Tim Wenzel, CPP, Co-Founder and President of The Kindness Games, explores the operational processes and protocols that can help security teams best conduct their business.
It’s 3am. You awaken, struggling to breathe.
You get to a local emergency department and they ask you a series of questions.
The same series of questions will be asked to you in Los Angeles, Fargo, London, Bangkok or São Paulo.
The same series of questions which gather the necessary information in the proper format, properly attuned to the ecosystem of the human body…
The medical profession has put together the best root cause analysis system the world has ever seen and it has scaled to every single healthcare professional in the world.
Its uniformity enables peer review, specialist opinions and the seamless transfer of medical care to other providers.
It does not stifle innovation and it does not fret over failure.
Instead it learns, reviews, challenges assumptions and reinvents its body of knowledge each decade.
Security is not surgery. What is our excuse?
We actually discussed the main problem in The Insecurity in Security part 3: Inconsistency and frustration.
The medical field has attuned its processes around one very predictable ecosystem, the human body.
For all of its complexity, its operation is quite consistent, lending itself to being governed by some fairly clear rules.
Alternatively, each client or end user of security varies greatly.
Businesses, non-profits and even government agencies can have a great disparity of needs, risks and threats, making a one-size-fits-all security department ineffective – leading to inconsistency and frustration.
We left the last article with three main points:
These three items, worked through thoughtfully, will define your ecosystem – just like the medical field has defined the human body… what’s next?
Every security department and each program within needs to develop The Way of conducting business.
Just like every EMT asks the same foundational questions that every nurse and doctor on earth will need to form a diagnosis and treat a patient, every security department must do the same in their activities and interactions.
The medical field has the luxury of the human body.
It works the way it works and fails the way it fails and does not care about your opinion on the topic.
The organizations we serve morph depending on leadership, economics, initiatives, etc., so if we are to maintain consistency, it must be within our practices, with an eye on the changing ecosystem around us.
Just like the patient assessment, security departments must intake requests, risks, threats, concerns and feedback in a uniform manner.
This process should not change easily, and when a change is required, it should be flagged for later review by a higher authority to validate it.
You should develop your own intake process but for me, my programs and my employees, I’ve come back to this one for over a decade.
What is the risk, threat, question, concern, feedback, request, etc…
At this point, is there an action we can take which will manage the initial issue, in alignment with all or most of the stakeholders, in a manner in which success and failure can be measured?
If No: we propose doing nothing, unless the business really needs us to act.
If the business really has an appetite for us to act, even though the value proposition is unclear to us, then we lead conversations to find a mutually agreed way to measure success, failure and duration of operations.
If Yes: we present our options to the business so they can decide the best course of action.
This process lends itself to honest conversations which create appropriate expectations, allowing security to be successful even when we don’t see the risk or optimal outcome.
Medical procedures are highly standardized and deviating from protocol is frowned upon – because it introduces variance and exceptions, which skews the proper measurement of success and failure.
In my opinion, security operations should be highly standardized. Deviation should be frowned upon for the same reasons.
It is obvious that exceptions and deviations will need to be made from time to time but the key is to document them in a manner which lends itself to being measured.
Medical treatment is a highly engaged activity.
The basic premise is that each patient may respond differently, even though the human body generally operates according to rules.
To account for this and maintain a coherent protocol, medical interventions are implemented as engaged, closely monitored activities, and security should follow the same approach.
A major problem in the security industry is our lack of ability to predict and explain side effects which are unpleasant for the business but do not alter the course to intended outcomes.
Many times we are caught off guard and we confuse side effects with unintended outcomes.
We often accept failure prematurely, when our implementation was actually effective.
How quickly do we run out of options when failure is assigned to us due to our inability to forecast and educate on side effects?
This is caused by great variation in operations and a lack of program management to properly measure outcomes over a sustained period of time.
Another contributing factor can be a lack of experience managing emergencies or specific types of risk or threat scenarios, which results in a small body of work and, in turn, an underdeveloped body of knowledge.
There are some types of issues best left to specialists who manage these types of situations across a larger sample size than your organization can provide.
Many security professionals think only major incidents or failures require a post incident review.
This is faulty reasoning. We should be conducting reviews of our most mundane operations on a regular basis as a quality assurance exercise.
This is how we start to identify the baselines of normal, our side effects and unintended outcomes.
It’s how we vet and prove our metrics. We learn how our ecosystem reacts to security operations and we can refine our processes and messaging to achieve better outcomes in the future.
By running this process over and over again, the business can see your rapid improvement, solidifying your reputation and expertise.
To be effective, rules need to be established to govern the Incident Debrief process.
Here are mine:
Rule 1: understand the facts and timeline of the incident. Rule out bias and emotion from this process by noting inference, opinion and confusion.
Rule 2: measure the totality of the incident against the policies and understanding of risk that existed when the incident happened.
This is the only way to be fair to the people involved. We can never apply today’s understanding of risk to yesterday’s incident. Frustration and mistrust will follow.
Rule 3: focus on policy, process and professional development. As humans, we feel a need to find a culprit.
We already have one: the aggressor, the threat, the uncertainty. Focusing on development uncovers what could be done in the future while still meeting the needs of the business.
In the Codes of Conduct for my teams, I write the following into policy:
“Problems are opportunities to be excellent. Someone does not always need to be at fault. We succeed and fail as a program. We are committed to the professional development of one another.”
Rule 4: If negligence or malice is uncovered, it should be dealt with separately. Incident Debrief is a development process, not a disciplinary process.
Once you tailor this process to your organization, document it and indoctrinate the entire security department into The Way of doing business, a few things will become apparent:
Will you commit to designing The Way your security department will conduct business?
Read the previous article in Tim’s series here and keep an eye out for the next installment, coming out 29 May 2024!