are going to be security personnel—but they still need to know what to do in the case of an emergency. Training can be costly and time-consuming, and not every worker is going to have the ability to undergo extensive security training. Organizations have to find ways to meet their security needs as well as their budgeting needs.[6] The example that Stowell gives with the elementary school is a perfect one for illustrating how an organization can balance security and budgeting concerns to make sure all workers are on the same page and security systems are effectively measured and engaged.
[5] Red Team Security Consulting, “What is a Penetration Test and Why Do I Need It?” Red Team Secure, 11 Jan 2018 https://www.redteamsecure.com/penetration-test-need/
[6] Joel Lanz, “How to be Street Smart When Budgeting for Security,” 31 Oct 2016 https://www.journalofaccountancy.com/newsletters/2016/oct/street-smart-security-budgeting.html
The Need for Appropriate Measures of a Security System’s Effectiveness
In order for a security system to be effective, managers have to be able to measure its effectiveness.[7] Stowell shows that measurements can come in all shapes and sizes. One type of measurement of a system’s security is the penetration test: this is where an exercise is conducted to see how well a security system stands up to an actual attack. In Stowell’s example of the measurement of the effectiveness of the SIELOX CLASS security system, a penetration test was actually accidentally initiated when a teacher hit the lockdown button on her mobile phone by mistake. Within two minutes the police arrived and the school’s security measures kicked into place. The principal was very pleased with how well the system worked, and even though it was an accident, it turned out to be a good drill and a good measure of the security system’s effectiveness overall.[8]
[7] Robert McCrie, Security Operations Management, 3rd ed. (MA: Butterworth-Heinemann), 117.
[8] Holly Gilbert Stowell, “Checking in for Safety,” Security Management, 1 Aug 2018 https://sm.asisonline.org/Pages/Checking-in-for-Safety.aspx
Overall, a system of security has to be tested in some form in order for it to be proved viable. Stowell’s example is good because it shows how even an accidental triggering of the alarm can be a way to find out how effective the response team is. The point both Stowell and McCrie make is this: no system can truly be said to provide security unless that security is somehow tested. Assumptions may be made—but assumptions are not enough to make an organization safe. Thus, there is a need for a security system’s effectiveness to be measured—and once measured the proper steps can be taken to address any shortcomings that appear as a result of the testing. That is the other good thing about measuring a security system’s effectiveness.
Security Training for Non-Security Personnel
Security training is essential for all workers because all workers play a part in keeping the organization secure—even those who have no background in security. Stowell’s example of the elementary school applies here as well. The teachers and administrators had no formal training in security—yet they were the ones who would be tasked with maintaining a secure system. They were the ones to whom parents were entrusting their children. Thus, they were essentially the first and last line of defense. That said, the local law enforcement department was on hand and could be on the scene within minutes if something bad happened—but teachers and administrators still had to make the call and know what to do when the alarm was triggered.
For that reason, non-security personnel have to be trained in handling security risks, threats and attacks. If there is a breach, they have to know how to respond. They also have to know how to prevent breaches from occurring in the first place. Cameras and communication devices are helpful tools and that was proven in the case of the “field test” at the elementary school. However, every organization will differ and not all will use the same types of security measures. Indeed, not all will have the same types of budgeting restrictions. An organization has to be smart about how it applies security tools, how it measures their effectiveness, and how it trains non-security personnel to behave in the event of a breach and even just to keep breaches from happening in the first place.
The right tools also have to be available. Stowell shows how important the right security system can be in her example of the elementary school that obtained the new SIELOX CLASS system. It was perfect for the teachers and administrators because it did not require them to be formally trained in security. They could use their mobile devices to engage the system and receive updates and messages. The system would provide them with directions on what to do in case of a breach or security threat. The teachers still needed some training in terms of how to use the system and how to make the best decisions given their particular circumstances at any particular time (as well as the manner of the threat). But the system itself was a major support and allowed the training of the non-security personnel to be achieved relatively easily. That is why the security tools that an organization utilizes have to be on the same level as the ability of the non-security personnel—otherwise they will not be used when they are needed. Stowell’s school teachers showed that even in the case of a false alarm the system was easy to use and all teachers and security personnel could respond efficiently and effectively when the time came to act.
What Drives Security Operations
What drives security operations are a) the need to have security, and b) the budget available to provide adequate protection. The need for security is commonly expressed by stakeholders, though sometimes it can be mandated by the state, depending on the type of work an organization is engaged in and what type of data is being secured. Hospitals and health care facilities, for instance, have to ensure that they are securing patient health information by law.[9] They are required by the state to protect patient data so that it does not become public information.
[9] Agrawal, Rakesh, and Christopher Johnson. "Securing electronic health records without impeding the flow of information." International journal of medical informatics 76.5-6 (2007), 471.
