Emergency Preparedness, business continuity, disaster recovery
In order to ensure the safety and security of an organization’s personnel, a Chief Security Officer (CSO) must be able to identify, assess and develop appropriate responses to a wide range of potential and actual threats as they evolve in real time. This presents a Herculean challenge since security, while recognized as critical, is also preferred to be invisible in day-to-day operations. Substantial guidance in these efforts is available from the communities of law enforcement, the private sector and emergency planners. In particular, it is worth summarizing five central insights that can assist CSOs as they work to protect their organizations.
- Teach heightened situational awareness: A unique method of teaching situational awareness (…) emphasizes the importance of understanding today’s threat environment, recognizing telltale signs of an evolving threat and empowering people to take effective action. All personnel in the organization, from the C-suite to entry-level staff, should be educated in recognizing the signs of potential threats. These signs can include, but are not limited to, identifying an employee who manifests signs of social withdrawal or who engages in threatening communication with a potential targeted individual or individuals. It can also include the recognition that an employee has obtained a weapon and/or is becoming proficient in its use. Also key is the recognition of steps leading up to these behaviors, such as an employee’s negative coping mechanisms and personal social stressors. Awareness of triggering events (e.g. academic failure, financial stress, divorce, job termination) is vital, as is evidence of ideation/fantasy including strong negative behavioral changes, pervasive paranoia or use of pseudo-militaristic language, along with any indicators of indoctrination into extremism.
- Ensure risk mitigation on the personal level: A four-pronged strategy consisting of education, preparation, planning and practice can and should be presented to employees to convey the risks posed by workplace threats. Each individual CSO should identify national-level models and modify them to suit their environments to include strategies related to employees with special or functional needs if mobility or access present additional challenges. Common-sense planning related to, for instance, the ability to access a concealment location quickly if escape options are limited requires that the areas beneath desks should not contain an excess of stored materials. Silencing cellphones so as to not alert an attacker to concealment locations while maintaining the ability to utilize a tracking feature or app to signal for help provides another example. This information should be shared with employees in a written format as well as in an open company-wide town hall style meeting specifically designed to share ideas. The latter reinforces written policies as well as reduces the reluctance to ask questions or indicate any misunderstanding. Making attendance mandatory also reinforces the buy-in of the organization and has the collateral benefit of gaining ideas and suggestions, which could improve the overall level of preparedness. In a sense, organizations are able to crowdsource their training and collect best practices simultaneously. The central message to be conveyed is that the CSO can conduct the responsibilities of the job most efficiently when every member of the organization is well-versed in the risks posed by threats to the workplace and has personally understood and accepted a plan of action in the stages before, during and after a threatening event.
- Apply lessons from actual threat incidents: CSOs can leverage the lessons identified/learned from actual events. These include those derived from attacks against both hardened facilities such as the Washington Navy Yard and Ft. Hood, Texas, as well as attacks in what had been considered soft targets at college campuses and universities. The egregious active shooter event in April 2007 at Virginia Tech, which resulted in the deaths of 32 people, served as a catalyst for institutions of higher learning to heighten their security throughout the risk cycle. When a university police officer was shot on campus in December 2011, officials notified stakeholders via multiple communication channels and social media. The school also implemented threat assessment teams to coordinate warning signs of potentially violent behavior, a model that has been incorporated in other types of organizations.
- Prepare an emergency response plan: CSOs should create and regularly update an emergency response plan (ERP) with input from their stakeholders, such as their facility owner/operators, their facility managers, their human resources and legal departments, their training department (if one exists) and local law enforcement and emergency responders, including fire departments and hospitals. Developing an ERP will prepare personnel to respond effectively and help minimize any loss of life. An ERP is intended to address critically important policies and procedures, for example, reporting emergencies and evacuation of the premises. In addition, preparing for a variety of different active threat scenarios helps to minimize fear and potentially prevent additional casualties since alternative scenarios were anticipated, planned for and practiced in advance. The ERP should also include requirements for conducting all-hands training exercises on at least a semi-annual basis. The inclusion of video-based narratives of individuals who were witness of, or responders to incidents adds a great deal of credibility to the training. Individuals are able to identify with the human actions and reactions expressed, likely remembering them for far longer than a mandatory security lecture. Having the materials easily accessible for refresher training reinforces learning and adds to personal situational awareness and resilience outside of the work environment.
- Assess a range of recovery tasks: To achieve post-incident resilience, CSOs can build or add a component to the business plan for rapid recovery from disruption caused by emergencies. Thinking through recovery and resilience efforts in advance better prepares an organization and its employees for both tangible requirements – actual rebuilding or replacement of damaged property, communications about the company or product brand, and the intangible but most important support services to employees. Such resilience can be achieved during the immediate aftermath of an event through effective response and recovery actions viewed as a series of “waves.” The Response Wave involves stabilizing an emergency situation in the immediate hours after an attack. The Mitigation Wave entails lessening the near-term impact of the critical incident. The Recovery Wave involves restoring pre-incident operational functioning and the well-being of those affected by the incident. Numerous tasks need to be accomplished during the three transitional waves, via a game plan for each wave that identifies each task and assigns responsibility to include alternative personnel designations to specific organization members.
The five insights above could serve as a starting point for action for CSOs responsible for the safeguarding of their organization’s employees and property. As always, preparation is the key to ensuring the best possible outcome when a threatening situation arises in the workplace.
Emergency Preparedness, business continuity, disaster recovery
- ISO 27001 – Information Security
- Risk Management
- Hacking Forensic Investigator
- Ethical Hacking
- Implementing NIST Cybersecurity Framework using COBIT® 5
Kiernan, Kathleen (2017). Emergency Preparedness Essentials: 5 Things CSOs Should Know. Recovered on 16 of June 2017 from http://www.securitymagazine.com/articles/88079-emergency-preparedness-essentials-5-things-csos-should-know