The Insecurity in Security part 4: The way

Tim Wenzel, CPP, Co-Founder and President of The Kindness Games, explores the operational processes and protocols that can help security teams best conduct their business.

The security ecosystem

It’s 3am. You awaken, struggling to breathe.

You get to a local emergency department and they ask you a series of questions.

The same series of questions will be asked to you in Los Angeles, Fargo, London, Bangkok or São Paulo.

The same series of questions which gather the necessary information in the proper format, properly attuned to the ecosystem of the human body…

The medical profession has put together the best root cause analysis system the world has ever seen and it has scaled to every single healthcare professional in the world.

Its uniformity enables peer review, specialist opinions and the seamless transfer of medical care to other providers.

It does not stifle innovation and it does not fret over failure.

Instead it learns, reviews, challenges assumptions and reinvents its body of knowledge each decade.

Security is not surgery. What is our excuse?

We actually discussed the main problem in The Insecurity in Security part 3: Inconsistency and frustration.

The medical field has attuned its processes around one very predictable ecosystem, the human body.

For all of its complexity, its operation is quite consistent, lending itself to being governed by some fairly clear rules.

Alternatively, each client or end user of security varies greatly.

Businesses, non-profits and even government agencies can have a great disparity of needs, risks and threats, making a one-size-fits-all security department ineffective – leading to inconsistency and frustration.

We left the last article with three main points:

  1. Learn the business
  2. Use enterprise security risk management (ESRM) to study the organization and create a risk management and governance framework
  3. Adopt proper program management practices

These three items, worked through thoughtfully, will define your ecosystem – just like the medical field has defined the human body… what’s next?

Operational consistency

Every security department and each program within needs to develop The Way of conducting business.

Just like every EMT asks the same foundational questions that every nurse and doctor on earth will need to form a diagnosis and treat a patient, every security department must do the same in their activities and interactions.

The medical field has the luxury of the human body.

It works the way it works and fails the way it fails and does not care about your opinion on the topic.

The organizations we serve morph depending on leadership, economics, initiatives, etc; so if we are to maintain consistency, it must be within our practices, with an eye on the changing ecosystem around us.

Intake process

Just like the patient assessment, security departments must take in requests, risks, threats, concerns and feedback in a uniform manner.

This process should not easily change and when change is required, it should be flagged for review at a later time by the higher authority for validity.

You should develop your own intake process but for me, my programs and my employees, I’ve come back to this one for over a decade.

What is the risk, threat, question, concern, feedback, request, etc…

  • Why is it a problem?
    • For whom?
  • What can we control?
  • What can we measure?

At this point, is there an action we can take which will manage the initial issue, in alignment with all or most of the stakeholders, in a manner in which success and failure can be measured?

If No: we propose doing nothing, unless the business really needs us to act.

If the business really has an appetite for us to act, even though the value proposition is unclear to us, then we lead conversations to find a mutually agreed way to measure success, failure and duration of operations.

If Yes: we present our options to the business so they can decide the best course of action.

This process lends itself to honest conversations which create appropriate expectations, allowing security to be successful even when we don’t see the risk or optimal outcome.

Operational templates

Medical procedures are highly standardized and deviating from protocol is frowned upon – because it introduces variance and exceptions, which skews the proper measurement of success and failure.

In my opinion, security operations should be highly standardized. Deviation should be frowned upon for the same reasons.

It is obvious that exceptions and deviations will need to be made from time to time but the key is to document them in a manner which lends itself to being measured.

Thoughtful operational protocol

Medical treatment is a highly engaged activity.

The basic premise is that each patient may respond differently, even though the human body generally operates according to rules.

To account for this and maintain a coherent protocol, medical interventions are implemented in this fashion and security should follow.

  1. I think this is the problem which calls for a specific treatment protocol, for these reasons (operational template)
  2. According to the treatment protocol, there are a few things to keep track of:
    1. Intended outcomes (predictable outcome according to the proper implementation of treatment plan)
    2. Side effects (undesirable but foreseeable and notably expectable effects which generally do not negate the intended outcome)
    3. Unintended outcomes (Unexpected outcomes which are unforeseen and cause us to re-evaluate our diagnosis and change the course of treatment)
  3. Reassess and re-evaluate the need for further intervention

A major problem in the security industry is our lack of ability to predict and explain side effects which are unpleasant for the business but do not alter the course to intended outcomes.

Many times we are caught off guard and we confuse side effects with unintended outcomes.

We often accept failure prematurely, when our implementation was actually effective.

How quickly do we run out of options when failure is assigned to us due to our inability to forecast and educate on side effects?

This is caused by great variation in operations and a lack of program management to properly measure outcomes over a sustained period of time.

Another contributing factor can be a lack of experience managing emergencies or specific types of risk or threat scenarios, which results in a small body of work producing an underdeveloped body of knowledge.

There are some types of issues best left to specialists who manage these types of situations across a larger sample size than your organization can provide.

Post-incident review

Many security professionals think only major incidents or failures require a post-incident review.

This is faulty reasoning. We should be conducting reviews of our most mundane operations on a regular basis as a quality assurance exercise.

This is how we start to identify the baselines of normal, our side effects and unintended outcomes.

It’s how we vet and prove our metrics. We learn how our ecosystem reacts to security operations and we can refine our processes and messaging to achieve better outcomes in the future.

By running this process over and over again, the business can see your rapid improvement, solidifying your reputation and expertise.

To be effective, rules need to be established to govern the Incident Debrief process.

Here are mine:

Rule 1: understand the facts and timeline of the incident. Rule out bias and emotion from this process by noting inference, opinion and confusion.

Rule 2: measure the totality of the incident against the policies and understanding of risk that existed when the incident happened.

This is the only way to be fair to the people involved. We can never apply today’s understanding of risk to yesterday’s incident. Frustration and mistrust will follow.

Rule 3: focus on policy, process and professional development. As humans, we feel a need to find a culprit.

We already have one: the aggressor, the threat, the uncertainty. Focusing on development uncovers what could be done in the future while still meeting the needs of the business.

In the Codes of Conduct for my teams, I write the following into policy:

“Problems are opportunities to be excellent. Someone does not always need to be at fault. We succeed and fail as a program. We are committed to the professional development of one another.”

Rule 4: If negligence or malice is uncovered, it should be dealt with separately. Incident Debrief is a development process, not a disciplinary process.

Once you tailor this process to your organization, document it and indoctrinate the entire security department into The Way of doing business, a few things will become apparent:

  1. The amount of exceptions being requested, showing you the inconsistency across your organization. This will create a lot of work for management in the short term, but is essential.
  2. Resistance to putting requests, feedback, etc through a formal process. You will witness literal anxiety around this point. Change management produces fear of uncertainty. Security departments are famously stuck in their ways. This will build the character of your people and strengthen relationships with the business.
  3. Some of your prime stakeholders will push back. They are used to making a request and being told yes. They are not used to engaging in short preliminary conversations. This will give leadership the opportunity to educate them on the new processes being created to optimize security operations and consistency.
  4. In the mid-term, you will see an increase in trust within your security organization. Once it is apparent that leadership will always back up their people who follow The Way and are committed to the development of their processes and people vs assigning blame, communication will be open, engagement will be higher and outcomes will trend upward.

Will you commit to designing The Way your security department will conduct business?

Read the previous article in Tim’s series here and keep an eye out for the next installment, coming out 29 May 2024!