At the same time, security measures are also driven by budgetary concerns. Balancing risk and cost is an issue that an organization routinely has to face, yet the balance has to be maintained. Securing a facility or an organization’s information does not mean that the most expensive security systems have to be purchased. On the contrary, a little homework by an organization’s security team would show that there are numerous ways to protect and secure an organization without having to spend a great deal of capital. Indeed, several simple tasks by end-users, for example, can be enough to prevent the majority of breaches from occurring. Whether one is talking about cybercrime or breaking and entering into a facility, the tricks are of the same simple manner: not leaving passwords on pieces of notepad paper where others can see and steal them; not leaving doors open for strangers who do not have the security card that would otherwise have to be used to gain entry. The little steps that team members can take to protect a facility and its data are really big steps in the great scheme of all things security.
The Need for Security
The need for security will be determined by stakeholders, the market, the community, and the directors of the organization. They are the main drivers of security operations, as McCrie points out: they are the ones who want safety to be provided—and they are the ones who have to be appeased, ultimately. The example given by Stowell regarding the school helps to make the point: the parents wanted safe schools because of recent escalations in school violence. They used their voice to advocate for an improvement in security systems. They were thus the main drivers of the security operation. The operation had to meet their satisfaction—otherwise it served no purpose. The school parents had a major stake in the school: after all, they were sending their children there.
Security needs are different for every organization, so every organization has to conduct an assessment: it has to engage stakeholders to find out what is deemed valuable and essential, what needs to be protected, and what is incidental. If the community members of the school in Stowell’s example had cared more about the desks than the students, the security system that the state purchased would have been much different. It would have involved installing doors that locked upon the throwing of a switch instead of an alarm that sounded to alert teachers on their mobile devices.
Budgeting for Security—another Driver
The school in Stowell’s example did not have a great deal of funds to spend on security. The money ended up coming from the state via a 1% tax that allowed the state to have extra funds that it could use to satisfy some demand brought forward by the community. When the state asked the community how it would like the money to be spent, the community responded that it wanted safer schools. The state had enough money to try an experiment implementing the security system SIELOX CLASS at the elementary school. These extra funds made it possible for the school to have the security system—but without the tax, the money never would have been available. In other words, the school really had no budget for such a system, but the state did—which shows that if no one is planning ahead for the unknown, the satisfaction of stakeholders is likely to be a going concern.
Not all organizations will be in the same position as the elementary school—i.e., not all will be able to rely on the state for support. They have to, therefore, make conscious decisions about how much they are willing and able to set aside to ensure that safety and security are issues that can be addressed. No one likes to think of financial considerations as being drivers of security operations—but they are. They provide the parameters of the operation in terms of what can be done with the amount of capital on hand. In Stowell’s example, the system implemented was perfect: it fit the needs of the stakeholders and it was cost-efficient. Teachers could use it without much hassle and it actually complemented the skills of the workers, who were likely to already be proficient at using mobile devices for communication and planning purposes.
Conclusion
In conclusion, security management is an issue that McCrie and Stowell both agree on: it has to be done with great consideration. That means there has to be a way of measuring the effectiveness of the security system. There has to be training available for non-security personnel. The drivers of the security operation have to be recognized: the needs of the stakeholders and the adequate allocation of a budget. Without all of these considerations, the security operation will not be very effectively or efficiently implemented. No matter how well a system is installed or how great management thinks it is, unless it is tested there are bound to be flaws and bugs in it that can allow for breaches. No matter how smart one’s employees are, unless they are provided with at least some basic training in how to respond to a security threat, there will be major problems when a threat finally occurs. Likewise, no matter how safe an organization feels it is, unless it consults with stakeholders to find out what matters most to them, there is no guarantee that it is actually protecting the right things. And no matter how much the organization would like to spend on security, if the money is not in the budget, the security plan is not going to happen.
Works Cited
Agrawal, Rakesh, and Christopher Johnson. "Securing electronic health records without impeding the flow of information." International Journal of Medical Informatics 76.5-6 (2007): 471-479.
Lanz, Joel. “How to be Street Smart When Budgeting for Security,” 31 Oct 2016 https://www.journalofaccountancy.com/newsletters/2016/oct/street-smart-security-budgeting.html
McCrie, Robert. Security operations management (3rd ed.). Waltham, MA: Butterworth-Heinemann, 2016.
Red Team Security Consulting. “What is a Penetration Test and Why Do I Need It?” Red Team Secure, 11 Jan 2018 https://www.redteamsecure.com/penetration-test-need/
Stowell, Holly Gilbert. “Checking in for Safety,” Security Management, 1 Aug 2018 https://sm.asisonline.org/Pages/Checking-in-for-Safety.aspx